[DRE-maint] Bug#963808: ruby-sanitize: CVE-2020-4054: HTML sanitization bypass in Sanitize

Salvatore Bonaccorso carnil at debian.org
Tue Jul 14 20:37:50 BST 2020


Hi Antonio,

On Tue, Jul 14, 2020 at 09:41:21AM -0300, terceiro at debian.org wrote:
> On Mon, Jul 13, 2020 at 10:04:10PM +0200, Salvatore Bonaccorso wrote:
> > Hi Antonio,
> > 
> > On Mon, Jul 13, 2020 at 11:19:38AM -0300, terceiro at debian.org wrote:
> > > On Sun, Jul 12, 2020 at 03:11:30PM +0200, Salvatore Bonaccorso wrote:
> > > > On Sat, Jun 27, 2020 at 09:10:01PM +0200, Salvatore Bonaccorso wrote:
> > > > > Source: ruby-sanitize
> > > > > Version: 4.6.6-2
> > > > > Severity: grave
> > > > > Tags: security upstream
> > > > > Justification: user security hole
> > > > > 
> > > > > Hi,
> > > > > 
> > > > > The following vulnerability was published for ruby-sanitize.
> > > > > 
> > > > > CVE-2020-4054[0]:
> > > > > | In Sanitize (RubyGem sanitize) greater than or equal to 3.0.0 and less
> > > > > | than 5.2.1, there is a cross-site scripting vulnerability. When HTML
> > > > > | is sanitized using Sanitize's "relaxed" config, or a custom config
> > > > > | that allows certain elements, some content in a math or svg element
> > > > > | may not be sanitized correctly even if math and svg are not in the
> > > > > | allowlist. You are likely to be vulnerable to this issue if you use
> > > > > | Sanitize's relaxed config or a custom config that allows one or more
> > > > > | of the following HTML elements: iframe, math, noembed, noframes,
> > > > > | noscript, plaintext, script, style, svg, xmp. Using carefully crafted
> > > > > | input, an attacker may be able to sneak arbitrary HTML through
> > > > > | Sanitize, potentially resulting in XSS (cross-site scripting) or other
> > > > > | undesired behavior when that HTML is rendered in a browser. This has
> > > > > | been fixed in 5.2.1.
> > > > 
> > > > Attached is a preliminary debdiff with the fix, but two prerequisites
> > > > before "fix: Don't treat :remove_contents as `true` when it's an
> > > > Array" and "feat: Remove useless filtered element content by default".
> > > > 
> > > > Antonio, would it be possible to let it go through your second pair of
> > > > eyes, with the pre-knowledge that I'm not familiar with the package but
> > > > trying to address CVE-2020-4054?
> > > > 
> > > > If those look correct, the plan would be to do 4.6.6-2.1~deb10u1 based
> > > > on that for buster-security.
> > > 
> > > Yes, those patches look OK.
> > > 
> > > Thanks for your work.
> > 
> > Thanks for your review! So proposing to upload the NMU first, and then
> > later handle the DSA for it based on that version if no negative
> > reports come in.
> 
> Sure, just do it.

NMU done (in delayed queue). Will try to keep an eye on the reports
later, but if you notice something odd just let me know.

Regards,
Salvatore
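An added audit helper, not part of the ruby-sanitize package or of the exchange above: it checks a Debian package version and a Sanitize config against the two conditions quoted from the CVE-2020-4054 advisory (upstream version in [3.0.0, 5.2.1) and a config that is `:relaxed` or allows one of the listed elements). The config hash shape (`:elements` allowlist) follows Sanitize's documented config keys; the element and version lists are taken from the advisory text.

```ruby
# Audit helper for the CVE-2020-4054 conditions (added example, not
# upstream or Debian code). Inputs: a Debian version string such as
# "4.6.6-2" and either the symbol :relaxed or a Sanitize-style config hash.

AFFECTED_FROM = [3, 0, 0].freeze   # advisory: ">= 3.0.0"
FIXED_IN      = [5, 2, 1].freeze   # advisory: "< 5.2.1" is affected
# Elements named in the advisory; allowing any of them is the risk condition.
RISKY_ELEMENTS = %w[iframe math noembed noframes noscript plaintext
                    script style svg xmp].freeze

# "4.6.6-2.1~deb10u1" -> [4, 6, 6]; the Debian revision after "-" is not
# part of the upstream version the advisory talks about.
def upstream_version(debian_version)
  debian_version.split('-', 2).first.split('.').map(&:to_i)
end

def affected_version?(debian_version)
  v = upstream_version(debian_version)
  (v <=> AFFECTED_FROM) >= 0 && (v <=> FIXED_IN) < 0
end

# Advisory-listed elements the config allows. :relaxed is flagged whole,
# as the advisory states; other built-in configs (symbols) allow none of
# the listed elements, so they return an empty list.
def risky_allowed_elements(config)
  return RISKY_ELEMENTS.dup if config == :relaxed
  return [] unless config.is_a?(Hash)
  allowed = Array(config[:elements]).map(&:to_s)
  allowed & RISKY_ELEMENTS
end

# Exposed only when both the version range and the config condition match.
def exposed?(debian_version, config)
  affected_version?(debian_version) && !risky_allowed_elements(config).empty?
end

if __FILE__ == $PROGRAM_NAME
  custom = { elements: %w[p a svg], attributes: { 'a' => ['href'] } }
  puts "4.6.6-2 + custom(svg): #{exposed?('4.6.6-2', custom)}"            # true
  puts "5.2.1-1 + relaxed:     #{exposed?('5.2.1-1', :relaxed)}"          # false
  puts "4.6.6-2 + basic hash:  #{exposed?('4.6.6-2', elements: %w[p a])}" # false
end
```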
