[DRE-maint] Bug#963808: ruby-sanitize: CVE-2020-4054: HTML sanitization bypass in Sanitize

Salvatore Bonaccorso carnil at debian.org
Mon Jul 13 21:04:10 BST 2020


Hi Antonio,

On Mon, Jul 13, 2020 at 11:19:38AM -0300, terceiro at debian.org wrote:
> On Sun, Jul 12, 2020 at 03:11:30PM +0200, Salvatore Bonaccorso wrote:
> > On Sat, Jun 27, 2020 at 09:10:01PM +0200, Salvatore Bonaccorso wrote:
> > > Source: ruby-sanitize
> > > Version: 4.6.6-2
> > > Severity: grave
> > > Tags: security upstream
> > > Justification: user security hole
> > > 
> > > Hi,
> > > 
> > > The following vulnerability was published for ruby-sanitize.
> > > 
> > > CVE-2020-4054[0]:
> > > | In Sanitize (RubyGem sanitize) greater than or equal to 3.0.0 and less
> > > | than 5.2.1, there is a cross-site scripting vulnerability. When HTML
> > > | is sanitized using Sanitize's "relaxed" config, or a custom config
> > > | that allows certain elements, some content in a math or svg element
> > > | may not be sanitized correctly even if math and svg are not in the
> > > | allowlist. You are likely to be vulnerable to this issue if you use
> > > | Sanitize's relaxed config or a custom config that allows one or more
> > > | of the following HTML elements: iframe, math, noembed, noframes,
> > > | noscript, plaintext, script, style, svg, xmp. Using carefully crafted
> > > | input, an attacker may be able to sneak arbitrary HTML through
> > > | Sanitize, potentially resulting in XSS (cross-site scripting) or other
> > > | undesired behavior when that HTML is rendered in a browser. This has
> > > | been fixed in 5.2.1.
> > 
> > Attached is a preliminary debdiff with the fix, but with two prerequisites
> > before it: "fix: Don't treat :remove_contents as `true` when it's an
> > Array" and "feat: Remove useless filtered element content by default".
> > 
> > Antonio, would it be possible to let it go through your second pair of
> > eyes, with the pre-knowledge that I'm not familiar with the package but
> > trying to address CVE-2020-4054?
> > 
> > If those look correct, the plan would be to do 4.6.6-2.1~deb10u1 based
> > on that for buster-security.
> 
> Yes, those patches look OK.
> 
> Thanks for your work.

Thanks for your review! So I'm proposing to upload the NMU first, and then
later handle the DSA for it based on that version if no negative
reports come in.

Regards,
Salvatore
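The CVE text quoted above states the two exposure conditions for this bug: an installed sanitize gem in the range >= 3.0.0 and < 5.2.1, and a config whose allowlist contains one or more of iframe, math, noembed, noframes, noscript, plaintext, script, style, svg or xmp. The following triage helper encodes exactly those conditions. It is an added example, not code from this thread, from Debian or from the sanitize gem, and it does not require the gem: it only relies on Sanitize's config layout being a Hash whose :elements entry is an Array of allowed element names. The two sample configs are constructed here for illustration and are not copied from the gem; the Debian-style version string handling (dropping the "-2" revision) is an assumption about how a packager would feed it a package version.

```ruby
# Added example (not from the Debian thread or the sanitize gem): a triage
# helper that encodes the exposure conditions stated in the CVE-2020-4054
# advisory text: an affected gem version together with a config whose
# element allowlist contains one of the elements the advisory names.
require 'rubygems'

# Version range stated in the advisory: >= 3.0.0 and < 5.2.1.
VULNERABLE_RANGE = Gem::Requirement.new('>= 3.0.0', '< 5.2.1')

# Elements the advisory says make a config likely vulnerable.
RISKY_ELEMENTS = %w[iframe math noembed noframes noscript plaintext
                    script style svg xmp].freeze

# Debian package versions carry a revision ("4.6.6-2"); only the upstream
# part corresponds to the gem version the advisory talks about (assumption:
# the input is either a bare gem version or "<upstream>-<revision>").
def upstream_version(package_version)
  package_version.to_s.split('-', 2).first
end

def vulnerable_version?(version_string)
  VULNERABLE_RANGE.satisfied_by?(Gem::Version.new(upstream_version(version_string)))
end

# config follows Sanitize's Hash layout, where :elements is an Array of
# allowed element names. Returns the advisory-listed elements it allows,
# in the advisory's order.
def risky_elements_in(config)
  allowed = Array(config[:elements]).map { |e| e.to_s.downcase }
  RISKY_ELEMENTS & allowed
end

# Summarise exposure: both conditions must hold for the app to be likely
# vulnerable according to the advisory.
def assess(version_string, config)
  risky = risky_elements_in(config)
  affected = vulnerable_version?(version_string)
  {
    version_affected: affected,
    risky_elements: risky,
    likely_vulnerable: affected && !risky.empty?,
  }
end

# Constructed sample configs (not copied from the gem): a small text-only
# allowlist, and one that also allows <style>, which the advisory lists.
BASIC_LIKE = { elements: %w[a b blockquote br code em i li ol p pre strong ul] }.freeze
RELAXED_LIKE = { elements: %w[a b div h1 img p span style table ul] }.freeze

if $PROGRAM_NAME == __FILE__
  [['4.6.6-2', BASIC_LIKE], ['4.6.6-2', RELAXED_LIKE], ['5.2.1', RELAXED_LIKE]].each do |v, c|
    puts "sanitize #{v}: #{assess(v, c)}"
  end
end
```

Run against the buster package version (4.6.6-2, upstream 4.6.6) the version check is positive; whether a given deployment is likely affected then depends only on whether its allowlist contains one of the listed elements, which is why the advisory singles out the relaxed config.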
