Your message dated Sat, 09 May 2020 11:53:52 +0100
with message-id
<fd7fa4d56896c35aab49a5a51cb69727dc60e87a.ca...@adam-barratt.org.uk>
and subject line Closing requests included in 10.4 point release
has caused the Debian Bug report #954714,
regarding buster-pu: package rails/2:5.2.2.1+dfsg-1+deb10u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
954714: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954714
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
User: [email protected]
Usertags: pu
Tags: buster
Severity: normal
Hiya,
rails seemed to be affected by CVE-2020-5267.
This has been fixed in Sid and Jessie already.
Here's the debdiff:
8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------
diff -Nru rails-5.2.2.1+dfsg/debian/changelog
rails-5.2.2.1+dfsg/debian/changelog
--- rails-5.2.2.1+dfsg/debian/changelog 2019-03-17 17:44:07.000000000 +0530
+++ rails-5.2.2.1+dfsg/debian/changelog 2020-03-22 18:47:31.000000000 +0530
@@ -1,3 +1,11 @@
+rails (2:5.2.2.1+dfsg-1+deb10u1) buster; urgency=high
+
+ * Team upload.
+ * Add patch to fix possible XSS vector in JS escape helper.
+ (Fixes: CVE-2020-5267) (Closes: #954304)
+
+ -- Utkarsh Gupta <[email protected]> Sun, 22 Mar 2020 18:47:31 +0530
+
rails (2:5.2.2.1+dfsg-1) unstable; urgency=medium
* Team upload
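Review bot: the changelog entry cites CVE-2020-5267 and closes #954304, which matches the `Bug-Debian:` line of the new patch header, so the cross-references are consistent; one style nit, the new entry writes `Team upload.` with a trailing period while the previous entry's `Team upload` has none, and it is worth keeping one form in the file.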
diff -Nru rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch
rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch
--- rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch
1970-01-01 05:30:00.000000000 +0530
+++ rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch
2020-03-22 18:47:04.000000000 +0530
@@ -0,0 +1,48 @@
+Description: Fix possible XSS vector in JS escape helper
+ This commit escapes dollar signs and backticks to prevent
+ JS XSS issues when using the `j` or `javascript_escape` helper
+Author: Aaron Patterson <[email protected]>
+Author: Utkarsh Gupta <[email protected]>
+Origin: https://www.openwall.com/lists/oss-security/2020/03/19/1/1
+Bug-Debian: https://bugs.debian.org/954304
+Last-Update: 2020-03-19
+
+--- a/actionview/lib/action_view/helpers/javascript_helper.rb
++++ b/actionview/lib/action_view/helpers/javascript_helper.rb
+@@ -12,7 +12,9 @@
+ "\n" => '\n',
+ "\r" => '\n',
+ '"' => '\\"',
+- "'" => "\\'"
++ "'" => "\\'",
++ "`" => "\\`",
++ "$" => "\\$"
+ }
+
+
JS_ESCAPE_MAP["\342\200\250".dup.force_encoding(Encoding::UTF_8).encode!]
= "
"
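Review bot: the context lines of this region (the `JS_ESCAPE_MAP["\342\200\250"...]` assignment) appear to have been line-wrapped and the U+2028 value turned into a raw line break by the mail client, so the debdiff as pasted in this mail will not apply with `patch`; the attachment or the uploaded source package should be used for review instead. On substance the two new map entries are sound: `` \` `` and `\$` are valid escape sequences both in ordinary single- and double-quoted JavaScript string literals and inside template literals, so callers that interpolate `j` output into quoted strings keep working, while a `${...}` sequence inside a template literal can no longer start an interpolation from escaped input.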
+@@ -26,7 +28,7 @@
+ # $('some_element').replaceWith('<%= j render
'some/element_template' %>');
+ def escape_javascript(javascript)
+ if javascript
+- result =
javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) {
|match| JS_ESCAPE_MAP[match] }
++ result =
javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u,
JS_ESCAPE_MAP)
+ javascript.html_safe? ? result.html_safe : result
+ else
+ ""
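Review bot: the new alternatives `[`]|[$]` in the replacement `gsub` regexp are single-character classes that could simply be folded into the existing `[\n\r"']` class; carrying the upstream form verbatim is still the better choice because it keeps future rebases a plain apply, so no change is needed, but the DEP-3 header could say that the hunk is unmodified upstream code. The call also moves from the block form `{ |match| JS_ESCAPE_MAP[match] }` to the hash form `gsub(regexp, JS_ESCAPE_MAP)`: with a hash, a match that has no key is replaced by an empty string, so every alternative in the regexp must have a key in `JS_ESCAPE_MAP`; only the four keys shown in the context above are visible here, so the remaining alternatives (`\\`, `</`, `\r\n`, U+2028, U+2029) should be checked against the full file. The escaping still only makes a value safe inside a JavaScript string or template literal, which is the same scope `escape_javascript` had before this change.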
+--- a/actionview/test/template/javascript_helper_test.rb
++++ b/actionview/test/template/javascript_helper_test.rb
+@@ -32,6 +32,14 @@
+ assert_equal %(dont <\\/close> tags), j(%(dont </close> tags))
+ end
+
++ def test_escape_backtick
++ assert_equal "\\`", escape_javascript("`")
++ end
++
++ def test_escape_dollar_sign
++ assert_equal "\\$", escape_javascript("$")
++ end
++
+ def test_escape_javascript_with_safebuffer
+ given = %('quoted' "double-quoted" new-line:\n </closed>)
+ expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>)
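Review bot: the two new tests check a lone backtick and a lone dollar sign but not the `${` pair that actually matters for template literals, nor the `html_safe` branch at `javascript.html_safe? ? result.html_safe : result` from the hunk above. Suggest adding, next to `test_escape_dollar_sign`, a case such as `assert_equal "\\${x}", escape_javascript("${x}")` and one through the `j` alias with an `html_safe` input, so that the safety flag is verified to survive the new escapes.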
diff -Nru rails-5.2.2.1+dfsg/debian/patches/series
rails-5.2.2.1+dfsg/debian/patches/series
--- rails-5.2.2.1+dfsg/debian/patches/series 2019-03-17
17:44:07.000000000 +0530
+++ rails-5.2.2.1+dfsg/debian/patches/series 2020-03-22
18:46:39.000000000 +0530
@@ -1,2 +1,3 @@
0001-Be-careful-with-that-bundler.patch
0002-disable-uglify-in-activestorage-rollup-config-js.patch
+CVE-2020-5267.patch
8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------
Best,
Utkarsh
---
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.4
Hi,
Each of the uploads referred to by these bugs was included in today's
stable point release.
Regards,
Adam
--- End Message ---