| Summary: | ruby-rack new security issue CVE-2020-8184 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, pterjan, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | ruby-rack-2.2.2-1.mga8.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser
2020-07-14 22:24:27 CEST

David Walser
2020-07-14 22:24:45 CEST

Status comment: (none) => Fixed upstream in 2.2.3

2.2.3 uploaded to cauldron and 2.0.8-2 uploaded to 7 updates_testing
Here is the test to verify the fix:
Vulnerable:
$ ruby -r rack -e 'p Rack::Utils.parse_cookies(Rack::MockRequest.env_for("", "HTTP_COOKIE" => "%66oo=baz;foo=bar"))'
{"foo"=>"baz"}
Fixed:
$ ruby -r rack -e 'p Rack::Utils.parse_cookies(Rack::MockRequest.env_for("", "HTTP_COOKIE" => "%66oo=baz;foo=bar"))'
{"%66oo"=>"baz", "foo"=>"bar"}
Advisory:
========================

Updated ruby-rack packages fix security vulnerability:

A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3 that makes it possible for an attacker to forge a secure or host-only cookie prefix (CVE-2020-8184).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8184
https://www.debian.org/lts/security/2020/dla-2275
========================

Updated packages in core/updates_testing:
========================
ruby-rack-2.0.8-2.mga7
ruby-rack-doc-2.0.8-2.mga7

from ruby-rack-2.0.8-2.mga7.src.rpm

Assignee: pterjan => qa-bugs

mga7, x86_64
CVE-2020-8184
The suggested PoC at HackerOne is concerned with manipulating cookies for devious ends, but as I have no experience of web development or anything like RubyOnRails I shall give this a miss and use Pascal's one-liner only.
$ ruby -r rack -e 'p Rack::Utils.parse_cookies(Rack::MockRequest.env_for("", "HTTP_COOKIE" => "%66oo=baz;foo=bar"))'
{"foo"=>"baz"}
After update:
$ ruby -r rack -e 'p Rack::Utils.parse_cookies(Rack::MockRequest.env_for("", "HTTP_COOKIE" => "%66oo=baz;foo=bar"))'
{"%66oo"=>"baz", "foo"=>"bar"}
Testing this in the most basic way - hello world again.
See https://rack.github.io/
$ cat lambda.rb
require "rack"
require "thin"
app = ->( env ) { [ 200, {"Content-Type" => "text/plain"}, ["Hello World"] ] }
Rack::Handler::Thin.run app
$ ruby lambda.rb
Thin web server (v1.7.2 codename Bachmanity)
Maximum connections set to 1024
Listening on localhost:8080, CTRL+C to stop
<The browser shows "Hello World" at localhost:8080.>
^CStopping ...
To put it another way:
$ cat rackapp.rb
require 'rack'
app = ->( env ){
['200', {'Content-Type' => 'text/html'}, ['A barebones rack app.']]
}
Rack::Handler::WEBrick.run app
$ ruby rackapp.rb
[2020-07-15 18:07:07] INFO WEBrick 1.4.2
[2020-07-15 18:07:07] INFO ruby 2.5.8 (2020-03-31) [x86_64-linux]
[2020-07-15 18:07:07] INFO WEBrick::HTTPServer#start: pid=30456 port=8080
127.0.0.1 - - [15/Jul/2020:18:07:23 BST] "GET / HTTP/1.1" 200 21
- -> /
<"A barebones rack app" duly appears at localhost:8080>
This one is OK.

CC: (none) => tarazed25

Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
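A self-contained model of the two behaviours the one-liner test above exercises, added here as an example (not Rack's own code): the pre-2.2.3 path percent-decodes cookie names, while the 2.2.3 path keeps the name exactly as sent, which is what stops an encoded name from being folded into a literal `__Host-`/`__Secure-` cookie. The `forged_prefix?` check is a hypothetical defensive helper; only Ruby's standard `uri` library is assumed.

```ruby
require "uri"

# Simplified model of Rack's cookie-header parsing (not Rack's own code).
# decode_names: true  mimics rack < 2.2.3, which percent-decoded the NAME too;
# decode_names: false mimics the 2.2.3 fix, which keeps the name exactly as sent.
# Either way the first value seen for a name wins, as in Rack.
def unescape(s)
  URI.decode_www_form_component(s)
rescue ArgumentError
  s # malformed %-sequence: keep the raw text, as Rack does
end

def parse_cookie_header(header, decode_names:)
  cookies = {}
  header.to_s.split(/;\s*/).each do |pair|
    next if pair.empty?
    name, value = pair.split("=", 2)
    name = unescape(name) if decode_names
    cookies[name] = unescape(value.to_s) unless cookies.key?(name)
  end
  cookies
end

# Hypothetical defensive check for logs or middleware: a browser applies the
# __Host-/__Secure- rules only to names that literally carry the prefix, so a
# raw name that gains the prefix only after decoding escaped those rules yet
# was merged into the genuine cookie by the old parser (CVE-2020-8184).
COOKIE_PREFIXES = ["__Host-", "__Secure-"].freeze

def forged_prefix?(raw_name)
  return false if COOKIE_PREFIXES.any? { |p| raw_name.start_with?(p) }
  decoded = unescape(raw_name)
  COOKIE_PREFIXES.any? { |p| decoded.start_with?(p) }
end

def forged_prefix_names(header)
  parse_cookie_header(header, decode_names: false).keys.select { |n| forged_prefix?(n) }
end

# Constructed header: the page's own test vector.
HEADER = "%66oo=baz;foo=bar"

if __FILE__ == $PROGRAM_NAME
  p parse_cookie_header(HEADER, decode_names: true)   # {"foo"=>"baz"}
  p parse_cookie_header(HEADER, decode_names: false)  # {"%66oo"=>"baz", "foo"=>"bar"}
end
```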
Dave Hodgins
2020-07-31 10:47:40 CEST

CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0306.html

Resolution: (none) => FIXED