Bug 12095 - ruby-i18n new security issue CVE-2013-4492
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/578024/
Whiteboard: advisory has_procedure MGA3-32-OK MGA...
Keywords: validated_update
Reported: 2013-12-23 16:24 CET by David Walser
Modified: 2014-01-21 17:37 CET (History)
CC: 6 users

Source RPM: ruby-i18n
Description David Walser 2013-12-23 16:24:45 CET
OpenSuSE has issued an advisory today:
http://lists.opensuse.org/opensuse-updates/2013-12/msg00093.html

Comment 1 Oden Eriksson 2013-12-26 14:32:17 CET
Fixed with ruby-i18n-0.6.1-3.1.mga3 + ruby-i18n-0.6.4-5.mga4.

Someone will have to submit ruby-i18n-0.6.4-5.mga4 though.
Comment 2 David Walser 2013-12-27 14:24:02 CET
The patched package has now been uploaded in Cauldron.  Thanks Oden!

Advisory:
========================

Updated ruby-i18n packages fix a security vulnerability:

Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n gem
before 0.6.6 for Ruby allows remote attackers to inject arbitrary web script
or HTML via a crafted I18n::MissingTranslationData.new call (CVE-2013-4492).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4492
http://lists.opensuse.org/opensuse-updates/2013-12/msg00093.html
========================

Updated packages in core/updates_testing:
========================
ruby-i18n-0.6.1-3.1.mga3
ruby-i18n-doc-0.6.1-3.1.mga3

from ruby-i18n-0.6.1-3.1.mga3.src.rpm
Comment 3 Samuel Verschelde 2014-01-17 11:48:54 CET
Here are the changes rpmdiff shows in the rpms. Apparently, lots of changes in the documentation. The fix itself is in /usr/share/ruby/gems/gems/i18n-0.6.1/lib/i18n/exceptions.rb

*** rpmdiff output between ruby-i18n-0.6.1-3.mga3.noarch.rpm and ruby-i18n-0.6.1-3.1.mga3.noarch.rpm ***
S.5........ /usr/share/ruby/gems/gems/i18n-0.6.1/lib/i18n/exceptions.rb
..5........ /usr/share/ruby/gems/specifications/i18n-0.6.1.gemspec

*** rpmdiff output between ruby-i18n-doc-0.6.1-3.mga3.noarch.rpm and ruby-i18n-doc-0.6.1-3.1.mga3.noarch.rpm ***
removed     REQUIRES ruby-i18n = 0.6.1-3.mga3
added       REQUIRES ruby-i18n = 0.6.1-3.1.mga3
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/Backend.html
S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/ExceptionHandler.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/Gettext.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/InvalidLocale.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/InvalidLocaleData.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/InvalidPluralizationData.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/Locale.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/Locale/Tag.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/MissingInterpolationArgument.html
S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/MissingTranslation/Base.html
S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/ReservedInterpolationKey.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/Tests.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/Tests/Localization.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/UnknownFileType.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/created.rid
S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/js/search_index.js
S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/table_of_contents.html
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/Backend/cdesc-Backend.ri
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/Gettext/cdesc-Gettext.ri
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/Locale/Tag/cdesc-Tag.ri
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/Locale/cdesc-Locale.ri
S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/MissingTranslation/Base/cdesc-Base.ri
added       /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/MissingTranslation/Base/titleize-i.ri
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/Tests/Localization/cdesc-Localization.ri
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/Tests/cdesc-Tests.ri
S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/cdesc-I18n.ri
S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/cache.ri
..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/created.rid


Diff of the actual fix:

diff -ru 1/usr/share/ruby/gems/gems/i18n-0.6.1/lib/i18n/exceptions.rb 2/usr/share/ruby/gems/gems/i18n-0.6.1/lib/i18n/exceptions.rb
--- 1/usr/share/ruby/gems/gems/i18n-0.6.1/lib/i18n/exceptions.rb        2013-02-08 17:38:25.000000000 +0100
+++ 2/usr/share/ruby/gems/gems/i18n-0.6.1/lib/i18n/exceptions.rb        2013-12-26 14:28:20.000000000 +0100
@@ -1,3 +1,5 @@
+require 'cgi'
+
 module I18n
   # Handles exceptions raised in the backend. All exceptions except for
   # MissingTranslationData exceptions are re-thrown. When a MissingTranslationData
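Review bot: the new top-level `require 'cgi'` is the right place for it, but the helper it is there for, `CGI.escape_html` (used in the html_message hunk below), is the snake_case alias rather than the classic `CGI.escapeHTML`; confirm that the Ruby shipped for both targets provides the alias, otherwise the fix would raise NoMethodError at exactly the moment a translation is missing.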
@@ -45,8 +47,9 @@
       end

       def html_message
-        key = keys.last.to_s.gsub('_', ' ').gsub(/\b('?[a-z])/) { $1.capitalize }
-        %(<span class="translation_missing" title="translation missing: #{keys.join('.')}">#{key}</span>)
+        key  = CGI.escape_html titleize(keys.last)
+        path = CGI.escape_html keys.join('.')
+        %(<span class="translation_missing" title="translation missing: #{path}">#{key}</span>)
       end

       def keys
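Review bot: the order in `key  = CGI.escape_html titleize(keys.last)` is the important detail and it is correct: titleize runs on the raw key and escaping is applied last, so `<` becomes `&lt;` instead of titleize later capitalizing an entity name into `&Lt;`. Both interpolations are now covered, including the double-quoted title attribute, where `CGI.escape_html` turning `"` into `&quot;` is what keeps a key from closing the attribute; a one-line comment above `def html_message` stating that keys are untrusted input would stop a future refactor from dropping the escaping.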
@@ -63,6 +66,13 @@
       def to_exception
         MissingTranslationData.new(locale, key, options)
       end
+
+      protected
+
+      # TODO : remove when #html_message is removed
+      def titleize(key)
+        key.to_s.gsub('_', ' ').gsub(/\b('?[a-z])/) { $1.capitalize }
+      end
     end

     include Base
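Review bot: no regression test accompanies the new `titleize` helper or the escaping change; a unit test asserting that `html_message` for a key containing `<` and `"` yields `&lt;` and `&quot;` and no raw characters would pin CVE-2013-4492 closed across future rebases. The `protected` placement is right, since `Base` is included into the exception classes (`include Base`), and the TODO tying the helper's lifetime to `#html_message` is a useful marker.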
diff -ru 1/usr/share/ruby/gems/specifications/i18n-0.6.1.gemspec 2/usr/share/ruby/gems/specifications/i18n-0.6.1.gemspec
--- 1/usr/share/ruby/gems/specifications/i18n-0.6.1.gemspec     2013-02-08 17:38:25.000000000 +0100
+++ 2/usr/share/ruby/gems/specifications/i18n-0.6.1.gemspec     2013-12-26 14:28:20.000000000 +0100
@@ -12,7 +12,7 @@
   s.homepage = "http://github.com/svenfuchs/i18n"
   s.require_paths = ["lib"]
   s.rubyforge_project = "[none]"
-  s.rubygems_version = "1.8.24"
+  s.rubygems_version = "1.8.27"
   s.summary = "New wave Internationalization support for Ruby"

   if s.respond_to? :specification_version then
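Review bot: the `s.rubygems_version` bump from 1.8.24 to 1.8.27 is unrelated to the security fix and appears to be a side effect of the gemspec being regenerated by a newer rubygems at build time; it is harmless, but noting it in the changelog keeps reviewers from reading it as an intended change.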
Comment 4 Samuel Verschelde 2014-01-20 10:53:26 CET
I looked at the diff between the RPMs: the change concerns only exception handling when translations are missing. The only risk of regression is when such an exception is triggered, so the testing procedure should be the following (ideally for someone who knows Rails):

- with the current version in Mageia 3, make it try (and fail) to translate this string: 
-------------------
<SCRIPT language=javascript>
       alert("Vulnerable")
</SCRIPT>
-------------------

If I'm not mistaken, you should see a popup saying "Vulnerable".

- Now test with the update candidate: it should not show a popup anymore.
Comment 5 Samuel Verschelde 2014-01-20 11:40:44 CET
Testing OK on both archs, using a simple ruby script that makes a translation.

---
#!/usr/bin/ruby
require 'i18n'

print I18n::translate('<script language="javascript">alert("vulnerable");</script>')
print "\n"
---


In fact this script is not ok, but I didn't find how to make it echo HTML output instead of raw text, so in addition to this I had to exchange the message and html_message methods in /usr/share/ruby/gems/gems/i18n-0.6.1/lib/i18n/exceptions.rb, just for testing.


Before:
$ ./test.rb 
<span class="translation_missing" title="translation missing: en.<script language="javascript">alert("vulnerable");</script>_html"><Script Language="Javascript">Alert("Vulnerable");</Script> Html</span>

=> HTML tags haven't been escaped

With the update candidate:
$ ./test.rb 
<span class="translation_missing" title="translation missing: en.&lt;script language=&quot;javascript&quot;&gt;alert(&quot;vulnerable&quot;);&lt;/script&gt;_html">&lt;Script Language=&quot;Javascript&quot;&gt;Alert(&quot;Vulnerable&quot;);&lt;/Script&gt; Html</span>
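As an added example (not code from the i18n gem or from this bug report), the following stand-alone Ruby replica of the html_message method before and after the patch, using only the cgi standard library, lets the check from comments 4 and 5 run without swapping methods in the installed gem; the module name, method names and the sample key list are my own, and the sample key is the one from comment 5.

```ruby
require 'cgi'

# Added example, not code from the i18n gem or from this bug report: a
# stand-alone replica of I18n::MissingTranslation::Base#html_message as it
# was before and after the CVE-2013-4492 patch, plus the check a tester can
# run on the output. Module and method names are my own.
module MissingTranslationDemo
  module_function

  # Same transformation as the patched gem's titleize helper.
  def titleize(key)
    key.to_s.gsub('_', ' ').gsub(/\b('?[a-z])/) { $1.capitalize }
  end

  # Pre-patch behaviour: the lookup keys land in the markup unescaped.
  def html_message_vulnerable(keys)
    key = titleize(keys.last)
    %(<span class="translation_missing" title="translation missing: #{keys.join('.')}">#{key}</span>)
  end

  # Patched behaviour: titleize first, then HTML-escape both values.
  # Escaping before titleize would mangle entities ("&lt;" -> "&Lt;").
  def html_message_fixed(keys)
    key  = CGI.escape_html(titleize(keys.last))
    path = CGI.escape_html(keys.join('.'))
    %(<span class="translation_missing" title="translation missing: #{path}">#{key}</span>)
  end

  # Only this wrapper may appear: the title value must not contain a raw
  # quote, and neither part may contain raw angle brackets or quotes.
  WRAPPER = %r{\A<span class="translation_missing" title="translation missing: ([^"]*)">(.*)</span>\z}m

  # True when the markup carries no unescaped HTML from the lookup key.
  def escaped?(markup)
    m = WRAPPER.match(markup)
    return false unless m
    [m[1], m[2]].none? { |part| part =~ /[<>"]/ }
  end
end

# Constructed sample: the key used in comment 5, as the gem would split it
# into [locale, key] after the lookup failed.
SAMPLE_KEYS = [:en, '<script language="javascript">alert("vulnerable");</script>_html']

if __FILE__ == $0
  puts MissingTranslationDemo.html_message_vulnerable(SAMPLE_KEYS)
  puts MissingTranslationDemo.html_message_fixed(SAMPLE_KEYS)
end
```

Run it once against the sample key: the first line reproduces the unescaped output shown in the "Before" block above and the second reproduces the escaped output of the update candidate.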
Comment 6 claire robinson 2014-01-20 13:30:38 CET
Validating.

Could sysadmin please push from 3 core/updates_testing to updates

thanks
Comment 7 Thomas Backlund 2014-01-21 17:37:52 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0017.html
