Bug 12095

fixed with ruby-i18n-0.6.1-3.1.mga3 + ruby-i18n-0.6.4-5.mga4.

someone will have to submit ruby-i18n-0.6.4-5.mga4 though.

CC: (none) => oe

The patched package has now been uploaded in Cauldron.  Thanks Oden!

Advisory:
========================

Updated ruby-i18n packages fixes security vulnerability:

Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n gem
before 0.6.6 for Ruby allows remote attackers to inject arbitrary web script
or HTML via a crafted I18n::MissingTranslationData.new call (CVE-2013-4492).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4492
http://lists.opensuse.org/opensuse-updates/2013-12/msg00093.html
========================

Updated packages in core/updates_testing:
========================
ruby-i18n-0.6.1-3.1.mga3
ruby-i18n-doc-0.6.1-3.1.mga3

from ruby-i18n-0.6.1-3.1.mga3.src.rpm

CC: (none) => fundawang
Version: Cauldron => 3
Assignee: fundawang => qa-bugs
Whiteboard: MGA3TOO => (none)

Here are the changes rpmdiff shows in the rpms. Apparently, lots of changes in the documentation. The fix itself is in /usr/share/ruby/gems/gems/i18n-0.6.1/lib/i18n/exceptions.rb

*** rpmdiff output between ruby-i18n-0.6.1-3.mga3.noarch.rpm and ruby-i18n-0.6.1-3.1.mga3.noarch.rpm ***
S.5........ /usr/share/ruby/gems/gems/i18n-0.6.1/lib/i18n/exceptions.rb
..5........ /usr/share/ruby/gems/specifications/i18n-0.6.1.gemspec

*** rpmdiff output between ruby-i18n-doc-0.6.1-3.mga3.noarch.rpm and ruby-i18n-doc-0.6.1-3.1.mga3.noarch.rpm ***
removed     REQUIRES ruby-i18n = 0.6.1-3.mga3
added       REQUIRES ruby-i18n = 0.6.1-3.1.mga3
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/Backend.html
S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/ExceptionHandler.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/Gettext.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/InvalidLocale.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/InvalidLocaleData.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/InvalidPluralizationData.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/Locale.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/Locale/Tag.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/MissingInterpolationArgument.html
S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/MissingTranslation/Base.html
S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/ReservedInterpolationKey.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/Tests.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/Tests/Localization.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/UnknownFileType.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/created.rid
S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/js/search_index.js
S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/table_of_contents.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/Backend/cdesc-Backend.ri
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/Gettext/cdesc-Gettext.ri
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/Locale/Tag/cdesc-Tag.ri
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/Locale/cdesc-Locale.ri
S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/MissingTranslation/Base/cdesc-Base.ri
added       /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/MissingTranslation/Base/titleize-i.ri
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/Tests/Localization/cdesc-Localization.ri
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/Tests/cdesc-Tests.ri
S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/cdesc-I18n.ri
S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/cache.ri
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/created.rid


Diff of the actual fix:

diff -ru 1/usr/share/ruby/gems/gems/i18n-0.6.1/lib/i18n/exceptions.rb 2/usr/share/ruby/gems/gems/i18n-0.6.1/lib/i18n/exceptions.rb
--- 1/usr/share/ruby/gems/gems/i18n-0.6.1/lib/i18n/exceptions.rb        2013-02-08 17:38:25.000000000 +0100
+++ 2/usr/share/ruby/gems/gems/i18n-0.6.1/lib/i18n/exceptions.rb        2013-12-26 14:28:20.000000000 +0100
@@ -1,3 +1,5 @@
+require 'cgi'
+
 module I18n
   # Handles exceptions raised in the backend. All exceptions except for
   # MissingTranslationData exceptions are re-thrown. When a MissingTranslationData
@@ -45,8 +47,9 @@
       end

       def html_message
-        key = keys.last.to_s.gsub('_', ' ').gsub(/\b('?[a-z])/) { $1.capitalize }
-        %(<span class="translation_missing" title="translation missing: #{keys.join('.')}">#{key}</span>)
+        key  = CGI.escape_html titleize(keys.last)
+        path = CGI.escape_html keys.join('.')
+        %(<span class="translation_missing" title="translation missing: #{path}">#{key}</span>)
       end

       def keys
@@ -63,6 +66,13 @@
       def to_exception
         MissingTranslationData.new(locale, key, options)
       end
+
+      protected
+
+      # TODO : remove when #html_message is removed
+      def titleize(key)
+        key.to_s.gsub('_', ' ').gsub(/\b('?[a-z])/) { $1.capitalize }
+      end
     end

     include Base
diff -ru 1/usr/share/ruby/gems/specifications/i18n-0.6.1.gemspec 2/usr/share/ruby/gems/specifications/i18n-0.6.1.gemspec
--- 1/usr/share/ruby/gems/specifications/i18n-0.6.1.gemspec     2013-02-08 17:38:25.000000000 +0100
+++ 2/usr/share/ruby/gems/specifications/i18n-0.6.1.gemspec     2013-12-26 14:28:20.000000000 +0100
@@ -12,7 +12,7 @@
   s.homepage = "http://github.com/svenfuchs/i18n"
   s.require_paths = ["lib"]
   s.rubyforge_project = "[none]"
-  s.rubygems_version = "1.8.24"
+  s.rubygems_version = "1.8.27"
   s.summary = "New wave Internationalization support for Ruby"

   if s.respond_to? :specification_version then

CC: (none) => stormi

I looked at the diff between the RPMs: the change concerns only exception handling when translations are missing. The only risk of regression is when such an exception is triggered, so testing procedure should be the following (for someone who knows rails ideally):

- with the current version in Mageia 3, make it try (and fail) to translate this string: 
-------------------
<SCRIPT language=javascript>
       alert("Vulnerable")
</SCRIPT>
-------------------

If I'm not mistaken, you should see a popup saying "Vulnerable".

- Now test with the update candidate: it should not show a popup anymore.

Whiteboard: advisory => advisory has_procedure

Testing OK both archs, using a simple ruby script that makes a translation.

---
#!/usr/bin/ruby
require 'i18n'

print I18n::translate('<script language="javascript">alert("vulnerable");</script>')
print "\n"
---


In fact this script is not ok, but I didn't find how to make it echo HTML output instead of raw text, so in addition to this I had to exchange the message and html_message methods in /usr/share/ruby/gems/gems/i18n-0.6.1/lib/i18n/exceptions.rb, just for testing.


Before:
$ ./test.rb 
<span class="translation_missing" title="translation missing: en.<script language="javascript">alert("vulnerable");</script>_html"><Script Language="Javascript">Alert("Vulnerable");</Script> Html</span>

=> html tags haven't been escaped

With the update candidate:
$ ./test.rb 
<span class="translation_missing" title="translation missing: en.&lt;script language=&quot;javascript&quot;&gt;alert(&quot;vulnerable&quot;);&lt;/script&gt;_html">&lt;Script Language=&quot;Javascript&quot;&gt;Alert(&quot;Vulnerable&quot;);&lt;/Script&gt; Html</span>

Whiteboard: advisory => advisory has_procedure MGA3-32-OK MGA3-64-OK

Validating.

Could sysadmin please push from 3 core/updates_testing to updates

thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Update pushed:
http://advisories.mageia.org/MGASA-2014-0017.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED