| Summary: | ruby-rack-ssl new security issue CVE-2014-2538 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | fundawang, mageia, pterjan, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/592806/ | ||
| Whiteboard: | MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok | ||
| Source RPM: | ruby-rack-ssl-1.3.3-3.mga4.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2014-04-02 19:08:59 CEST
David Walser
2014-04-02 19:09:13 CEST
CC: (none) => fundawang
1.4.0 submitted to cauldron, will prepare updates.
David Walser
2014-04-02 20:44:40 CEST
Version: Cauldron => 4
Crafted some patches based on upstream commits and submitted them to updates_testing:
ruby-rack-ssl-1.3.2-3.1.mga3.src.rpm
ruby-rack-ssl-1.3.2-3.1.mga3.noarch.rpm
ruby-rack-ssl-doc-1.3.2-3.1.mga3.noarch.rpm
ruby-rack-ssl-1.3.3-3.1.mga4.src.rpm
ruby-rack-ssl-1.3.3-3.1.mga4.noarch.rpm
ruby-rack-ssl-doc-1.3.3-3.1.mga4.noarch.rpm
No idea how to use/test it :(
Thanks Pascal!
All I know is it's required by redmine and mageia-maintainers-database.
As for the issue itself, the upstream commits added a test for it as well, but Pascal didn't include that in the patch, and our package doesn't run make check. The code for the test is:
```ruby
def test_invalid_uri_returns_400
  ssl = Rack::SSL.new(nil)
  resp = ssl.call('PATH_INFO' => "https://example.org/path/<script>")
  assert_equal 400, resp[0]
end
```
So I guess if you could get a ruby script to run that code, if it didn't throw an assertion error it should be good.
Advisory:
========================
Updated ruby-rack-ssl packages fix security vulnerabilities:
Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl
gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web
script or HTML via a URI, which might not be properly handled by third-party
adapters such as JRuby-Rack (CVE-2014-2538).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2538
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/130990.html
CC: (none) => pterjan
Yes, tests are not distributed...
It seems Fedora creates a rack-ssl-1.3.2-tests.tgz from git and includes it in the package.
```ruby
resp = ssl.call('PATH_INFO' => "https://example.org/path/<script>")
```
Doesn't seem to work at all, I'll try to come up with some code.
Old version:
```
$ ruby -ruri -rrack/ssl -e "p Rack::SSL.new(nil).call({'HTTP_HOST' => 'a', 'HTTP_X_FORWARDED_PROTO' => 'http', 'PATH_INFO' => '/path/<script>'})"
/usr/share/ruby/uri/common.rb:176:in `split': bad URI(is not URI?): http://a:0/path/<script> (URI::InvalidURIError)
        from /usr/share/ruby/uri/common.rb:211:in `parse'
        from /usr/share/ruby/uri/common.rb:747:in `parse'
        from /usr/share/ruby/uri/common.rb:996:in `URI'
        from /usr/share/ruby/gems/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:50:in `redirect_to_https'
        from /usr/share/ruby/gems/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:32:in `call'
        from -e:1:in `<main>'
```
With the update:
```
$ ruby -ruri -rrack/ssl -e "p Rack::SSL.new(nil).call({'HTTP_HOST' => 'a', 'HTTP_X_FORWARDED_PROTO' => 'http', 'PATH_INFO' => '/path/<script>'})"
[400, {"Content-Type"=>"text/plain"}, []]
```
1.4.1 in Cauldron however doesn't seem right, I'll look into it, but this is not a problem for the update:
```
$ ruby -ruri -rrack/ssl -e "p Rack::SSL.new(nil).call({'HTTP_HOST' => 'a', 'HTTP_X_FORWARDED_PROTO' => 'http', 'PATH_INFO' => '/path/<script>'})"
[307, {"Content-Type"=>"text/html", "Location"=>"https://a/path/<script>"}, []]
```
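The upstream test quoted earlier and the before/after one-liners in this comment exercise the same behaviour. As an added illustration that is not the rack-ssl source or anything posted in this bug, the stand-alone Ruby below models it with a hypothetical SslRedirector middleware and a constructed run_sample helper: a request path that URI() cannot parse yields a 400 response instead of an escaping URI::InvalidURIError.

```ruby
# Added illustration for this bug report, not the rack-ssl source: a minimal
# Rack-style middleware modelling the behaviour the update is tested for.
# The pre-update traceback shows URI() raising URI::InvalidURIError out of
# redirect_to_https; the fixed package answers 400, which a rescue models here.
require 'uri'

class SslRedirector
  def initialize(app)
    @app = app
  end

  # Rack entry point: pass secure requests through, redirect everything else.
  def call(env)
    return @app.call(env) if secure?(env)
    redirect_to_https(env)
  end

  private

  def secure?(env)
    env['HTTPS'] == 'on' || env['HTTP_X_FORWARDED_PROTO'] == 'https'
  end

  def redirect_to_https(env)
    host  = env['HTTP_HOST'] || env['SERVER_NAME']
    query = env['QUERY_STRING'].to_s
    raw   = "https://#{host}#{env['PATH_INFO']}"
    raw  += "?#{query}" unless query.empty?
    # '<' and '>' are not valid URI path characters, so URI() rejects them;
    # rather than letting the exception escape as a 500, answer a plain 400.
    location = URI(raw).to_s
    [307, { 'Content-Type' => 'text/html', 'Location' => location }, []]
  rescue URI::InvalidURIError
    [400, { 'Content-Type' => 'text/plain' }, []]
  end
end

# Constructed env mirroring the one-liner in this report (HTTP_HOST 'a',
# X-Forwarded-Proto http); the inner app is a stub that always answers 200.
def run_sample(path, proto = 'http')
  env = { 'HTTP_HOST' => 'a', 'HTTP_X_FORWARDED_PROTO' => proto, 'PATH_INFO' => path }
  SslRedirector.new(->(_env) { [200, {}, []] }).call(env)
end

p run_sample('/path/<script>')[0] # prints 400: unparsable path rejected
p run_sample('/path/ok')[0]       # prints 307: clean path is redirected
```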
Testing mga3 32
It gives the same output before and after the update.
Before
------
```
$ ruby -ruri -rrack/ssl -e "p Rack::SSL.new(nil).call({'HTTP_HOST' => 'a', 'HTTP_X_FORWARDED_PROTO' => 'http', 'PATH_INFO' => '/path/<script>'})"
/usr/share/ruby/uri/common.rb:176:in `split': bad URI(is not URI?): http://a:0/path/<script> (URI::InvalidURIError)
        from /usr/share/ruby/uri/common.rb:211:in `parse'
        from /usr/share/ruby/uri/common.rb:747:in `parse'
        from /usr/share/ruby/uri/common.rb:994:in `URI'
        from /home/claire/.gem/ruby/1.9.1/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:50:in `redirect_to_https'
        from /home/claire/.gem/ruby/1.9.1/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:32:in `call'
        from -e:1:in `<main>'
```
After
-----
```
$ ruby -ruri -rrack/ssl -e "p Rack::SSL.new(nil).call({'HTTP_HOST' => 'a', 'HTTP_X_FORWARDED_PROTO' => 'http', 'PATH_INFO' => '/path/<script>'})"
/usr/share/ruby/uri/common.rb:176:in `split': bad URI(is not URI?): http://a:0/path/<script> (URI::InvalidURIError)
        from /usr/share/ruby/uri/common.rb:211:in `parse'
        from /usr/share/ruby/uri/common.rb:747:in `parse'
        from /usr/share/ruby/uri/common.rb:994:in `URI'
        from /home/claire/.gem/ruby/1.9.1/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:50:in `redirect_to_https'
        from /home/claire/.gem/ruby/1.9.1/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:32:in `call'
        from -e:1:in `<main>'
```
Hmm, I only tested installing the update for 4 on a cauldron and it was fine :( I'll try tonight to install a 3 chroot or VM, but my internet is quite slow, so not sure I will be able to do it today.
Testing complete mga4 64
Seems OK, at least it matches your output in comment 5.
Before
------
```
$ ruby -ruri -rrack/ssl -e "p Rack::SSL.new(nil).call({'HTTP_HOST' => 'a', 'HTTP_X_FORWARDED_PROTO' => 'http', 'PATH_INFO' => '/path/<script>'})"
/usr/share/ruby/uri/common.rb:176:in `split': bad URI(is not URI?): http://a:0/path/<script> (URI::InvalidURIError)
        from /usr/share/ruby/uri/common.rb:211:in `parse'
        from /usr/share/ruby/uri/common.rb:747:in `parse'
        from /usr/share/ruby/uri/common.rb:994:in `URI'
        from /usr/share/ruby/gems/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:50:in `redirect_to_https'
        from /usr/share/ruby/gems/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:32:in `call'
        from -e:1:in `<main>'
```
After
-----
```
$ ruby -ruri -rrack/ssl -e "p Rack::SSL.new(nil).call({'HTTP_HOST' => 'a', 'HTTP_X_FORWARDED_PROTO' => 'http', 'PATH_INFO' => '/path/<script>'})"
[400, {"Content-Type"=>"text/plain"}, []]
```
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
Testing complete mga4 32
So just mga3 is showing issues.
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok
Testing complete mga3 64 & mga3 32
Found the problem on mga3 32. It was looking in ~/.gem rather than /usr/share/ruby so I deleted ~/.gem and it worked ok. Maybe some leftover ruby stuff from previous testing.
Before
------
```
$ ruby -ruri -rrack/ssl -e "p Rack::SSL.new(nil).call({'HTTP_HOST' => 'a', 'HTTP_X_FORWARDED_PROTO' => 'http', 'PATH_INFO' => '/path/<script>'})"
/usr/share/ruby/uri/common.rb:176:in `split': bad URI(is not URI?): http://a:0/path/<script> (URI::InvalidURIError)
        from /usr/share/ruby/uri/common.rb:211:in `parse'
        from /usr/share/ruby/uri/common.rb:747:in `parse'
        from /usr/share/ruby/uri/common.rb:994:in `URI'
        from /usr/share/ruby/gems/gems/rack-ssl-1.3.2/lib/rack/ssl.rb:50:in `redirect_to_https'
        from /usr/share/ruby/gems/gems/rack-ssl-1.3.2/lib/rack/ssl.rb:32:in `call'
        from -e:1:in `<main>'
```
After
-----
```
$ ruby -ruri -rrack/ssl -e "p Rack::SSL.new(nil).call({'HTTP_HOST' => 'a', 'HTTP_X_FORWARDED_PROTO' => 'http', 'PATH_INFO' => '/path/<script>'})"
[400, {"Content-Type"=>"text/plain"}, []]
```
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Thanks for the procedure, Pascal. Advisory uploaded. Validating.
Could sysadmin please push to 3 & 4 updates. Thanks
Keywords: (none) => validated_update
http://advisories.mageia.org/MGASA-2014-0156.html
Status: NEW => RESOLVED