darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.

This update fixes one security issue in multiple rubygem packages for Red Hat OpenShift Enterprise 1.1.3.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks.

It was found that documentation created by RDoc was vulnerable to a cross-site scripting (XSS) attack. If such documentation was accessible over a network, and a remote attacker could trick a user into visiting a specially crafted URL, it would lead to arbitrary web script execution in the context of the user's session. As RDoc is used for creating documentation for Ruby source files (such as classes, modules, and so on), it is not a common scenario to make such documentation accessible over the network. (CVE-2013-0256)

This update provides a number of updated rubygem packages that have had their documentation regenerated with a corrected version of RDoc.

Red Hat would like to thank Eric Hodel of RDoc upstream for reporting this issue. Upstream acknowledges Evgeny Ermakov as the original reporter.

Users of Red Hat OpenShift Enterprise 1.1.3 are advised to upgrade to these updated packages, which correct this issue.

Updated ruby193-ruby, rubygem-json and rubygem-rdoc packages that fix two security issues are now available for Red Hat OpenShift Enterprise 1.1.3.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks.

A flaw in rubygem-json and ruby193-rubygem-json allowed remote attacks by creating different types of malicious objects. For example, it could initiate a denial of service attack through resource consumption by using a JSON document to create arbitrary Ruby symbols, which were never garbage collected. It could also be exploited to create internal objects which could allow a SQL injection attack. (CVE-2013-0269)

It was found that documentation created by rubygem-rdoc and ruby193-rubygem-rdoc was vulnerable to a cross-site scripting (XSS) attack. If such documentation was accessible over a network, and a remote attacker could trick a user into visiting a specially crafted URL, it would lead to arbitrary web script execution in the context of the user's session. As rubygem-rdoc and ruby193-rubygem-rdoc are used for creating documentation for Ruby source files (such as classes, modules, and so on), it is not a common scenario to make such documentation accessible over the network. (CVE-2013-0256)

Red Hat would like to thank Ruby on Rails upstream for reporting CVE-2013-0269, and Eric Hodel of RDoc upstream for reporting CVE-2013-0256. Upstream acknowledges Thomas Hollstegge of Zweitag and Ben Murphy as the original reporters of CVE-2013-0269, and Evgeny Ermakov as the original reporter of CVE-2013-0256.

Users of Red Hat OpenShift Enterprise 1.1.3 are advised to upgrade to these updated packages, which correct these issues.

CVE-2011-0188 The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an 'integer truncation issue.'

CVE-2011-2705 use upstream SVN r32050 to modify PRNG state to prevent random number sequence repeatation at forked child process which has same pid. Reported by Eric Wong.

CVE-2012-4522 The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected names via a NUL byte in a file path.

CVE-2013-0256 darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.

CVE-2013-2065 (1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent attackers to bypass intended $SAFE level restrictions.

CVE-2015-1855 OpenSSL extension hostname matching implementation violates RFC 6125

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ruby19 was updated to fix various bugs and security issues: Update to 1.9.3 p385 (bnc#802406)

  - XSS exploit of RDoc documentation generated by rdoc     (CVE-2013-0256)

  - for other changes see     /usr/share/doc/packages/ruby19/Changelog

Update to 1.9.3 p327 (bnc#789983)

  - CVE-2012-5371 and plenty of other fixes

Update to 1.9.3 p286 (bnc#783511, bnc#791199)

  - This release includes some security fixes, and many     other bug fixes. $SAFE escaping vulnerability about     Exception#to_s / NameError#to_s (CVE-2012-4464,     CVE-2012-4466)

  - Unintentional file creation caused by inserting an     illegal NUL character many other bug fixes.
    (CVE-2012-4522) Also following bugfixes and packaging     fixes were done :

  - make sure the rdoc output is more stable for     build-compare (new patch ruby-sort-rdoc-output.patch)

  - readd the private header *atomic.h

  - remove build depencency on ca certificates - only     causing cycles

  - one more header needed for rubygem-ruby-debug-base19

  - install vm_core.h and its dependencies as     ruby-devel-extra

  - move the provides to the ruby package instead

  - add provides for the internal gems

  - restore the old ruby macros and the gem wrapper script

  - gem_install_wrapper no longer necessary

rubgem rdoc was updated to fix a security issue :

CVE-2013-0256: rubygem-rdoc: XSS exploit of RDoc documentation generated by rdoc

  - Ensured that rd parser files are generated before     checking the manifest.

Patch cross site scripting vulnerability CVE-2013-0256 (rhbz#908358).

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jean-Philippe Aumasson discovered that Ruby incorrectly generated predictable hash values. An attacker could use this issue to generate hash collisions and cause a denial of service. (CVE-2012-5371)

Evgeny Ermakov discovered that documentation generated by rdoc is vulnerable to a cross-site scripting issue. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain.
(CVE-2013-0256)

Thomas Hollstegge and Ben Murphy discovered that the JSON implementation in Ruby incorrectly handled certain crafted documents.
An attacker could use this issue to cause a denial of service or bypass certain protection mechanisms. (CVE-2013-0269).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ruby developers report :

RDoc documentation generated by rdoc bundled with ruby are vulnerable to an XSS exploit. All ruby users are recommended to update ruby to newer version which includes security-fixed RDoc. If you are publishing RDoc documentation generated by rdoc, you are recommended to apply a patch for the documentaion or re-generate it with security-fixed RDoc.

ID	Name	Product	Family	Severity
119438	RHEL 6 : rubygem packages (RHSA-2013:0728)	Nessus	Red Hat Local Security Checks	medium
119437	RHEL 6 : ruby193-ruby, rubygem-json and rubygem-rdoc (RHSA-2013:0701)	Nessus	Red Hat Local Security Checks	high
83907	Debian DLA-235-1 : ruby1.9.1 security update	Nessus	Debian Local Security Checks	medium
74909	openSUSE Security Update : ruby19 (openSUSE-SU-2013:0376-1)	Nessus	SuSE Local Security Checks	medium
74894	openSUSE Security Update : rubygem-rdoc (openSUSE-SU-2013:0303-1)	Nessus	SuSE Local Security Checks	medium
66338	Fedora 17 : rubygem-rdoc-3.12-5.fc17 (2013-2143)	Nessus	Fedora Local Security Checks	medium
66337	Fedora 18 : rubygem-rdoc-3.12-6.fc18 (2013-2131)	Nessus	Fedora Local Security Checks	medium
64799	Ubuntu 12.04 LTS / 12.10 : ruby1.9.1 vulnerabilities (USN-1733-1)	Nessus	Ubuntu Local Security Checks	high
64646	FreeBSD : Ruby -- XSS exploit of RDoc documentation generated by rdoc (d3e96508-056b-4259-88ad-50dc8d1978a6)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2013-0256

medium

Tenable Plugins

medium

high

medium

medium

medium

medium

medium

high

medium