| Summary: | ruby-rack new security issues CVE-2018-16471 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | lewyssmith, pterjan, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | ruby-rack-1.6.4-3.mga6.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | HelloWorld application for ruby-rack | ||
|
Description
David Walser
2018-11-07 11:08:00 CET
An advisory has been issued on November 5:
https://www.openwall.com/lists/oss-security/2018/11/05/2

The issue is fixed upstream in 2.0.6 and 1.6.11.

Mageia 6 is also affected (by only this issue).

Whiteboard: (none) => MGA6TOO

Cauldron was updated yesterday.

Indeed it was.

Source RPM: ruby-rack-2.0.5-2.mga7.src.rpm => ruby-rack-1.6.4-3.mga6.src.rpm

I have uploaded 1.6.11 to 6/core/updates_testing; compared to the 1.6.4 we had, it has several bugfix releases.

Also, I only did minimal testing:
$ cat c.ru
run Proc.new { |env| ['200', {'Content-Type' => 'text/plain'}, ["Foo\n"]] }
$ rackup c.ru &
[1] 20283
[2018-11-11 17:40:18] INFO WEBrick 1.4.2
[2018-11-11 17:40:18] INFO ruby 2.5.3 (2018-10-18) [x86_64-linux]
[2018-11-11 17:40:18] INFO WEBrick::HTTPServer#start: pid=20283 port=9292
$ GET http://127.0.0.1:9292/
127.0.0.1 - - [11/Nov/2018:17:40:33 +0000] "GET / HTTP/1.1" 200 - 0.0004
Foo
$ fg
rackup c.ru
^C[2018-11-11 17:40:37] INFO going to shutdown ...
[2018-11-11 17:40:37] INFO WEBrick::HTTPServer#start done.
Advisory:
========================

Updated ruby-rack packages fix security vulnerability:

There is a possible XSS vulnerability in Rack. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to "http" or "https" and do not escape the return value could be vulnerable to an XSS attack (CVE-2018-16471).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16471
https://www.openwall.com/lists/oss-security/2018/11/05/2
========================

Updated packages in core/updates_testing:
========================
ruby-rack-1.6.11-1.mga6
ruby-rack-doc-1.6.11-1.mga6

from ruby-rack-1.6.11-1.mga6.src.rpm

CC: (none) => pterjan

Mageia 6, x86_64

No exploit posted.

Ran Pascal's tests, which echo the examples at https://rack.github.io/
More information at https://thoughtbot.com/upcase/videos/rack.

Install ruby-rdoc (if it is not there already).

Copied the middleware logging example and ran it after installing the 'thin' gem. Don't know how or if it is bundled with Mageia ruby, so went for the gem.
$ sudo gem install thin

Updated ruby rack from testing.

$ cat rackapp.rb
require 'rack'
app = Proc.new do |env|
  ['200', {'Content-Type' => 'text/html'}, ['A barebones rack app.']]
end
Rack::Handler::WEBrick.run app

Ran the script:
$ rackup rackapp.rb
[2018-11-12 20:17:48] INFO WEBrick 1.3.1
[2018-11-12 20:17:48] INFO ruby 2.2.10 (2018-03-28) [x86_64-linux]
[2018-11-12 20:17:48] INFO WEBrick::HTTPServer#start: pid=22925 port=8080
localhost - - [12/Nov/2018:20:18:15 GMT] "GET / HTTP/1.1" 200 21

Pointed the browser at localhost:8080/ and saw "A barebones rack app." on a clean page.

Also tried the other example:
$ cat config.ru
run Proc.new { |env| ['200', {'Content-Type' => 'text/html'}, ["get rack\'d\n"]] }
$ rackup config.ru
Thin web server (v1.7.2 codename Bachmanity)
Maximum connections set to 1024
Listening on localhost:9292, CTRL+C to stop

In another terminal:
$ GET http://127.0.0.1:9292/
get rack'd

Ran the attached script.
$ ruby logging.rb
Thin web server (v1.7.2 codename Bachmanity)
Maximum connections set to 1024
Listening on localhost:8080, CTRL+C to stop

Typed localhost:8080/ in the browser address bar and saw the message: Hello World App took 3 seconds.

Hey, it can do HelloWorld! Must be OK.

Whiteboard: (none) => MGA6-64-OK

Created attachment 10469
HelloWorld application for ruby-rack
Open a browser at localhost:8080/ after running it.
Advisory from comment 6. Validating also.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0449.html

Status: NEW => RESOLVED

Ubuntu advisory from August 7, for reference:
https://usn.ubuntu.com/4089-1/
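The `Rack::Request#scheme` problem the advisory above describes, as an added example that is not from this bug report or from Rack's own code: `raw_scheme` approximates how the scheme was derived from forwarding headers before the 1.6.11 / 2.0.6 fix (an assumption, not Rack's implementation), and the hardened path restricts the value to http/https and HTML-escapes what it renders. The env hash, host name and header value are constructed; a Rack env is a plain Hash, so no gem is needed to run it.

```ruby
require 'cgi'

# Constructed example: a Rack env is a plain Hash, so the rack gem is not needed.
# raw_scheme approximates how Rack::Request#scheme picked the scheme before the
# 1.6.11 / 2.0.6 fix, trusting forwarding headers verbatim (assumption, not Rack code).
SCHEME_HEADERS = %w[HTTP_X_FORWARDED_SCHEME HTTP_X_FORWARDED_PROTO].freeze
ALLOWED_SCHEMES = %w[http https].freeze

def raw_scheme(env)
  return 'https' if env['HTTPS'] == 'on' || env['HTTP_X_FORWARDED_SSL'] == 'on'
  SCHEME_HEADERS.each do |name|
    value = env[name].to_s.split(',').first.to_s.strip
    return value unless value.empty?
  end
  env['rack.url_scheme']
end

# Hardened: accept only allowlisted values; otherwise fall back to the scheme
# the server itself established, rather than anything a client header supplied.
def safe_scheme(env)
  scheme = raw_scheme(env)
  ALLOWED_SCHEMES.include?(scheme) ? scheme : env['rack.url_scheme']
end

# The vulnerable pattern the advisory describes: the scheme goes into HTML unescaped.
def vulnerable_body(env)
  "<a href=\"#{raw_scheme(env)}://#{env['HTTP_HOST']}/\">home</a>"
end

# Hardened pattern: allowlisted scheme plus HTML escaping of every dynamic value.
def hardened_body(env)
  url = "#{safe_scheme(env)}://#{env['HTTP_HOST']}/"
  "<a href=\"#{CGI.escapeHTML(url)}\">home</a>"
end

# Constructed request: a proxy-style header carrying markup instead of a scheme.
CRAFTED_ENV = {
  'rack.url_scheme' => 'http',
  'HTTP_HOST' => 'example.test',
  'HTTP_X_FORWARDED_PROTO' => '"><b>injected</b>'
}.freeze

if __FILE__ == $0
  puts vulnerable_body(CRAFTED_ENV) # markup from the header lands in the page
  puts hardened_body(CRAFTED_ENV)   # <a href="http://example.test/">home</a>
end
```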