Bug 31416

Summary: ruby-sinatra new security issue CVE-2022-45442
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, pterjan, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: ruby-sinatra-3.0.1-1.mga9.src.rpm CVE:
Status comment:

Description David Walser 2023-01-17 18:35:58 CET 
Debian-LTS has issued an advisory on January 10:
https://www.debian.org/lts/security/2023/dla-3264

The issue is fixed upstream in 2.2.3 and 3.0.4:
https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw

Mageia 8 is also affected.
David Walser 2023-01-17 18:36:15 CET

Status comment: (none) => Fixed upstream in 2.2.3 and 3.0.4
Whiteboard: (none) => MGA8TOO

Comment 1 Pascal Terjan 2023-01-18 22:01:34 CET 
Fixed in cauldron by updating to 3.0.4 and in 8 by backporting https://github.com/sinatra/sinatra/commit/1808bcdf3424eab0c659ef2d0e85579aab977a1a
Comment 2 David Walser 2023-01-19 01:33:35 CET 
ruby-sinatra-2.0.8.1-1.2.mga8

from ruby-sinatra-2.0.8.1-1.2.mga8.src.rpm

CC: (none) => pterjan
Assignee: pterjan => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 2.2.3 and 3.0.4 => (none)

Comment 3 Herman Viaene 2023-01-19 11:25:59 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
I'm not at all familiar with ruby e.a. but found bug 30542 Comment 4 that I more or less could grasp.
$ cd Documents/
$ mkdir public
$ echo bar > public/foo.html
$ ruby -rsinatra -e "get '/' do 'Hello world'; end"&
[1] 12356
$ [2023-01-19 11:14:03] INFO  WEBrick 1.6.1
[2023-01-19 11:14:03] INFO  ruby 2.7.7 (2022-11-24) [x86_64-linux]
== Sinatra (v2.0.8.1) has taken the stage on 4567 for development with backup from WEBrick
[2023-01-19 11:14:03] INFO  WEBrick::HTTPServer#start: pid=12356 port=4567
This was all feedback on the ruby command and then this terminal session was waiting
On another tab in the terminal I did then
$ GET 127.0.0.1:4567/foo.html
bar
and got on the first tab the feedback
127.0.0.1 - - [19/Jan/2023:11:15:07 +0100] "GET /foo.html HTTP/1.1" 200 4 0.0396
127.0.0.1 - - [19/Jan/2023:11:15:07 CET] "GET /foo.html HTTP/1.1" 200 4
- -> /foo.html

I expected to see the 'Hello world' somewhere in the feedback, but on the other hand the content of the foo.html appears at the place I expected.
Really not sure what this all means ....

CC: (none) => herman.viaene

Comment 4 Len Lawrence 2023-01-29 18:41:12 CET 
@Herman, re comment 3:
The 'Hello world' message does turn up, in a browser at localhost:4567/
No idea how you would progress any further.  Reckon you should pass it.

CC: (none) => tarazed25

Comment 5 Thomas Andrews 2023-02-03 15:31:44 CET 
Since no one else is forthcoming, I'm going to give this an OK based on Comments 3 and 4. If that is a problem, please let us know.

Validating.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-02-06 22:09:28 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2023-02-07 01:08:31 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0029.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED