Re: RFC: ruby-loofah 2.2.3-1+deb10u2
Hey Utkarsh,

On Friday, 17.03.2023 at 01:23 +0100 Daniel Leidert wrote:
> On Friday, 17.03.2023 at 04:58 +0530 Utkarsh Gupta wrote:
[..]
>
> > I could do a thorough review of your patches if you'd like?
>
> Sure, please do so.

Any news about this?

Regards, Daniel
Re: RFC: ruby-loofah 2.2.3-1+deb10u2
On Friday, 17.03.2023 at 04:58 +0530 Utkarsh Gupta wrote:
> On Thu, Mar 16, 2023 at 7:06 PM Utkarsh Gupta wrote:
> > Please hold off on the update for a while. I have something to add wrt
> > ruby-rails-html-sanitizer. I just haven't had the time to write it
> > down, I'll get back in another ~7h.
>
> In order to fix the CVEs of ruby-rails-html-sanitizer (also in
> dla-needed), we need to ensure that the newer methods that the library
> uses from newer loofah are backported. Some of these methods would've
> been backported by you already (as a part of fixing the CVEs in
> ruby-loofah) and there might be some remaining.

Well, in short, here is what has changed in loofah:

- CVE-2022-23514: just a programmatic change; shouldn't affect anybody
- CVE-2022-23515: data:svg+xml no longer allowed
- CVE-2022-23516: there is a behavioral change (see the thread) - that probably needs the most care

I'm not quite sure how much code duplication there actually is, or if the issues are fixed by fixing loofah. I would have looked myself, but I haven't been assigned any official hours yet :)

> I could do a thorough review of your patches if you'd like?

Sure, please do so.

> (let me
> know) and make sure that we have everything that we might need for
> ruby-rails-html-sanitizer, too. I also propose that we release the two
> around the same time (after
> smoke-testing, ensuring that the two work well with each other).

So far it still builds and tests successfully. Please let me know if you see any issues.

> I
> suppose everyone using rails-html-sanitizer should be using loofah,
> too, so it's important we fix both and test them well. :)

I agree. Please let me know of your results.

Regards, Daniel
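As an added illustration of the CVE-2022-23515 item in the list above (this is example code written for this page, not loofah's code and not something from the thread): a sanitizer that accepts data: URIs in src/href attributes has to decide which media types are safe to keep, and loofah's fix stops accepting image/svg+xml there, since an SVG document can carry script and event handlers of its own. The snippet models that allowlist check in plain Ruby, with the "before" list (svg+xml allowed) beside the "after" list, plus a small RFC 2397 data: URI parser so the media type is compared properly (case-insensitive, parameters such as ;charset= and ;base64 stripped). The list contents, function names and sample URIs are constructed for the illustration and are not loofah's constants.

```ruby
# Added example (not loofah's code): modelling the data: URI media-type
# allowlist that decides whether a src/href attribute value survives
# sanitization. The "before" list mirrors the thread's description
# (svg+xml allowed); the "after" list drops it, as loofah did for
# CVE-2022-23515. Both lists are constructed for this illustration.
require 'set'

DATA_MEDIATYPES_BEFORE = Set.new(
  %w[text/plain text/css image/png image/gif image/jpeg image/svg+xml]
).freeze
DATA_MEDIATYPES_AFTER = (DATA_MEDIATYPES_BEFORE - ['image/svg+xml']).freeze

# Split a data: URI into media type, base64 flag and payload.
# Grammar (RFC 2397): data:[<mediatype>][;base64],<data>
# Returns nil for anything that is not a syntactically valid data: URI.
def parse_data_uri(uri)
  m = /\Adata:([^,]*),(.*)\z/mi.match(uri.strip)
  return nil unless m
  header, payload = m[1], m[2]
  parts = header.split(';').map(&:strip)
  mediatype = parts.shift.to_s.downcase
  mediatype = 'text/plain' if mediatype.empty? # RFC 2397 default
  base64 = parts.map(&:downcase).include?('base64')
  { mediatype: mediatype, base64: base64, payload: payload }
end

# True if the data: URI's media type is on the allowlist.
# Unparseable input is rejected rather than passed through.
def data_uri_allowed?(uri, allowed = DATA_MEDIATYPES_AFTER)
  parsed = parse_data_uri(uri)
  return false if parsed.nil?
  allowed.include?(parsed[:mediatype])
end

# Drop src/href attributes whose data: URI is not allowed; other schemes
# and non-URI attributes are left alone (only the data: branch is modeled).
URI_ATTRIBUTES = %w[src href].freeze

def scrub_attributes(attrs, allowed = DATA_MEDIATYPES_AFTER)
  attrs.reject do |name, value|
    URI_ATTRIBUTES.include?(name.downcase) &&
      value.to_s.strip.downcase.start_with?('data:') &&
      !data_uri_allowed?(value, allowed)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed samples: a PNG and an SVG data: URI. The payload bytes do
  # not matter for the check; only the declared media type does.
  png = 'data:image/png;base64,iVBORw0KGgo='
  svg = 'data:image/svg+xml;base64,PHN2Zy8+'
  { 'before' => DATA_MEDIATYPES_BEFORE, 'after' => DATA_MEDIATYPES_AFTER }.each do |label, list|
    puts "#{label}: svg allowed? #{data_uri_allowed?(svg, list)}, png allowed? #{data_uri_allowed?(png, list)}"
  end
  p scrub_attributes({ 'src' => svg, 'alt' => 'logo' })
end
```

Running the file prints the before/after verdicts for both URIs and shows the SVG src attribute being dropped while the alt attribute is kept. When backporting the upstream change to the Debian package, a regression test of this shape (an SVG data: URI in an img src must not survive scrubbing, a PNG one must) is the check worth adding to the package's test suite.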
Re: RFC: ruby-loofah 2.2.3-1+deb10u2
Hi Daniel,

On Thu, Mar 16, 2023 at 7:06 PM Utkarsh Gupta wrote:
> Please hold off on the update for a while. I have something to add wrt
> ruby-rails-html-sanitizer. I just haven't had the time to write it
> down, I'll get back in another ~7h.

In order to fix the CVEs of ruby-rails-html-sanitizer (also in dla-needed), we need to ensure that the newer methods that the library uses from newer loofah are backported. Some of these methods would've been backported by you already (as a part of fixing the CVEs in ruby-loofah) and there might be some remaining.

I could do a thorough review of your patches if you'd like? (let me know) and make sure that we have everything that we might need for ruby-rails-html-sanitizer, too. I also propose that we release the two around the same time (after smoke-testing, ensuring that the two work well with each other). I suppose everyone using rails-html-sanitizer should be using loofah, too, so it's important we fix both and test them well. :)

- u
Re: RFC: ruby-loofah 2.2.3-1+deb10u2
Hi Daniel,

On Thu, Mar 16, 2023 at 3:01 AM Daniel Leidert wrote:
> I'll wait another day for feedback and then go ahead with the upload.

Please hold off on the update for a while. I have something to add wrt ruby-rails-html-sanitizer. I just haven't had the time to write it down, I'll get back in another ~7h.

- u
Re: RFC: ruby-loofah 2.2.3-1+deb10u2
On Wednesday, 15.03.2023 at 12:34 +0100 Emilio Pozuelo Monfort wrote:
[..]
> >
> > What do you think? I wonder if that is an acceptable change?
>
> Without looking in detail, my question would be:
>
> Is the output change likely to cause issues to loofah users? If not, then
> keep the patch.

I don't think it will cause issues. I rebuilt ruby-rails-html-sanitizer, the only package depending on ruby-loofah, and the test suite still runs without issues.

I'll wait another day for feedback and then go ahead with the upload.

Regards, Daniel
Re: RFC: ruby-loofah 2.2.3-1+deb10u2
Hi Daniel,

On 13/03/2023 23:18, Daniel Leidert wrote:
> Hi there,
>
> I prepared my first LTS update. You can find it here:
> https://salsa.debian.org/lts-team/packages/ruby-loofah
>
> When I ran some test cases to see if all the vulnerabilities are fixed, I
> discovered that there is a slight behavioral change: As part of the fix for
> CVE-2022-23516, loofah will no longer remove nested sections, but escape the
> tags instead. They also adjusted their tests for that.
>
> To demonstrate:
>
> This: