[Bug 200979] security/vuxml: document devel/rubygem-paperclip security announcement on spoofing issue

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sat Jun 20 01:16:57 UTC 2015


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200979

            Bug ID: 200979
           Summary: security/vuxml: document devel/rubygem-paperclip
                    security announcement on spoofing issue
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs at FreeBSD.org
          Reporter: jason.unovitch at gmail.com
                CC: ports-secteam at FreeBSD.org, ruby at FreeBSD.org

Created attachment 157891
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=157891&action=edit
Document devel/rubygem-paperclip security advisory

JVN.jp documents this as CVE-2015-2963

Source: https://robots.thoughtbot.com/paperclip-security-release
"We just released paperclip v4.2.2. This contains only a security patch over
v4.2.1, and everyone is encouraged to upgrade. The commit message explains the
problem and fix:

There is an issue where if an HTML file is uploaded with a .html extension, but
the content type is listed as being image/jpeg, this will bypass a validation
checking for images. But it will also pass the spoof check, because a file
named .html and containing actual HTML passes the spoof check.

This change makes it so that we also check the supplied content type. So even
if the file contains HTML and ends with .html, it doesn’t match the content
type of image/jpeg and so it fails.

This vulnerability was assigned JVN #83881261.

paperclip is a Rubygem that lets you attach files to ActiveRecord models.

Thanks to Jon Yurek and Mike Burns for their work on this, and special thanks
to MORI Shingo of DeNA Co., Ltd. for reporting the vulnerability."


Validation:
# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh
"/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml"
> "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py
/usr/ports/security/vuxml/vuln.xml

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit rubygem-paperclip-4.2.1
rubygem-paperclip-4.2.1 is vulnerable:
rubygem-paperclip -- Fix a possible security issue with spoofing
CVE: CVE-2015-2963
WWW:
https://vuxml.FreeBSD.org/freebsd/0f154810-16e4-11e5-a1cf-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit rubygem-paperclip-4.2.2
0 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit rubygem-paperclip-4.3.0
0 problem(s) in the installed packages found.

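The bypass described in the quoted commit message, modelled in Ruby as an added example for this note; this is simplified logic, not paperclip's own MediaTypeSpoofDetector, and the extension table, the magic-byte sniffing and the function names are assumptions made here:

```ruby
# Simplified model of Paperclip-style spoof detection (constructed for this
# note, not the gem's own code). Three signals per upload: the type implied by
# the filename extension, the type sniffed from the bytes, and the supplied
# Content-Type. Before 4.2.2 only the first two were compared.

# Assumed extension table (the real gem consults the mime-types database).
EXTENSION_TYPES = {
  '.jpg' => ['image/jpeg'], '.jpeg' => ['image/jpeg'],
  '.png' => ['image/png'],  '.html' => ['text/html'],
}.freeze

# Minimal stand-in for `file --mime`: magic bytes / HTML markers only.
def sniff_media_type(bytes)
  return 'image/jpeg' if bytes.start_with?("\xFF\xD8\xFF".b)
  return 'image/png'  if bytes.start_with?("\x89PNG\r\n\x1A\n".b)
  return 'text/html'  if bytes =~ /\A\s*(?:<!doctype html|<html|<script)/i
  'application/octet-stream'
end

def types_from_name(filename)
  EXTENSION_TYPES.fetch(File.extname(filename).downcase, [])
end

# Pre-4.2.2: spoofed only when the sniffed type disagrees with the extension,
# so "page.html" holding real HTML is considered honest whatever was supplied.
def spoofed_before_fix?(filename, _supplied_type, bytes)
  !types_from_name(filename).include?(sniff_media_type(bytes))
end

# 4.2.2: a supplied Content-Type that does not fit the extension is also spoofing.
def spoofed_after_fix?(filename, supplied_type, bytes)
  expected = types_from_name(filename)
  sniffed_mismatch  = !expected.include?(sniff_media_type(bytes))
  supplied_mismatch = !supplied_type.to_s.empty? && !expected.include?(supplied_type)
  sniffed_mismatch || supplied_mismatch
end

# An "images only" content-type validation, as in the report, trusts the
# supplied Content-Type; the spoof check is what has to catch the mismatch.
def accept_image_upload?(filename, supplied_type, bytes, fixed:)
  return false unless supplied_type.start_with?('image/')
  spoofed = fixed ? spoofed_after_fix?(filename, supplied_type, bytes) :
                    spoofed_before_fix?(filename, supplied_type, bytes)
  !spoofed
end

# Constructed sample: HTML file, .html name, Content-Type claimed as image/jpeg.
HTML_AS_JPEG = ['page.html', 'image/jpeg', "<html><body>hello</body></html>".b].freeze
```

With the sample above, `accept_image_upload?(*HTML_AS_JPEG, fixed: false)` returns true and `fixed: true` returns false, which is the behaviour change the advisory describes.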