[SECURITY] [DLA 3565-1] ruby-loofah security update

Published : 2023-09-13 15:09:07
Source    : lists.debian.org
CVEs      : CVE-2022-23514, CVE-2022-23515, CVE-2022-23516
Tags      : ruby-loofah, cross-site scripting, HTML/XML transformation, denial-of-service, Debian LTS, security update, Debian 10

CVSS3 score : 7.5 High
Attack Vector          : NETWORK
Attack Complexity      : LOW
Privileges Required    : NONE
User Interaction       : NONE
Scope                  : UNCHANGED
Confidentiality Impact : NONE
Integrity Impact       : NONE
Availability Impact    : HIGH
Vector string          : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score : 7.9 High (Confidence: High)
EPSS     : 0.001 Low (Percentile: 50.9%)


Debian LTS Advisory DLA-3565-1                [email protected]
https://www.debian.org/lts/security/          Sylvain Beucler
September 13, 2023                            https://wiki.debian.org/LTS


Package : ruby-loofah
Version : 2.2.3-1+deb10u2
CVE ID : CVE-2022-23514 CVE-2022-23515 CVE-2022-23516
Debian Bug : 1026083

Multiple vulnerabilities were discovered in Loofah, a Ruby library for
HTML/XML transformation and sanitization. An attacker could launch
cross-site scripting (XSS) and denial-of-service (DoS) attacks through
crafted HTML/XML documents.

CVE-2022-23514

Inefficient regular expression that is susceptible to excessive
backtracking when attempting to sanitize certain SVG
attributes. This may lead to a denial of service through CPU
resource consumption.

CVE-2022-23515

Cross-site scripting via the image/svg+xml media type in data
URIs.

CVE-2022-23516

Loofah uses recursion for sanitizing CDATA sections, making it
susceptible to stack exhaustion and raising a SystemStackError
exception. This may lead to a denial of service through CPU
resource consumption.

For Debian 10 buster, these problems have been fixed in version
2.2.3-1+deb10u2.

We recommend that you upgrade your ruby-loofah packages.

For the detailed security status of ruby-loofah please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-loofah

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OS      Version  Architecture  Package      Version            Filename
Debian  10       all           ruby-loofah  < 2.2.3-1+deb10u2  ruby-loofah_2.2.3-1+deb10u2_all.deb
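The table above states the fixed Debian 10 version; the following added example (not Debian's or Loofah's own code) reimplements dpkg's version-ordering rules in Ruby so that an inventory of installed ruby-loofah versions can be screened offline against 2.2.3-1+deb10u2. It assumes the reimplementation matches dpkg's semantics; on a live host the authoritative check is `dpkg --compare-versions`.

```ruby
# Offline check: is an installed ruby-loofah version below the DLA-3565-1 fix?
# Reimplements dpkg's version ordering (assumption: matches dpkg; on a host use
# `dpkg --compare-versions`). Added example, not Debian's or Loofah's own code.
FIXED_VERSION = "2.2.3-1+deb10u2" # fixed version stated in the advisory
def digit?(c); !c.nil? && c.between?("0", "9"); end

# dpkg character order: '~' sorts before everything (even end of string),
# letters before non-letters, end of string before any other character.
def char_order(c)
  return 0 if c.nil? || digit?(c)
  return c.ord if c.match?(/[A-Za-z]/)
  c == "~" ? -1 : c.ord + 256
end

# Compare upstream or revision strings as alternating non-digit/numeric runs.
def verrevcmp(a, b)
  i = j = 0
  while i < a.size || j < b.size
    first_diff = 0
    while (i < a.size && !digit?(a[i])) || (j < b.size && !digit?(b[j]))
      ac, bc = char_order(a[i]), char_order(b[j])
      return ac - bc if ac != bc
      i += 1; j += 1
    end
    i += 1 while a[i] == "0" # leading zeros are insignificant
    j += 1 while b[j] == "0"
    while digit?(a[i]) && digit?(b[j])
      first_diff = a[i].ord - b[j].ord if first_diff.zero?
      i += 1; j += 1
    end
    return 1 if digit?(a[i]) # the longer numeric run is larger
    return -1 if digit?(b[j])
    return first_diff unless first_diff.zero?
  end
  0
end

# Split "[epoch:]upstream[-revision]"; the revision follows the last '-'.
def parse_version(v)
  epoch, rest = v.include?(":") ? v.split(":", 2) : ["0", v]
  cut = rest.rindex("-")
  [epoch.to_i, cut ? rest[0...cut] : rest, cut ? rest[cut + 1..] : ""]
end
def dpkg_compare(a, b)
  (ea, ua, ra), (eb, ub, rb) = parse_version(a), parse_version(b)
  r = ea != eb ? ea - eb : verrevcmp(ua, ub)
  (r.zero? ? verrevcmp(ra, rb) : r) <=> 0
end
def affected?(installed, fixed = FIXED_VERSION)
  dpkg_compare(installed, fixed) < 0
end
```

Versions carrying a `~` suffix (backports, pre-releases) sort below the plain version, so `affected?("2.2.3-1~bpo10+1")` is reported as vulnerable, which is the behaviour dpkg itself shows.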
