| Summary: | ruby-addressable new security issue CVE-2021-32740 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, pterjan, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | ruby-addressable-2.7.0-1.mga8.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser 2021-08-28 17:20:57 CEST

David Walser 2021-08-28 17:21:08 CEST
Status comment: (none) => Fixed upstream in 2.8.0

Severity is probably not Major (this may be a problem for someone using it in an unusual and unsafe way), but I'll prepare an update.

Severity is based on Red Hat's rating. Upstream actually rated it as even higher severity.

Submitted and verified for cauldron based on the included test:

Before:
```
$ time ruby -raddressable/template -e 'Addressable::Template::VARNAME.match("0"*28 + "!")'
real 0m16.052s
user 0m16.041s
sys 0m0.010s
```
After:
```
$ time ruby -raddressable/template -e 'Addressable::Template::VARNAME.match("0"*28 + "!")'
real 0m0.072s
user 0m0.052s
sys 0m0.020s
```

Submitting 2.7.0-1.1.mga8 for Mageia 8
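A standalone regression check for this class of ReDoS, added here as an example and not taken from the bug report or the addressable gem: the two regex sources are modelled on the nested-quantifier shape of the VARNAME pattern (an assumption; verify against the gem source), the pathological input follows the timing test above, and the deadline wrapper shows how to bound matching on untrusted template text.

```ruby
require "timeout"

# One template variable character: letter, digit, underscore or a %XX escape.
VARCHAR = "(?:[A-Za-z0-9_]|%[a-fA-F0-9]{2})"

# Nested quantifier X+(\.?X+)*, the assumed 2.7.0 shape: a run of n varchars
# can be split between the inner + and the outer * in 2^(n-1) ways, so a
# trailing "!" makes a backtracking engine try them all before failing.
# (Ruby 3.2+ memoizes such matches, so reproduce on an older Ruby.)
VULNERABLE_VARNAME = /^#{VARCHAR}+(?:\.?#{VARCHAR}+)*$/

# Same language, but one varchar per loop step: unambiguous, so linear.
SAFE_VARNAME = /^#{VARCHAR}(?:\.?#{VARCHAR})*$/

# Constructed pathological input, same shape as the bug's timing test.
def pathological(n)
  ("0" * n) + "!"
end

# Regression check before swapping patterns: both must accept and reject
# the same sample inputs.
def same_language?(a, b, samples)
  samples.all? { |s| !!a.match(s) == !!b.match(s) }
end

# Wall-clock seconds for one match attempt.
def match_seconds(re, str)
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  re.match(str)
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0
end

# Mitigation for regexes applied to untrusted text: bound the match time.
# Returns MatchData, nil on no match, or :timeout when the deadline passes.
def match_with_deadline(re, str, seconds)
  Timeout.timeout(seconds) { re.match(str) }
rescue Timeout::Error
  :timeout
end

if __FILE__ == $PROGRAM_NAME
  samples = %w[foo foo.bar a%2Fb foo..bar .foo 0!]
  puts "same language on samples: #{same_language?(VULNERABLE_VARNAME, SAFE_VARNAME, samples)}"
  [16, 20, 22].each do |n|
    printf("n=%d vulnerable=%.4fs safe=%.6fs\n", n,
           match_seconds(VULNERABLE_VARNAME, pathological(n)),
           match_seconds(SAFE_VARNAME, pathological(n)))
  end
  p match_with_deadline(VULNERABLE_VARNAME, pathological(24), 0.5)
end
```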
Sure, upstream indeed explains that even if it is obviously a bad idea to have the template coming from user input, they don't explicitly tell people not to do it, so maybe someone is doing it (but I expect they have other security problems then...).

ruby-addressable-2.7.0-1.1.mga8
ruby-addressable-doc-2.7.0-1.1.mga8

from ruby-addressable-2.7.0-1.1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)

mga8, x86_64

The addressable gem was already installed.
Ran two examples from the README.md:
```
$ irb
irb(main):001:0> require 'addressable/uri'
=> true
irb(main):002:0> uri = Addressable::URI.parse("http://example.com/path/to/resource/")
=> #<Addressable::URI:0xb4 URI:http://example.com/path/to/resource/>
irb(main):003:0> uri.scheme
=> "http"
irb(main):004:0> uri.host
=> "example.com"
uri.path
#=> "/path/to/resource/"
uri = Addressable::URI.parse("http://www.詹姆斯.com/")
uri.normalize
#=> #<Addressable::URI:0xc9a4c8 URI:http://www.xn--8ws00zhy3a.com/>
```
URI Templates:
```
$ irb
irb(main):001:0> require "addressable/template"
=> true
irb(main):002:0> template = Addressable::Template.new("http://example.com/{?query*}")
irb(main):003:2* template.expand({
irb(main):004:3* "query" => {
irb(main):005:3* 'foo' => 'bar', 'color' => 'red'
irb(main):006:2* }
irb(main):007:0> })
=> #<Addressable::URI:0xc8 URI:http://example.com/?foo=bar&color=red>
irb(main):008:0> template = Addressable::Template.new("http://example.com/{?one,two,three}")
=> #<Addressable::Template:0xdc PATTERN:http://example.com/{?one,two,three}>
irb(main):009:0> template.partial_expand({"one" => "1", "three" => 3}).pattern
=> "http://example.com/?one=1{&two}&three=3"
irb(main):010:0> template = Addressable::Template.new("http://{host}{/segments*}/{?one,two,bogus}{#fragment}")
=> #<Addressable::Template:0xf0 PATTERN:http://{host}{/segments*}/{?one,two...
irb(main):011:0> uri = Addressable::URI.parse("http://example.com/a/b/c/?one=1&two=2#foo")
=> #<Addressable::URI:0x104 URI:http://example.com/a/b/c/?one=1&two=2#foo>
irb(main):012:0> template.extract(uri)
=> {"host"=>"example.com", "segments"=>["a", "b", "c"], "one"=>"1", "two"=>"2", "bogus"=>nil, "fragment"=>"foo"}
irb(main):013:0> exit
```
Those all echo the responses in the documentation.
Before updating tried the timing test:
```
$ time ruby -raddressable/template -e 'Addressable::Template::VARNAME.match("0"*28 + "!")'
real 0m10.187s
user 0m10.172s
sys 0m0.011s
```
After the update:
```
real 0m0.080s
user 0m0.069s
sys 0m0.011s
```
Good result.
Ran the examples from the documentation again under irb and the results were the same, e.g.
```
$ irb
irb(main):001:0> require "addressable/template"
=> true
irb(main):002:0> template = Addressable::Template.new("http://example.com/{?query*}")
=> #<Addressable::Template:0xb4 PATTERN:http://example.com/{?query*}>
irb(main):003:0> template.expand({ "query" => { 'foo' => 'bar', 'color' => 'red' } })
=> #<Addressable::URI:0xc8 URI:http://example.com/?foo=bar&color=red>
irb(main):004:0> template = Addressable::Template.new("http://example.com/{?one,two,three}")
=> #<Addressable::Template:0xdc PATTERN:http://example.com/{?one,two,three}>
irb(main):005:0> template.partial_expand({"one" => "1", "three" => 3}).pattern
=> "http://example.com/?one=1{&two}&three=3"
irb(main):006:0> template = Addressable::Template.new("http://{host}{/segments*}/{?one,two,bogus}{#fragment}")
=> #<Addressable::Template:0xf0 PATTERN:http://{host}{/segments*}/{?one,two...
irb(main):007:0> uri = Addressable::URI.parse("http://example.com/a/b/c/?one=1&two=2#foo")
=> #<Addressable::URI:0x104 URI:http://example.com/a/b/c/?one=1&two=2#foo>
irb(main):008:0> template.extract(uri)
=> {"host"=>"example.com", "segments"=>["a", "b", "c"], "one"=>"1", "two"=>"2", "bogus"=>nil, "fragment"=>"foo"}
irb(main):009:0> exit
```
Looks like this is alright to release.

CC: (none) => tarazed25

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-09-04 17:57:39 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0417.html

Status: NEW => RESOLVED