CVE-2012-1099: Cross-site scripting (XSS) vulnerability

Bug #1030984 reported by Felix Geyer
Affects                        Status        Importance  Assigned to  Milestone
ruby-actionpack-2.3 (Ubuntu)   Invalid       Undecided   Unassigned
  Oneiric                      Fix Released  Undecided   Unassigned
  Precise                      Fix Released  Undecided   Unassigned

Bug Description

Cross-site scripting (XSS) vulnerability in
actionpack/lib/action_view/helpers/form_options_helper.rb in the select
helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x
before 3.2.2 allows remote attackers to inject arbitrary web script or HTML
via vectors involving certain generation of OPTION elements within SELECT
elements.
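The description above names the defect class only in outline: data that reaches the OPTION markup generated by a select helper without HTML escaping. As an added illustration (not code from Rails, from the Debian patch, or from this report), the toy Ruby helper below puts an unescaped OPTION builder next to an escaped one and renders a constructed untrusted value through both; the function names, the `data-note` attribute and the sample value are all assumptions made for the example.

```ruby
require 'cgi'

# Added illustration, not the Rails select helper: a minimal OPTION-tag
# builder in the same spirit. All names and inputs here are constructed.

# Vulnerable form: text, value and extra attributes are interpolated
# verbatim, so a value containing `"` or `<` can close the attribute or
# the tag and supply its own markup.
def option_tag_unescaped(text, value, attrs = {})
  attr_html = attrs.map { |k, v| %( #{k}="#{v}") }.join
  %(<option value="#{value}"#{attr_html}>#{text}</option>)
end

# Hardened form: every text node and attribute value goes through
# CGI.escapeHTML, which rewrites & < > " and ' as entities so the data
# stays inside the attribute or text node it was placed in.
def option_tag_escaped(text, value, attrs = {})
  attr_html = attrs.map do |k, v|
    %( #{CGI.escapeHTML(k.to_s)}="#{CGI.escapeHTML(v.to_s)}")
  end.join
  %(<option value="#{CGI.escapeHTML(value.to_s)}"#{attr_html}>) +
    %(#{CGI.escapeHTML(text.to_s)}</option>)
end

# Builds the OPTION list of a SELECT from [text, value, attrs] triples and
# marks the choice matching `selected` (escaped path only).
def options_for_select_escaped(choices, selected: nil)
  choices.map do |text, value, attrs|
    attrs = (attrs || {}).dup
    attrs[:selected] = 'selected' if value == selected
    option_tag_escaped(text, value, attrs)
  end.join("\n")
end

# Simple check for a test or a template linter: true when the untrusted
# string survives verbatim in the rendered markup, i.e. it was not escaped.
def markup_breakout?(html, untrusted)
  html.include?(untrusted)
end

# Constructed untrusted input: a value that tries to close the value
# attribute and the tag so that its own markup follows.
UNTRUSTED_VALUE = '"><b>injected</b>'.freeze

if __FILE__ == $0
  puts option_tag_unescaped('Tab', UNTRUSTED_VALUE)
  puts option_tag_escaped('Tab', UNTRUSTED_VALUE)
  puts options_for_select_escaped(
    [['Tab', 'tab'], ['Quote', UNTRUSTED_VALUE, { 'data-note' => 'a&b' }]],
    selected: UNTRUSTED_VALUE
  )
end
```

Running the file prints the breakout in the first line and the neutralised entities in the second; the `markup_breakout?` check is the kind of assertion worth keeping in a view-helper test suite so a regression in escaping fails the build rather than shipping.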

Felix Geyer (debfx) wrote :

I'm attaching debdiffs for oneiric and precise.
I think the code lives in the rails package in natty and earlier releases.

Felix Geyer (debfx) wrote :
Changed in ruby-actionpack-2.3 (Ubuntu):
status: New → Incomplete
status: Incomplete → Invalid
Tyler Hicks (tyhicks) wrote :

Thanks, Felix! The debdiffs look good. I added Description and Origin patch tags, but that's obviously minor.

I'll get these built and released soon.

Changed in ruby-actionpack-2.3 (Ubuntu Oneiric):
status: New → Confirmed
Changed in ruby-actionpack-2.3 (Ubuntu Precise):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby-actionpack-2.3 - 2.3.14-2ubuntu0.12.04.1

---------------
ruby-actionpack-2.3 (2.3.14-2ubuntu0.12.04.1) precise-security; urgency=low

  * SECURITY UPDATE: Cross-site scripting vulnerability (LP: #1030984)
    - debian/patches/CVE-2012-1099.patch: patch from Debian
    - CVE-2012-1099
 -- Felix Geyer <email address hidden> Mon, 30 Jul 2012 19:40:28 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby-actionpack-2.3 - 2.3.14-2ubuntu0.11.10.1

---------------
ruby-actionpack-2.3 (2.3.14-2ubuntu0.11.10.1) oneiric-security; urgency=low

  * SECURITY UPDATE: Cross-site scripting vulnerability (LP: #1030984)
    - debian/patches/CVE-2012-1099.patch: patch from Debian
    - CVE-2012-1099
 -- Felix Geyer <email address hidden> Mon, 30 Jul 2012 19:40:28 +0200

Changed in ruby-actionpack-2.3 (Ubuntu Oneiric):
status: Confirmed → Fix Released
Changed in ruby-actionpack-2.3 (Ubuntu Precise):
status: Confirmed → Fix Released