Fedora has issued an advisory on March 21:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/130990.html

Mageia 3 and Mageia 4 are also affected.

The issue is fixed upstream in 1.4.0. The RedHat bug has a link to the upstream commit to fix it:
https://bugzilla.redhat.com/show_bug.cgi?id=1078612

Fedora added patches to fix it here:
http://pkgs.fedoraproject.org/cgit/rubygem-rack-ssl.git/commit/?h=f20&id=8135a0b5a950d1677a70ec095dd9f1cf0bbf1b3c

Reproducible:

Steps to Reproduce:
CC: (none) => fundawang
Whiteboard: (none) => MGA4TOO, MGA3TOO
1.4.0 submitted to cauldron, will prepare updates.
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Crafted some patches based on upstream commits and submitted them to updates_testing:

ruby-rack-ssl-1.3.2-3.1.mga3.src.rpm
ruby-rack-ssl-1.3.2-3.1.mga3.noarch.rpm
ruby-rack-ssl-doc-1.3.2-3.1.mga3.noarch.rpm

ruby-rack-ssl-1.3.3-3.1.mga4.src.rpm
ruby-rack-ssl-1.3.3-3.1.mga4.noarch.rpm
ruby-rack-ssl-doc-1.3.3-3.1.mga4.noarch.rpm

No idea how to use/test it :(
Thanks Pascal! All I know is it's required by redmine and mageia-maintainers-database.

As for the issue itself, the upstream commits added a test for it as well, but Pascal didn't include that in the patch, and our package doesn't run make check. The code for the test is:

  def test_invalid_uri_returns_400
    ssl = Rack::SSL.new(nil)
    resp = ssl.call('PATH_INFO' => "https://example.org/path/<script>")
    assert_equal 400, resp[0]
  end

So I guess if you could get a ruby script to run that code, if it didn't throw an assertion error it should be good.

Advisory:
========================

Updated ruby-rack-ssl packages fix security vulnerabilities:

Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be properly handled by third-party adapters such as JRuby-Rack (CVE-2014-2538).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2538
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/130990.html
CC: (none) => pterjan
Assignee: pterjan => qa-bugs
Yes, tests are not distributed... It seems Fedora creates a rack-ssl-1.3.2-tests.tgz from git and includes it in the package.

  resp = ssl.call('PATH_INFO' => "https://example.org/path/<script>")

Doesn't seem to work at all, I'll try to come up with some code.
Old version:

$ ruby -ruri -rrack/ssl -e "p Rack::SSL.new(nil).call({'HTTP_HOST' => 'a', 'HTTP_X_FORWARDED_PROTO' => 'http', 'PATH_INFO' => '/path/<script>'})"
/usr/share/ruby/uri/common.rb:176:in `split': bad URI(is not URI?): http://a:0/path/<script> (URI::InvalidURIError)
        from /usr/share/ruby/uri/common.rb:211:in `parse'
        from /usr/share/ruby/uri/common.rb:747:in `parse'
        from /usr/share/ruby/uri/common.rb:996:in `URI'
        from /usr/share/ruby/gems/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:50:in `redirect_to_https'
        from /usr/share/ruby/gems/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:32:in `call'
        from -e:1:in `<main>'

With the update:

$ ruby -ruri -rrack/ssl -e "p Rack::SSL.new(nil).call({'HTTP_HOST' => 'a', 'HTTP_X_FORWARDED_PROTO' => 'http', 'PATH_INFO' => '/path/<script>'})"
[400, {"Content-Type"=>"text/plain"}, []]

1.4.1 in Cauldron however doesn't seem right, I'll look into it but this is not a problem for the update:

$ ruby -ruri -rrack/ssl -e "p Rack::SSL.new(nil).call({'HTTP_HOST' => 'a', 'HTTP_X_FORWARDED_PROTO' => 'http', 'PATH_INFO' => '/path/<script>'})"
[307, {"Content-Type"=>"text/html", "Location"=>"https://a/path/<script>"}, []]
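The three outputs above (an unhandled URI::InvalidURIError, a 400, and a 307 whose Location header still carries the raw `<script>`) are the behaviours at stake in CVE-2014-2538. The block below is an added example, not code from the rack-ssl gem, from Fedora's patch or from anyone in this thread: a minimal stand-in for the redirect that Rack::SSL#redirect_to_https performs, written without a rack dependency so it runs on its own. The "before" method copies the client-supplied PATH_INFO into the Location header by string substitution; the "after" method validates the URL with Ruby's URI parser first and answers 400 on failure, which is what the updated mga3/mga4 packages print. The module name, method names and the render_redirect_body "adapter" are assumptions made for illustration; the env keys are the standard Rack ones used in the one-liner above.

```ruby
require 'uri'

# Added example, not code from the rack-ssl gem or from this bug report.
# SslRedirectDemo, its method names and the HTML-rendering "adapter" below
# are assumed for illustration; the env keys follow the Rack spec.
module SslRedirectDemo
  # Rebuild the request URL the way a Rack request does: scheme from
  # X-Forwarded-Proto (or rack.url_scheme), host from HTTP_HOST, then
  # PATH_INFO and QUERY_STRING.
  def self.request_url(env)
    scheme = env['HTTP_X_FORWARDED_PROTO'] || env['rack.url_scheme'] || 'http'
    host   = env['HTTP_HOST'] || env['SERVER_NAME']
    url    = "#{scheme}://#{host}#{env['PATH_INFO']}"
    query  = env['QUERY_STRING'].to_s
    url += "?#{query}" unless query.empty?
    url
  end

  # "Before": the redirect target is produced by string substitution, so
  # whatever the client put in PATH_INFO lands verbatim in a response header.
  def self.redirect_unchecked(env)
    location = request_url(env).sub(/\Ahttp:/, 'https:')
    [307, { 'Content-Type' => 'text/html', 'Location' => location }, []]
  end

  # "After": parse the URL with URI before using it. Ruby's URI parser
  # rejects '<' and '>' in a path, so such a request becomes a 400 with an
  # empty body instead of a redirect.
  def self.redirect_checked(env)
    url = URI.parse(request_url(env))
    url.scheme = 'https'
    [307, { 'Content-Type' => 'text/html', 'Location' => url.to_s }, []]
  rescue URI::InvalidURIError
    [400, { 'Content-Type' => 'text/plain' }, []]
  end

  HTML_ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                   '"' => '&quot;', "'" => '&#39;' }.freeze

  # Constructed stand-in for an adapter or front end that renders the
  # redirect target into an HTML body. The CVE text says some third-party
  # adapters may not handle the URI properly; this shows what an unescaped
  # Location does in that position. It is not any real adapter's code.
  def self.render_redirect_body(headers, escape:)
    target = headers['Location'].to_s
    target = target.gsub(/[&<>"']/, HTML_ESCAPES) if escape
    "<html><body>Redirecting to <a href=\"#{target}\">#{target}</a></body></html>"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: the same request the thread's one-liner sends.
  env = { 'HTTP_HOST' => 'a', 'HTTP_X_FORWARDED_PROTO' => 'http',
          'PATH_INFO' => '/path/<script>' }
  p SslRedirectDemo.redirect_unchecked(env)
  p SslRedirectDemo.redirect_checked(env)
end
```

Run it with `ruby` and the first line printed is the 307 with `https://a/path/<script>` in Location (the Cauldron 1.4.1 shape), the second is `[400, {"Content-Type"=>"text/plain"}, []]` (the updated-package shape). The old packages differ from both only in that the URI::InvalidURIError was not rescued and escaped as a 500; the fix is the rescue clause, which keeps untrusted, unparseable input out of the redirect entirely.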
Testing mga3 32

It gives the same output before and after the update.

Before
------

$ ruby -ruri -rrack/ssl -e "p Rack::SSL.new(nil).call({'HTTP_HOST' => 'a', 'HTTP_X_FORWARDED_PROTO' => 'http', 'PATH_INFO' => '/path/<script>'})"
/usr/share/ruby/uri/common.rb:176:in `split': bad URI(is not URI?): http://a:0/path/<script> (URI::InvalidURIError)
        from /usr/share/ruby/uri/common.rb:211:in `parse'
        from /usr/share/ruby/uri/common.rb:747:in `parse'
        from /usr/share/ruby/uri/common.rb:994:in `URI'
        from /home/claire/.gem/ruby/1.9.1/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:50:in `redirect_to_https'
        from /home/claire/.gem/ruby/1.9.1/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:32:in `call'
        from -e:1:in `<main>'

After
-----

$ ruby -ruri -rrack/ssl -e "p Rack::SSL.new(nil).call({'HTTP_HOST' => 'a', 'HTTP_X_FORWARDED_PROTO' => 'http', 'PATH_INFO' => '/path/<script>'})"
/usr/share/ruby/uri/common.rb:176:in `split': bad URI(is not URI?): http://a:0/path/<script> (URI::InvalidURIError)
        from /usr/share/ruby/uri/common.rb:211:in `parse'
        from /usr/share/ruby/uri/common.rb:747:in `parse'
        from /usr/share/ruby/uri/common.rb:994:in `URI'
        from /home/claire/.gem/ruby/1.9.1/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:50:in `redirect_to_https'
        from /home/claire/.gem/ruby/1.9.1/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:32:in `call'
        from -e:1:in `<main>'
Hmm, I only tested installing the update for 4 on a cauldron and it was fine :( I'll try tonight to install a 3 chroot or VM, but my internet is quite slow so I'm not sure I will be able to do it today.
Testing complete mga4 64

Seems OK, at least matches your output in comment 5.

Before
------

$ ruby -ruri -rrack/ssl -e "p Rack::SSL.new(nil).call({'HTTP_HOST' => 'a', 'HTTP_X_FORWARDED_PROTO' => 'http', 'PATH_INFO' => '/path/<script>'})"
/usr/share/ruby/uri/common.rb:176:in `split': bad URI(is not URI?): http://a:0/path/<script> (URI::InvalidURIError)
        from /usr/share/ruby/uri/common.rb:211:in `parse'
        from /usr/share/ruby/uri/common.rb:747:in `parse'
        from /usr/share/ruby/uri/common.rb:994:in `URI'
        from /usr/share/ruby/gems/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:50:in `redirect_to_https'
        from /usr/share/ruby/gems/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:32:in `call'
        from -e:1:in `<main>'

After
-----

$ ruby -ruri -rrack/ssl -e "p Rack::SSL.new(nil).call({'HTTP_HOST' => 'a', 'HTTP_X_FORWARDED_PROTO' => 'http', 'PATH_INFO' => '/path/<script>'})"
[400, {"Content-Type"=>"text/plain"}, []]
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
Testing complete mga4 32

So just mga3 showing issues.
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok
Testing complete mga3 64 & mga3 32

Found the problem on mga3 32. It was looking in ~/.gem rather than /usr/share/ruby, so I deleted ~/.gem and it worked OK. Maybe some leftover ruby stuff from previous testing.

Before
------

$ ruby -ruri -rrack/ssl -e "p Rack::SSL.new(nil).call({'HTTP_HOST' => 'a', 'HTTP_X_FORWARDED_PROTO' => 'http', 'PATH_INFO' => '/path/<script>'})"
/usr/share/ruby/uri/common.rb:176:in `split': bad URI(is not URI?): http://a:0/path/<script> (URI::InvalidURIError)
        from /usr/share/ruby/uri/common.rb:211:in `parse'
        from /usr/share/ruby/uri/common.rb:747:in `parse'
        from /usr/share/ruby/uri/common.rb:994:in `URI'
        from /usr/share/ruby/gems/gems/rack-ssl-1.3.2/lib/rack/ssl.rb:50:in `redirect_to_https'
        from /usr/share/ruby/gems/gems/rack-ssl-1.3.2/lib/rack/ssl.rb:32:in `call'
        from -e:1:in `<main>'

After
-----

$ ruby -ruri -rrack/ssl -e "p Rack::SSL.new(nil).call({'HTTP_HOST' => 'a', 'HTTP_X_FORWARDED_PROTO' => 'http', 'PATH_INFO' => '/path/<script>'})"
[400, {"Content-Type"=>"text/plain"}, []]
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Thanks for the procedure, Pascal. Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0156.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED