Bug 31739

Summary: ruby-rack new security issue CVE-2023-27539
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: marja11, nicolas.salguero, pterjan, sysadmin-bugs, tarazed25
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lists.suse.com/pipermail/sle-security-updates/2023-March/014232.html https://www.debian.org/lts/security/2023/dla-3392
Whiteboard: MGA9-64-OK
Source RPM: ruby-rack-2.2.4-3.mga9.src.rpm CVE: CVE-2023-27539
Status comment: Fixed upstream in 2.2.6.4
Attachments: Simple test for ruby-rack

Description David Walser 2023-03-30 23:03:51 CEST 
SUSE has issued an advisory on March 29:
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014232.html

The issue is fixed upstream in 2.2.6.4.

Mageia 8 is also affected.
David Walser 2023-03-30 23:04:21 CEST

Whiteboard: (none) => MGA8TOO
CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 2.2.6.4

Comment 1 David Walser 2023-04-18 13:32:57 CEST 
Debian-LTS has issued an advisory for this on April 17:
https://www.debian.org/lts/security/2023/dla-3392
Comment 2 Pascal Terjan 2024-02-10 20:57:22 CET 
Submitted ruby-rack-2.2.8-1.mga9.src.rpm to core/updates_testing
Comment 3 katnatek 2024-02-11 03:55:23 CET 
(In reply to Pascal Terjan from comment #2)
> Submitted ruby-rack-2.2.8-1.mga9.src.rpm to core/updates_testing

The packages 

ruby-rack-2.2.8-1.mga9.noarch.rpm
ruby-rack-doc-2.2.8-1.mga9.noarch.rpm

Arrive to updates_testing, I must assign to QA?

Whiteboard: MGA8TOO => (none)

katnatek 2024-02-15 03:47:14 CET

Keywords: (none) => feedback

katnatek 2024-02-16 04:15:57 CET

Assignee: pterjan => qa-bugs
CC: (none) => pterjan

Marja Van Waes 2024-02-17 17:30:18 CET

URL: (none) => https://lists.suse.com/pipermail/sle-security-updates/2023-March/014232.html https://www.debian.org/lts/security/2023/dla-3392
Keywords: feedback => (none)
CVE: (none) => CVE-2023-27539
CC: (none) => marja11

Marja Van Waes 2024-02-17 17:33:44 CET

Keywords: (none) => advisory

Comment 4 Len Lawrence 2024-02-18 01:10:58 CET 
Note that the CVE is currently reserved so we can get no useful information from Mitre.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2024-02-18 01:38:40 CET 
Created attachment 14394 [details]
Simple test for ruby-rack

From Pascal probably.  Instructions in the script.
Comment 6 Len Lawrence 2024-02-18 02:47:30 CET 
Mageia9, x86_64
This from Debian at https://lists.debian.org/debian-lts-announce/2023/04/msg00018.html

CVE-2023-27539
    Description: Split headers on commas, then strip the strings in
    order to avoid ReDoS issues.

Could be the basis of a PoC - if there are any hackers in the house.

Had to remove two conflicting gems before things would work.
Updated the two packages and ran the helloworld script:
$ ruby logging.rb
2024-02-18 00:44:40 +0000 Thin web server (v1.8.2 codename Ruby Razor)
2024-02-18 00:44:40 +0000 Maximum connections set to 1024
2024-02-18 00:44:40 +0000 Listening on localhost:8080, CTRL+C to stop

localhost:8080/ in Firefox, slight delay then
Hello World
App took 3 seconds.

Tried to run a script from the latest Pickaxe book with rackup.  It insisted on installing a later version of the rack gem, 3.0... so that had to be abandoned and the new gem uninstalled.

Is logging.rb a sufficient test for ruby-rack?
katnatek 2024-02-18 02:53:41 CET

Version: Cauldron => 9

Comment 7 Len Lawrence 2024-02-18 10:53:36 CET 
Ran the rackapp test from bug 31496.
$ cat rackapp.rb
require 'rack'

app = ->(env){
    ['200', {'Content-Type' => 'text/html'}, ['A barebones rack app.']]
}

Rack::Handler::WEBrick.run app

$ ruby rackapp.rb
[2024-02-18 09:36:33] INFO  WEBrick 1.8.1
[2024-02-18 09:36:33] INFO  ruby 3.1.4 (2023-03-30) [x86_64-linux]
[2024-02-18 09:36:33] INFO  WEBrick::HTTPServer#start: pid=229817 port=8080
127.0.0.1 - - [18/Feb/2024:09:37:13 GMT] "GET / HTTP/1.1" 200 21
- -> /
127.0.0.1 - - [18/Feb/2024:09:37:13 GMT] "GET /favicon.ico HTTP/1.1" 200 21
http://localhost:8080/ -> /favicon.ico

The message "A barebones rack app" appeared at localhost:8080/ in Firefox.

There was an earlier PoC test from bug 26952:
$ ruby -r rack -e 'p Rack::Utils.parse_cookies(Rack::MockRequest.env_for("", "HTTP_COOKIE" => "%66oo=baz;foo=bar"))'
{"%66oo"=>"baz", "foo"=>"bar"}
Len Lawrence 2024-02-18 15:24:27 CET

Whiteboard: (none) => MGA9-64-OK

katnatek 2024-02-18 18:26:33 CET

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 8 Mageia Robot 2024-02-19 18:36:26 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0042.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED