[DRE-maint] Bug#963808: ruby-sanitize: CVE-2020-4054: HTML sanitization bypass in Sanitize

terceiro at debian.org
Mon Jul 13 15:19:38 BST 2020


On Sun, Jul 12, 2020 at 03:11:30PM +0200, Salvatore Bonaccorso wrote:
> On Sat, Jun 27, 2020 at 09:10:01PM +0200, Salvatore Bonaccorso wrote:
> > Source: ruby-sanitize
> > Version: 4.6.6-2
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > 
> > Hi,
> > 
> > The following vulnerability was published for ruby-sanitize.
> > 
> > CVE-2020-4054[0]:
> > | In Sanitize (RubyGem sanitize) greater than or equal to 3.0.0 and less
> > | than 5.2.1, there is a cross-site scripting vulnerability. When HTML
> > | is sanitized using Sanitize's "relaxed" config, or a custom config
> > | that allows certain elements, some content in a math or svg element
> > | may not be sanitized correctly even if math and svg are not in the
> > | allowlist. You are likely to be vulnerable to this issue if you use
> > | Sanitize's relaxed config or a custom config that allows one or more
> > | of the following HTML elements: iframe, math, noembed, noframes,
> > | noscript, plaintext, script, style, svg, xmp. Using carefully crafted
> > | input, an attacker may be able to sneak arbitrary HTML through
> > | Sanitize, potentially resulting in XSS (cross-site scripting) or other
> > | undesired behavior when that HTML is rendered in a browser. This has
> > | been fixed in 5.2.1.
> 
> Attached is a preliminary debdiff with the fix, but two prerequisites
> before "fix: Don't treat :remove_contents as `true` when it's an
> Array" and "feat: Remove useless filtered element content by default".
> 
> Antonio, would it be possible to let it go through your second pair of
> eyes, with the pre-knowledge that I'm not familiar with the package but
> trying to address the CVE-2020-4054.
> 
> If those look correct, the plan would be to do 4.6.6-2.1~deb10u1 based
> on that for buster-security.

Yes, those patches look OK.

Thanks for your work.
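
An added audit helper (not part of the bug report, the debdiff, or upstream Sanitize) that turns the advisory quoted above into two checks: whether an installed sanitize gem version falls in the affected range (>= 3.0.0, < 5.2.1), and which elements of a Sanitize-style config (a hash with an :elements list, as Sanitize::Config uses) overlap with the elements the CVE text names. The sample config is constructed.

```ruby
# Added example for CVE-2020-4054 triage; not code from the Debian package
# or from the Sanitize gem. Uses only the Ruby standard library.
require "rubygems"
require "set"

# Element names the advisory lists as making a config likely vulnerable.
RISKY_ELEMENTS = %w[iframe math noembed noframes noscript plaintext
                    script style svg xmp].freeze

# Affected version range taken from the advisory: >= 3.0.0 and < 5.2.1.
AFFECTED_RANGE = Gem::Requirement.new(">= 3.0.0", "< 5.2.1")

# True when the given sanitize gem version is inside the affected range.
def vulnerable_version?(version_string)
  AFFECTED_RANGE.satisfied_by?(Gem::Version.new(version_string))
rescue ArgumentError
  # A malformed version string is treated as unknown, i.e. not proven safe.
  true
end

# Given a config hash in Sanitize's shape ({ elements: [...] }), return the
# sorted list of allowed elements that the advisory flags as risky.
def risky_elements(config)
  allowed = Array(config[:elements] || config["elements"]).map(&:to_s)
  (allowed.to_set & RISKY_ELEMENTS.to_set).to_a.sort
end

# A deployment is at risk only when both conditions from the advisory hold:
# an affected version and a config that allows at least one flagged element.
def at_risk?(version_string, config)
  vulnerable_version?(version_string) && !risky_elements(config).empty?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a custom config that allows <style> on the buster
  # package version (4.6.6).
  sample = { elements: %w[a b p style] }
  puts "4.6.6 allowing #{risky_elements(sample).inspect}: " \
       "at risk? #{at_risk?('4.6.6', sample)}"
end
```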