OpenSuSE has issued an advisory today: http://lists.opensuse.org/opensuse-updates/2013-12/msg00093.html
Blocks: (none) => 11726
Whiteboard: (none) => MGA3TOO
URL: (none) => http://lwn.net/Vulnerabilities/578024/
Fixed with ruby-i18n-0.6.1-3.1.mga3 + ruby-i18n-0.6.4-5.mga4. Someone will have to submit ruby-i18n-0.6.4-5.mga4 though.
CC: (none) => oe
The patched package has now been uploaded in Cauldron. Thanks Oden!

Advisory:
========================

Updated ruby-i18n packages fix a security vulnerability:

Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n gem before 0.6.6 for Ruby allows remote attackers to inject arbitrary web script or HTML via a crafted I18n::MissingTranslationData.new call (CVE-2013-4492).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4492
http://lists.opensuse.org/opensuse-updates/2013-12/msg00093.html
========================

Updated packages in core/updates_testing:
========================
ruby-i18n-0.6.1-3.1.mga3
ruby-i18n-doc-0.6.1-3.1.mga3

from ruby-i18n-0.6.1-3.1.mga3.src.rpm
CC: (none) => fundawang
Version: Cauldron => 3
Assignee: fundawang => qa-bugs
Whiteboard: MGA3TOO => (none)
Blocks: 11726 => (none)
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
Severity: normal => major
Here are the changes rpmdiff shows in the rpms. Apparently, lots of changes in the documentation. The fix itself is in /usr/share/ruby/gems/gems/i18n-0.6.1/lib/i18n/exceptions.rb *** rpmdiff output between ruby-i18n-0.6.1-3.mga3.noarch.rpm and ruby-i18n-0.6.1-3.1.mga3.noarch.rpm *** S.5........ /usr/share/ruby/gems/gems/i18n-0.6.1/lib/i18n/exceptions.rb ..5........ /usr/share/ruby/gems/specifications/i18n-0.6.1.gemspec *** rpmdiff output between ruby-i18n-doc-0.6.1-3.mga3.noarch.rpm and ruby-i18n-doc-0.6.1-3.1.mga3.noarch.rpm *** removed REQUIRES ruby-i18n = 0.6.1-3.mga3 added REQUIRES ruby-i18n = 0.6.1-3.1.mga3 ..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n.html ..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/Backend.html S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/ExceptionHandler.html ..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/Gettext.html ..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/InvalidLocale.html ..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/InvalidLocaleData.html ..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/InvalidPluralizationData.html ..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/Locale.html ..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/Locale/Tag.html ..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/MissingInterpolationArgument.html S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/MissingTranslation/Base.html S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/ReservedInterpolationKey.html ..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/Tests.html ..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/Tests/Localization.html ..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/I18n/UnknownFileType.html ..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/created.rid S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/js/search_index.js S.5........ 
/usr/share/ruby/gems/doc/i18n-0.6.1/rdoc/table_of_contents.html ..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/Backend/cdesc-Backend.ri ..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/Gettext/cdesc-Gettext.ri ..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/Locale/Tag/cdesc-Tag.ri ..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/Locale/cdesc-Locale.ri S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/MissingTranslation/Base/cdesc-Base.ri added /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/MissingTranslation/Base/titleize-i.ri ..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/Tests/Localization/cdesc-Localization.ri ..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/Tests/cdesc-Tests.ri S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/I18n/cdesc-I18n.ri S.5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/cache.ri ..5........ /usr/share/ruby/gems/doc/i18n-0.6.1/ri/created.rid Diff of the actual fix: diff -ru 1/usr/share/ruby/gems/gems/i18n-0.6.1/lib/i18n/exceptions.rb 2/usr/share/ruby/gems/gems/i18n-0.6.1/lib/i18n/exceptions.rb --- 1/usr/share/ruby/gems/gems/i18n-0.6.1/lib/i18n/exceptions.rb 2013-02-08 17:38:25.000000000 +0100 +++ 2/usr/share/ruby/gems/gems/i18n-0.6.1/lib/i18n/exceptions.rb 2013-12-26 14:28:20.000000000 +0100 @@ -1,3 +1,5 @@ +require 'cgi' + module I18n # Handles exceptions raised in the backend. All exceptions except for # MissingTranslationData exceptions are re-thrown. When a MissingTranslationData @@ -45,8 +47,9 @@ end def html_message - key = keys.last.to_s.gsub('_', ' ').gsub(/\b('?[a-z])/) { $1.capitalize } - %(<span class="translation_missing" title="translation missing: #{keys.join('.')}">#{key}</span>) + key = CGI.escape_html titleize(keys.last) + path = CGI.escape_html keys.join('.') + %(<span class="translation_missing" title="translation missing: #{path}">#{key}</span>) end def keys 
@@ -63,6 +66,13 @@ def to_exception MissingTranslationData.new(locale, key, options) end + + protected + + # TODO : remove when #html_message is removed + def titleize(key) + key.to_s.gsub('_', ' ').gsub(/\b('?[a-z])/) { $1.capitalize } + end end include Base diff -ru 1/usr/share/ruby/gems/specifications/i18n-0.6.1.gemspec 2/usr/share/ruby/gems/specifications/i18n-0.6.1.gemspec --- 1/usr/share/ruby/gems/specifications/i18n-0.6.1.gemspec 2013-02-08 17:38:25.000000000 +0100 +++ 2/usr/share/ruby/gems/specifications/i18n-0.6.1.gemspec 2013-12-26 14:28:20.000000000 +0100 @@ -12,7 +12,7 @@ s.homepage = "http://github.com/svenfuchs/i18n" s.require_paths = ["lib"] s.rubyforge_project = "[none]" - s.rubygems_version = "1.8.24" + s.rubygems_version = "1.8.27" s.summary = "New wave Internationalization support for Ruby" if s.respond_to? :specification_version then
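Review bot: the html_message hunk (@@ -45,8 +47,9 @@) ships without a test that exercises the new escaping; a spec that builds MissingTranslationData with a key containing `<`, `"` and `&` and asserts that the span's title attribute and body contain only the escaped forms would guard the fix against regression instead of relying on the manual check done later in this bug. The escaping itself looks correct: both interpolated values (the titleized key and the dotted path) go through CGI.escape_html, and since the title attribute is double-quoted it matters that escape_html also converts `"`, which it does.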
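Review bot: the gemspec hunk only bumps s.rubygems_version from "1.8.24" to "1.8.27", which is a side effect of the gem being repackaged with a newer rubygems rather than part of the CVE-2013-4492 fix; it is harmless, but a line in the changelog would stop a reader diffing the RPMs from looking for a functional change there.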
CC: (none) => stormi
I looked at the diff between the RPMs: the change concerns only exception handling when translations are missing. The only risk of regression is when such an exception is triggered, so the testing procedure should be the following (for someone who knows Rails, ideally):

- With the current version in Mageia 3, make it try (and fail) to translate this string:
-------------------
<SCRIPT language=javascript> alert("Vulnerable") </SCRIPT>
-------------------
If I'm not mistaken, you should see a popup saying "Vulnerable".

- Now test with the update candidate: it should not show a popup anymore.
Whiteboard: advisory => advisory has_procedure
Whiteboard: advisory has_procedure => advisory
Testing OK on both archs, using a simple ruby script that makes a translation.
---
#!/usr/bin/ruby
require 'i18n'
# Ask for a key that has no translation; the missing-translation handler builds the message.
print I18n::translate('<script language="javascript">alert("vulnerable");</script>')
print "\n"
---
In fact this script is not ok, but I didn't find how to make it echo HTML output instead of raw text, so in addition to this I had to exchange the message and html_message methods in /usr/share/ruby/gems/gems/i18n-0.6.1/lib/i18n/exceptions.rb, just for testing.

Before:
$ ./test.rb
<span class="translation_missing" title="translation missing: en.<script language="javascript">alert("vulnerable");</script>_html"><Script Language="Javascript">Alert("Vulnerable");</Script> Html</span>
=> html tags haven't been escaped

With the update candidate:
$ ./test.rb
<span class="translation_missing" title="translation missing: en.<script language="javascript">alert("vulnerable");</script>_html"><Script Language="Javascript">Alert("Vulnerable");</Script> Html</span>
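As an added example (not the reporter's script and not the i18n gem's own code), the two html_message bodies from the diff above, reimplemented under the hypothetical names html_message_vulnerable and html_message_fixed with a constructed key, so the effect of the escaping can be checked without swapping methods in the installed gem as the test above had to:

```ruby
require 'cgi'

# Constructed sample key: the same kind of markup the test procedure in this
# bug asks the translator to fail on (no translation exists for it).
SAMPLE_KEYS = [:en, '<script>alert("vulnerable")</script>'].freeze

# The helper the patch adds to exceptions.rb: underscores become spaces,
# then the first letter of each word is capitalized.
def titleize(key)
  key.to_s.gsub('_', ' ').gsub(/\b('?[a-z])/) { $1.capitalize }
end

# Hypothetical name for the pre-fix body: key and path are interpolated raw,
# so a key containing markup lands unescaped in the attribute and the body.
def html_message_vulnerable(keys)
  key = titleize(keys.last)
  %(<span class="translation_missing" title="translation missing: #{keys.join('.')}">#{key}</span>)
end

# Hypothetical name for the post-fix body from the patch: both values pass
# through CGI.escape_html, which turns & < > " and ' into entities.
def html_message_fixed(keys)
  key  = CGI.escape_html titleize(keys.last)
  path = CGI.escape_html keys.join('.')
  %(<span class="translation_missing" title="translation missing: #{path}">#{key}</span>)
end

# Counts tag-like tokens; a well-formed message has exactly two
# (<span ...> and </span>), so anything above that is injected markup.
def tag_count(html)
  html.scan(/<[^>]*>/).size
end

def only_wrapper_tags?(html)
  tag_count(html) == 2
end

if __FILE__ == $0
  [['vulnerable', html_message_vulnerable(SAMPLE_KEYS)],
   ['fixed', html_message_fixed(SAMPLE_KEYS)]].each do |label, html|
    puts "#{label} (#{tag_count(html)} tags): #{html}"
  end
end
```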
Whiteboard: advisory => advisory has_procedure MGA3-32-OK MGA3-64-OK
Validating. Could sysadmin please push from 3 core/updates_testing to updates? Thanks.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0017.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED