Bug 23813 - ruby-rack new security issues CVE-2018-16471
Summary: ruby-rack new security issues CVE-2018-16471
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-11-07 11:08 CET by David Walser
Modified: 2019-08-12 02:01 CEST
CC: 4 users

See Also:
Source RPM: ruby-rack-1.6.4-3.mga6.src.rpm
CVE:
Status comment:


Attachments
HelloWorld application for ruby-rack (601 bytes, application/x-ruby)
2018-11-12 21:40 CET, Len Lawrence

Description David Walser 2018-11-07 11:08:00 CET
An advisory has been issued on November 5:
https://www.openwall.com/lists/oss-security/2018/11/05/1

The issue is fixed upstream in 2.0.6.
Comment 1 David Walser 2018-11-07 11:09:28 CET
An advisory has been issued on November 5:
https://www.openwall.com/lists/oss-security/2018/11/05/2

The issue is fixed upstream in 2.0.6 and 1.6.11.

Mageia 6 is also affected (by only this issue).

Whiteboard: (none) => MGA6TOO
Summary: ruby-rack new security issue CVE-2018-16470 => ruby-rack new security issues CVE-2018-1647[01]

Comment 2 Pascal Terjan 2018-11-07 23:49:58 CET
Cauldron was updated yesterday
Comment 3 David Walser 2018-11-07 23:57:57 CET
Indeed it was.

Source RPM: ruby-rack-2.0.5-2.mga7.src.rpm => ruby-rack-1.6.4-3.mga6.src.rpm
Summary: ruby-rack new security issues CVE-2018-1647[01] => ruby-rack new security issues CVE-2018-16471
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 4 Pascal Terjan 2018-11-11 18:41:09 CET
I have uploaded 1.6.11 to 6/core/updates_testing; compared to the 1.6.4 we had, it has several bugfix releases.
Comment 5 Pascal Terjan 2018-11-11 18:44:07 CET
Also, I only did minimal testing:

$ cat c.ru
run Proc.new { |env| ['200', {'Content-Type' => 'text/plain'}, ["Foo\n"]] }

$ rackup c.ru &
[1] 20283
[2018-11-11 17:40:18] INFO  WEBrick 1.4.2
[2018-11-11 17:40:18] INFO  ruby 2.5.3 (2018-10-18) [x86_64-linux]
[2018-11-11 17:40:18] INFO  WEBrick::HTTPServer#start: pid=20283 port=9292

$ GET http://127.0.0.1:9292/
127.0.0.1 - - [11/Nov/2018:17:40:33 +0000] "GET / HTTP/1.1" 200 - 0.0004
Foo
$ fg
rackup c.ru
^C[2018-11-11 17:40:37] INFO  going to shutdown ...
[2018-11-11 17:40:37] INFO  WEBrick::HTTPServer#start done.
Comment 6 David Walser 2018-11-11 19:34:02 CET
Advisory:
========================

Updated ruby-rack packages fix security vulnerability:

There is a possible XSS vulnerability in Rack.  Carefully crafted requests can
impact the data returned by the `scheme` method on `Rack::Request`.
Applications that expect the scheme to be limited to "http" or "https" and do
not escape the return value could be vulnerable to an XSS attack
(CVE-2018-16471).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16471
https://www.openwall.com/lists/oss-security/2018/11/05/2
========================

Updated packages in core/updates_testing:
========================
ruby-rack-1.6.11-1.mga6
ruby-rack-doc-1.6.11-1.mga6

from ruby-rack-1.6.11-1.mga6.src.rpm

CC: (none) => pterjan
Assignee: pterjan => qa-bugs
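
The advisory above says the problem is a `scheme` value that is not limited to "http"/"https" and is then emitted unescaped. The following is an added illustration, not Rack's own code and not from this bug report: a plain-Ruby scheme resolver over a Rack-style `env` hash that whitelists forwarded-header values (the hardening the advisory describes), shown next to a naive resolver that trusts the header, plus an escaping helper for the HTML that uses the value. The header names, the fallback to `rack.url_scheme`, and the `canonical_link` helper are assumptions made for the example.

```ruby
require 'cgi'

# Only these two values are ever accepted from client-influenced headers.
SCHEME_WHITELIST = %w[https http].freeze

# Naive resolver: returns whatever the proxy-style header carries. Because
# X-Forwarded-* headers can be set by the client, this can return arbitrary
# text that a template may then emit unescaped (the XSS path in the advisory).
def naive_scheme(env)
  env['HTTP_X_FORWARDED_SCHEME'] ||
    env['HTTP_X_FORWARDED_PROTO'] ||
    env['rack.url_scheme']
end

# Hardened resolver (assumed behaviour, modelled on the advisory's fix):
# forwarded values are used only if they are exactly "http" or "https";
# otherwise the server-set rack.url_scheme wins.
def safe_scheme(env)
  return 'https' if env['HTTPS'] == 'on'
  return 'https' if env['HTTP_X_FORWARDED_SSL'] == 'on'

  forwarded = [
    env['HTTP_X_FORWARDED_SCHEME'],
    env['HTTP_X_FORWARDED_PROTO'].to_s.split(',')[0] # first hop only
  ].compact

  forwarded.each { |s| return s if SCHEME_WHITELIST.include?(s) }
  env['rack.url_scheme'] || 'http'
end

# Defence in depth: even with a whitelisted scheme, escape every value that
# is interpolated into HTML. Hypothetical helper for the example.
def canonical_link(env)
  scheme = CGI.escapeHTML(safe_scheme(env))
  host   = CGI.escapeHTML(env['HTTP_HOST'] || env['SERVER_NAME'].to_s)
  %(<link rel="canonical" href="#{scheme}://#{host}/">)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample env: a request whose forwarded scheme is not http/https.
  env = { 'rack.url_scheme' => 'http', 'HTTP_HOST' => 'example.test',
          'HTTP_X_FORWARDED_SCHEME' => 'gopher' }
  puts "naive: #{naive_scheme(env)}"   # echoes the header value
  puts "safe:  #{safe_scheme(env)}"    # falls back to http
  puts canonical_link(env)
end
```

Running the block with the constructed env shows the naive resolver echoing "gopher" while the hardened one returns "http"; the `canonical_link` output is escaped regardless, which is the second half of the advice in the advisory (limit the value and escape it).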

Comment 7 Len Lawrence 2018-11-12 21:37:38 CET
Mageia 6, x86_64

No exploit posted.
Ran Pascal's tests, which echo the examples at https://rack.github.io/
More information at https://thoughtbot.com/upcase/videos/rack.
Install ruby-rdoc (if it is not there already).
Copied the middleware logging example and ran it after installing the 'thin' gem.
Don't know how or if it is bundled with Mageia ruby so went for the gem.
$ sudo gem install thin

Updated ruby rack from testing.

$ cat rackapp.rb
require 'rack'
 
app = Proc.new do |env|
    ['200', {'Content-Type' => 'text/html'}, ['A barebones rack app.']]
end
 
Rack::Handler::WEBrick.run app

Ran the script:
$ rackup rackapp.rb
[2018-11-12 20:17:48] INFO  WEBrick 1.3.1
[2018-11-12 20:17:48] INFO  ruby 2.2.10 (2018-03-28) [x86_64-linux]
[2018-11-12 20:17:48] INFO  WEBrick::HTTPServer#start: pid=22925 port=8080
localhost - - [12/Nov/2018:20:18:15 GMT] "GET / HTTP/1.1" 200 21

Pointed the browser at localhost:8080/ and saw
"A barebones rack app." on a clean page.

Also tried the other example:
$ cat config.ru
run Proc.new { |env| ['200', {'Content-Type' => 'text/html'}, ["get rack\'d\n"]] }
$ rackup config.ru
Thin web server (v1.7.2 codename Bachmanity)
Maximum connections set to 1024
Listening on localhost:9292, CTRL+C to stop

In another terminal:
$ GET http://127.0.0.1:9292/
get rack'd

Ran the attached script.
$ ruby logging.rb
Thin web server (v1.7.2 codename Bachmanity)
Maximum connections set to 1024
Listening on localhost:8080, CTRL+C to stop

Typed localhost:8080/ in the browser address bar and saw the message:
Hello World
App took 3 seconds.

Hey, it can do HelloWorld!  Must be OK.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25

Comment 8 Len Lawrence 2018-11-12 21:40:08 CET
Created attachment 10469 [details]
HelloWorld application for ruby-rack

Open a browser at localhost:8080/ after running it.
Comment 9 Lewis Smith 2018-11-14 19:56:55 CET
Advisory from comment 6. Validating also.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 10 Mageia Robot 2018-11-15 23:05:40 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0449.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 11 David Walser 2019-08-12 02:01:50 CEST
Ubuntu advisory from August 7, for reference:
https://usn.ubuntu.com/4089-1/
