On Mon, Jul 13, 2020 at 10:04:10PM +0200, Salvatore Bonaccorso wrote:
> Hi Antonio,
>
> On Mon, Jul 13, 2020 at 11:19:38AM -0300, terce...@debian.org wrote:
> > On Sun, Jul 12, 2020 at 03:11:30PM +0200, Salvatore Bonaccorso wrote:
> > > On Sat, Jun 27, 2020 at 09:10:01PM +0200, Salvatore Bonaccorso wrote:
> > > > Source: ruby-sanitize
> > > > Version: 4.6.6-2
> > > > Severity: grave
> > > > Tags: security upstream
> > > > Justification: user security hole
> > > >
> > > > Hi,
> > > >
> > > > The following vulnerability was published for ruby-sanitize.
> > > >
> > > > CVE-2020-4054[0]:
> > > > | In Sanitize (RubyGem sanitize) greater than or equal to 3.0.0 and less
> > > > | than 5.2.1, there is a cross-site scripting vulnerability. When HTML
> > > > | is sanitized using Sanitize's "relaxed" config, or a custom config
> > > > | that allows certain elements, some content in a math or svg element
> > > > | may not be sanitized correctly even if math and svg are not in the
> > > > | allowlist. You are likely to be vulnerable to this issue if you use
> > > > | Sanitize's relaxed config or a custom config that allows one or more
> > > > | of the following HTML elements: iframe, math, noembed, noframes,
> > > > | noscript, plaintext, script, style, svg, xmp. Using carefully crafted
> > > > | input, an attacker may be able to sneak arbitrary HTML through
> > > > | Sanitize, potentially resulting in XSS (cross-site scripting) or other
> > > > | undesired behavior when that HTML is rendered in a browser. This has
> > > > | been fixed in 5.2.1.
> > >
> > > Attached is a preliminary debdiff with the fix, but two prerequisites
> > > before "fix: Don't treat :remove_contents as `true` when it's an
> > > Array" and "feat: Remove useless filtered element content by default".
> > >
> > > Antonio, would it be possible to let it go through your second pair of
> > > eyes, with the pre-knowledge that I'm not familiar with the package but
> > > trying to address the CVE-2020-4054.
> > >
> > > If those look correct, the plan would be to do 4.6.6-2.1~deb10u1 based
> > > on that for buster-security.
> >
> > Yes, those patches look OK.
> >
> > Thanks for your work.
>
> Thanks for your review! So proposing to upload the NMU first, and then
> later handle the DSA for it based on that version if no negative
> reports come in.
Sure, just do it.
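The advisory quoted in the thread gives the affected range as sanitize >= 3.0.0 and < 5.2.1. Below is an added example, written for this page and not taken from the bug thread, the sanitize gem or the Debian package, that checks a Gemfile.lock against that range using only RubyGems' own version comparison, and shows why the same check cannot be applied verbatim to the Debian version string discussed above (4.6.6-2.1~deb10u1): Debian backports the fix without changing the upstream part of the version, so a version-range check reports the patched package as affected, and the Debian changelog or DSA is the only reliable signal there. The helper names (sanitize_affected?, locked_version, debian_upstream_version, audit_lockfile) and the sample lockfile are assumptions made for the example.

```ruby
# Added example, not from the ruby-sanitize bug thread or the sanitize gem.
# Audits a Gemfile.lock for sanitize versions in the CVE-2020-4054 range
# (">= 3.0.0, < 5.2.1", as stated in the quoted advisory). Only RubyGems'
# bundled version classes are used, so it runs offline.
require "rubygems"

# Affected range exactly as stated in the advisory text.
CVE_2020_4054_RANGE = Gem::Requirement.new(">= 3.0.0", "< 5.2.1")

# True when an upstream sanitize version string lies inside the range.
def sanitize_affected?(version)
  CVE_2020_4054_RANGE.satisfied_by?(Gem::Version.new(version))
end

# Return the pinned version of +gem_name+ from Gemfile.lock text, or nil.
# Only the four-space-indented lines under "specs:" are real pins; the
# six-space lines beneath them are dependency constraints and the two-space
# lines under DEPENDENCIES are requirements, neither of which must match.
def locked_version(lockfile_text, gem_name)
  m = lockfile_text.match(/^    #{Regexp.escape(gem_name)} \(([^)]+)\)$/)
  m && m[1]
end

# Reduce a Debian version to its upstream part: drop an "epoch:" prefix and
# the Debian revision after the last "-", e.g. "4.6.6-2.1~deb10u1" -> "4.6.6".
# Gem::Version rejects "~" outright and would read "-2.1" as a prerelease
# tag, so the revision must be stripped before comparing. Stable security
# updates keep this upstream part unchanged, so a match proves nothing about
# whether the Debian revision carries the backported fix.
def debian_upstream_version(debian_version)
  v = debian_version.sub(/\A\d+:/, "")
  idx = v.rindex("-")
  idx ? v[0...idx] : v
end

# Audit one Gemfile.lock and describe the finding as a hash.
def audit_lockfile(lockfile_text)
  version = locked_version(lockfile_text, "sanitize")
  return { status: :not_present } unless version

  if sanitize_affected?(version)
    { status: :affected, version: version, fix: "upgrade to >= 5.2.1" }
  else
    { status: :ok, version: version }
  end
end

# Constructed sample lockfile for the example (not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.6)
      nokogiri (1.10.9)
        mini_portile2 (~> 2.4.0)
      sanitize (5.1.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.8.0)
        nokogumbo (~> 2.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    sanitize (~> 5.1)
LOCK

if __FILE__ == $0
  p audit_lockfile(SAMPLE_LOCK)
  # The planned buster-security package keeps upstream 4.6.6, so the range
  # check alone still flags it even though the debdiff carries the fix.
  p sanitize_affected?(debian_upstream_version("4.6.6-2.1~deb10u1"))
end
```

Run it against a real Gemfile.lock by reading the file into audit_lockfile; for Debian-packaged installs, treat a match from debian_upstream_version only as a prompt to check the package changelog for the CVE identifier, not as a finding.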