Bug 12387 - ruby-will_paginate new security issue CVE-2013-6459
Summary: ruby-will_paginate new security issue CVE-2013-6459
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/581552/
Whiteboard: has_procedure advisory mga3-32-ok mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-01-21 20:56 CET by David Walser
Modified: 2014-02-11 23:53 CET (History)

See Also:
Source RPM: ruby-will_paginate-3.0.3-6.mga4.src.rpm
CVE:
Status comment:


Attachments

David Walser 2014-01-21 20:57:15 CET

CC: (none) => pterjan
Blocks: (none) => 11726
Whiteboard: (none) => MGA3TOO

Comment 1 Philippe Makowski 2014-01-25 13:22:05 CET
Advisory:
========================

Updated ruby-will_paginate packages fix security vulnerability:
Cross-Site Scripting (XSS) vulnerabilities were found in the
will_paginate gem for Ruby, where certain input related to
generated pagination links was not properly sanitised before being
returned. This could be exploited to execute arbitrary HTML and
script code in a user's browser session in the context of an affected
site. (CVE-2013-6459).


References:

https://lists.fedoraproject.org/pipermail/package-announce/2014-January/126924.html
CVE Request:
http://seclists.org/oss-sec/2013/q4/550

Updated packages in core/updates_testing:
========================

ruby-will_paginate-doc-3.0.3-3.1.mga3.noarch.rpm
ruby-will_paginate-3.0.3-3.1.mga3.noarch.rpm

from ruby-will_paginate-3.0.3-3.1.mga3.src.rpm


Freeze push asked for ruby-will_paginate-3.0.5-1.mga4

CC: (none) => makowski.mageia
Assignee: fundawang => qa-bugs

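As an added illustration of the bug class the advisory above describes, not code from will_paginate or from its 3.0.5 fix: a pagination helper that interpolates the request's query parameters straight into an href lets a parameter value close the attribute and inject markup, while URL-encoding each parameter and HTML-escaping the resulting href keeps the same value inert. The helper names, the /items path and the hostile parameter value are all constructed for this example.

```ruby
require 'cgi'
require 'uri'

# Constructed sample request parameters. The value of 'q' is a hypothetical
# attacker-controlled string, not an input taken from the bug report.
HOSTILE_PARAMS = { 'q' => '"><script>alert(1)</script>', 'page' => '2' }

# Vulnerable pattern (illustrative only, not will_paginate's implementation):
# the query string is rebuilt from the request parameters and interpolated
# into the href attribute with no URL encoding and no HTML escaping, so a
# parameter value containing '">' closes the attribute and the tag.
def vulnerable_page_link(params, page)
  query = params.merge('page' => page.to_s).map { |k, v| "#{k}=#{v}" }.join('&')
  %(<a href="/items?#{query}">#{page}</a>)
end

# Hardened pattern: URL-encode every key and value for the query string
# (URI.encode_www_form percent-encodes quotes, angle brackets and parens),
# then HTML-escape the whole href before embedding it in the attribute, and
# only ever render the page number as an integer.
def safe_page_link(params, page)
  query = URI.encode_www_form(params.merge('page' => page.to_s))
  %(<a href="/items?#{CGI.escapeHTML(query)}">#{Integer(page)}</a>)
end

# Small check a reviewer can run over generated markup: did any input break
# out of the href attribute or introduce a script tag?
def breaks_out_of_attribute?(html)
  html.include?('"><') || html.include?('<script')
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_page_link(HOSTILE_PARAMS, 2)
  puts safe_page_link(HOSTILE_PARAMS, 2)
end
```

Running the file prints the two links; the first carries a live script tag after the broken href, the second carries only percent-encoded text and an `&amp;` separator. The same two-step treatment (encode for the URL, then escape for the HTML context) is what any view helper that reflects request parameters into generated links needs; escaping for only one of the two contexts is where this class of bug comes from.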
Comment 2 David Walser 2014-01-25 16:30:47 CET
Thanks Philippe!  I'll leave it blocking the tracker until it's pushed in Cauldron.

Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)

Comment 3 David Walser 2014-01-25 17:10:38 CET
I don't see a freeze push request on the mailing list.

Comment 4 David Walser 2014-01-25 20:10:34 CET
ruby-will_paginate-3.0.5-1.mga4 uploaded for Cauldron.

Blocks: 11726 => (none)

Comment 5 claire robinson 2014-02-11 14:53:25 CET
This is really a rails thing so testing will be limited to ensuring it updates cleanly and loads in irb.

Testing complete mga3 32 & 64

$ irb
irb(main):001:0> require 'will_paginate'
=> true

Whiteboard: (none) => has_procedure mga3-32-ok mga3-64-ok

Comment 6 claire robinson 2014-02-11 14:59:09 CET
Advisory uploaded. Validating.

Could sysadmin please push to 3 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok mga3-64-ok => has_procedure advisory mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2014-02-11 23:53:06 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0054.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

