[DRE-maint] Bug#963808: ruby-sanitize: CVE-2020-4054: HTML sanitization bypass in Sanitize

terceiro at debian.org terceiro at debian.org
Tue Jul 14 13:41:21 BST 2020


On Mon, Jul 13, 2020 at 10:04:10PM +0200, Salvatore Bonaccorso wrote:
> Hi Antonio,
> 
> On Mon, Jul 13, 2020 at 11:19:38AM -0300, terceiro at debian.org wrote:
> > On Sun, Jul 12, 2020 at 03:11:30PM +0200, Salvatore Bonaccorso wrote:
> > > On Sat, Jun 27, 2020 at 09:10:01PM +0200, Salvatore Bonaccorso wrote:
> > > > Source: ruby-sanitize
> > > > Version: 4.6.6-2
> > > > Severity: grave
> > > > Tags: security upstream
> > > > Justification: user security hole
> > > > 
> > > > Hi,
> > > > 
> > > > The following vulnerability was published for ruby-sanitize.
> > > > 
> > > > CVE-2020-4054[0]:
> > > > | In Sanitize (RubyGem sanitize) greater than or equal to 3.0.0 and less
> > > > | than 5.2.1, there is a cross-site scripting vulnerability. When HTML
> > > > | is sanitized using Sanitize's "relaxed" config, or a custom config
> > > > | that allows certain elements, some content in a math or svg element
> > > > | may not be sanitized correctly even if math and svg are not in the
> > > > | allowlist. You are likely to be vulnerable to this issue if you use
> > > > | Sanitize's relaxed config or a custom config that allows one or more
> > > > | of the following HTML elements: iframe, math, noembed, noframes,
> > > > | noscript, plaintext, script, style, svg, xmp. Using carefully crafted
> > > > | input, an attacker may be able to sneak arbitrary HTML through
> > > > | Sanitize, potentially resulting in XSS (cross-site scripting) or other
> > > > | undesired behavior when that HTML is rendered in a browser. This has
> > > > | been fixed in 5.2.1.
> > > 
> > > Attached is a preliminary debdiff with the fix, but two prerequisites
> > > before "fix: Don't treat :remove_contents as `true` when it's an
> > > Array" and "feat: Remove useless filtered element content by default".
> > > 
> > > Antonio, would it be possible to let it go through your second pair of
> > > eyes, with the pre-knowledge that I'm not familiar with the package but
> > > trying to address the CVE-2020-4054.
> > > 
> > > If those look correct, the plan would be to do 4.6.6-2.1~deb10u1 based
> > > on that for buster-security.
> > 
> > Yes, those patches look OK.
> > 
> > Thanks for your work.
> 
> Thanks for your review! So proposing to upload the NMU first, and then
> later handle the DSA for it based on that version if no negative
> reports come in.

Sure, just do it.