Bug 26952 - ruby-rack new security issue CVE-2020-8184
Summary: ruby-rack new security issue CVE-2020-8184
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-07-14 22:24 CEST by David Walser
Modified: 2020-08-01 01:28 CEST

See Also:
Source RPM: ruby-rack-2.2.2-1.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2020-07-14 22:24:27 CEST
Debian-LTS has issued an advisory on July 11:
https://www.debian.org/lts/security/2020/dla-2275

The issue is fixed upstream in 2.2.3.

Mageia 7 is also affected.
David Walser 2020-07-14 22:24:45 CEST

Status comment: (none) => Fixed upstream in 2.2.3
Whiteboard: (none) => MGA7TOO

Comment 1 Pascal Terjan 2020-07-14 22:58:07 CEST
2.2.3 uploaded to cauldron and 2.0.8-2 uploaded to 7 updates_testing

Here is the test to verify the fix:

Vulnerable:

$ ruby -r rack -e 'p Rack::Utils.parse_cookies(Rack::MockRequest.env_for("", "HTTP_COOKIE" => "%66oo=baz;foo=bar"))' 
{"foo"=>"baz"}

Fixed:

$ ruby -r rack -e 'p Rack::Utils.parse_cookies(Rack::MockRequest.env_for("", "HTTP_COOKIE" => "%66oo=baz;foo=bar"))' 
{"%66oo"=>"baz", "foo"=>"bar"}
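To make the one-liner's before/after output concrete, here is an added example (mine, not Pascal's test and not rack's own code) of a minimal Cookie-header parser in the vulnerable and the fixed shape, plus a check an app or proxy still on an old rack can run on incoming headers. The function names are my own, and "the fix decodes only the value, never the name" is my reading of the 2.2.3 change.

```ruby
require "uri"

# Percent-decode like Rack::Utils.unescape, but hand back a malformed
# escape unchanged instead of raising, so one bad cookie cannot 500 the app.
def unescape(str)
  URI.decode_www_form_component(str)
rescue ArgumentError
  str
end

# Split "a=1;b=2" into [[name, value], ...] pairs, untouched.
def split_cookie_header(header)
  header.split(/[;,] */).map do |pair|
    name, value = pair.split("=", 2)
    [name.to_s.strip, value.to_s.strip]
  end
end

# Vulnerable shape: the *name* is percent-decoded before it becomes the
# hash key, so "%66oo" lands on "foo" and first-wins then drops "foo=bar".
def parse_cookies_vulnerable(header)
  split_cookie_header(header).each_with_object({}) do |(name, value), cookies|
    cookies[unescape(name)] ||= unescape(value)
  end
end

# Fixed shape (rack 2.2.3 / 2.0.8-2.mga7, as I read the fix): only the value
# is decoded; the raw name is the key, so the two cookies stay distinct.
def parse_cookies_fixed(header)
  split_cookie_header(header).each_with_object({}) do |(name, value), cookies|
    cookies[name] ||= unescape(value)
  end
end

# Defensive check for an app or proxy still on a vulnerable rack: cookie
# names carrying "%" or "+" are exactly the ones a decoding parser would
# rewrite into some other cookie's name, so log or reject them.
def suspicious_cookie_names(header)
  split_cookie_header(header).map(&:first).select { |n| n.match?(/[%+]/) }
end

if __FILE__ == $0
  header = "%66oo=baz;foo=bar" # the header from the one-liner above
  p parse_cookies_vulnerable(header) # {"foo"=>"baz"}
  p parse_cookies_fixed(header)      # {"%66oo"=>"baz", "foo"=>"bar"}
  p suspicious_cookie_names(header)  # ["%66oo"]
end
```
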
Comment 2 David Walser 2020-07-14 23:33:39 CEST
Advisory:
========================

Updated ruby-rack packages fix security vulnerability:

A reliance on cookies without validation/integrity check security vulnerability
exists in rack < 2.2.3 that makes it possible for an attacker to forge a
secure or host-only cookie prefix (CVE-2020-8184).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8184
https://www.debian.org/lts/security/2020/dla-2275
========================

Updated packages in core/updates_testing:
========================
ruby-rack-2.0.8-2.mga7
ruby-rack-doc-2.0.8-2.mga7

from ruby-rack-2.0.8-2.mga7.src.rpm

Assignee: pterjan => qa-bugs
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Status comment: Fixed upstream in 2.2.3 => (none)
CC: (none) => pterjan

Comment 3 Len Lawrence 2020-07-15 19:22:36 CEST
mga7, x86_64

CVE-2020-8184
The suggested PoC at HackerOne is concerned with manipulating cookies for devious ends, but as I have no experience of web development or anything like RubyOnRails, I shall give this a miss and use Pascal's one-liner only.
$ ruby -r rack -e 'p Rack::Utils.parse_cookies(Rack::MockRequest.env_for("", "HTTP_COOKIE" => "%66oo=baz;foo=bar"))' 
{"foo"=>"baz"}

After update:
$ ruby -r rack -e 'p Rack::Utils.parse_cookies(Rack::MockRequest.env_for("", "HTTP_COOKIE" => "%66oo=baz;foo=bar"))' 
{"%66oo"=>"baz", "foo"=>"bar"}

Testing this in the most basic way - hello world again.
See https://rack.github.io/

$ cat lambda.rb
require "rack"
require "thin"

app = ->( env ) { [ 200, {"Content-Type" => "text/plain"}, ["Hello World"] ] }

Rack::Handler::Thin.run app

$ ruby lambda.rb
Thin web server (v1.7.2 codename Bachmanity)
Maximum connections set to 1024
Listening on localhost:8080, CTRL+C to stop

<The browser shows "Hello World" at localhost:8080.>
^CStopping ...

To put it another way:
$ cat rackapp.rb
require 'rack'

app = ->( env ){
    ['200', {'Content-Type' => 'text/html'}, ['A barebones rack app.']]
}

Rack::Handler::WEBrick.run app

$ ruby rackapp.rb
[2020-07-15 18:07:07] INFO  WEBrick 1.4.2
[2020-07-15 18:07:07] INFO  ruby 2.5.8 (2020-03-31) [x86_64-linux]
[2020-07-15 18:07:07] INFO  WEBrick::HTTPServer#start: pid=30456 port=8080
127.0.0.1 - - [15/Jul/2020:18:07:23 BST] "GET / HTTP/1.1" 200 21
- -> /

<"A barebones rack app" duly appears at localhost:8080>

This one is OK.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2020-07-15 22:50:56 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2020-07-31 10:47:40 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-08-01 01:28:03 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0306.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
