Debian-LTS has issued an advisory on July 11: https://www.debian.org/lts/security/2020/dla-2275 The issue is fixed upstream in 2.2.3. Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 2.2.3
Whiteboard: (none) => MGA7TOO
2.2.3 uploaded to cauldron and 2.0.8-2 uploaded to 7 updates_testing

Here is the test to verify the fix:

Vulnerable:
$ ruby -r rack -e 'p Rack::Utils.parse_cookies(Rack::MockRequest.env_for("", "HTTP_COOKIE" => "%66oo=baz;foo=bar"))'
{"foo"=>"baz"}

Fixed:
$ ruby -r rack -e 'p Rack::Utils.parse_cookies(Rack::MockRequest.env_for("", "HTTP_COOKIE" => "%66oo=baz;foo=bar"))'
{"%66oo"=>"baz", "foo"=>"bar"}
Advisory:
========================

Updated ruby-rack packages fix security vulnerability:

A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3 that makes it possible for an attacker to forge a secure or host-only cookie prefix (CVE-2020-8184).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8184
https://www.debian.org/lts/security/2020/dla-2275
========================

Updated packages in core/updates_testing:
========================
ruby-rack-2.0.8-2.mga7
ruby-rack-doc-2.0.8-2.mga7

from ruby-rack-2.0.8-2.mga7.src.rpm
Assignee: pterjan => qa-bugs
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Status comment: Fixed upstream in 2.2.3 => (none)
CC: (none) => pterjan
mga7, x86_64

CVE-2020-8184

The suggested PoC at HackerOne is concerned with manipulating cookies for devious ends but as I have no experience of web development or anything like RubyOnRails I shall give this a miss and use Pascal's one-liner only.

$ ruby -r rack -e 'p Rack::Utils.parse_cookies(Rack::MockRequest.env_for("", "HTTP_COOKIE" => "%66oo=baz;foo=bar"))'
{"foo"=>"baz"}

After update:

$ ruby -r rack -e 'p Rack::Utils.parse_cookies(Rack::MockRequest.env_for("", "HTTP_COOKIE" => "%66oo=baz;foo=bar"))'
{"%66oo"=>"baz", "foo"=>"bar"}

Testing this in the most basic way - hello world again. See https://rack.github.io/

$ cat lambda.rb
require "rack"
require "thin"
app = ->( env ) { [ 200, {"Content-Type" => "text/plain"}, ["Hello World"] ] }
Rack::Handler::Thin.run app

$ ruby lambda.rb
Thin web server (v1.7.2 codename Bachmanity)
Maximum connections set to 1024
Listening on localhost:8080, CTRL+C to stop
<The browser shows "Hello World" at localhost:8080.>
^CStopping ...

To put it another way:

$ cat rackapp.rb
require 'rack'
app = ->( env ){ ['200', {'Content-Type' => 'text/html'}, ['A barebones rack app.']] }
Rack::Handler::WEBrick.run app

$ ruby rackapp.rb
[2020-07-15 18:07:07] INFO  WEBrick 1.4.2
[2020-07-15 18:07:07] INFO  ruby 2.5.8 (2020-03-31) [x86_64-linux]
[2020-07-15 18:07:07] INFO  WEBrick::HTTPServer#start: pid=30456 port=8080
127.0.0.1 - - [15/Jul/2020:18:07:23 BST] "GET / HTTP/1.1" 200 21
- -> /
<"A barebones rack app" duly appears at localhost:8080>

This one is OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
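Added example, not code from this thread or from rack itself: a small pure-Ruby reconstruction of the two behaviours that Pascal's one-liner above compares, so the difference can be seen and checked without the gem installed. The two parsers approximate rack's parse_cookies_header before and after 2.2.3 (the first occurrence of a name wins in both, as in rack); the function names, the cookie_name_collisions check and the sample headers are my own, and the "__Host-"/"__Secure-" prefix names are the ones the advisory refers to.

```ruby
require "cgi"

# Constructed sample input, the same header as the one-liner in this thread:
# "%66oo" is "foo" with its first byte percent-encoded.
SAMPLE_COOKIE_HEADER = "%66oo=baz;foo=bar"

# Split a Cookie header into [name, value] pairs. Cookie syntax has no percent
# encoding of its own; a browser sends the name exactly as the server set it.
def split_cookie_pairs(header)
  header.to_s.split(/;\s*/).reject(&:empty?).map do |pair|
    name, value = pair.split("=", 2)
    [name, value.to_s]
  end
end

# Approximation of the pre-2.2.3 behaviour (illustrative, not rack's code):
# the NAME is percent-decoded as well as the value, so an encoded name collides
# with a literal one and the earlier pair shadows the later one.
def parse_cookies_decoding_names(header)
  split_cookie_pairs(header).each_with_object({}) do |(name, value), cookies|
    decoded_name = CGI.unescape(name)
    cookies[decoded_name] = CGI.unescape(value) unless cookies.key?(decoded_name)
  end
end

# Approximation of the 2.2.3 behaviour: the name is kept verbatim and only the
# value is decoded, so "%66oo" and "foo" are two distinct cookies.
def parse_cookies_fixed(header)
  split_cookie_pairs(header).each_with_object({}) do |(name, value), cookies|
    cookies[name] = CGI.unescape(value) unless cookies.key?(name)
  end
end

# Defender-side check: list cookie names that only match another name in the
# same header after percent-decoding. A browser never encodes a "__Host-" or
# "__Secure-" name by itself, so such a collision indicates a request that a
# name-decoding parser would misattribute.
def cookie_name_collisions(header)
  literal_names = split_cookie_pairs(header).map(&:first)
  literal_names.each_with_object([]) do |name, found|
    decoded = CGI.unescape(name)
    found << [name, decoded] if decoded != name && literal_names.include?(decoded)
  end
end

if __FILE__ == $PROGRAM_NAME
  p parse_cookies_decoding_names(SAMPLE_COOKIE_HEADER) # {"foo"=>"baz"}
  p parse_cookies_fixed(SAMPLE_COOKIE_HEADER)          # {"%66oo"=>"baz", "foo"=>"bar"}
  p cookie_name_collisions(SAMPLE_COOKIE_HEADER)       # [["%66oo", "foo"]]
end
```

Run it with plain ruby; the first two printed hashes match the "Vulnerable" and "Fixed" outputs of the one-liner, which is the quickest way to confirm which behaviour an installed rack has when comparing against this reconstruction.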
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0306.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED