Fedora has issued an advisory on August 27: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WYPVOOQU7UB277UUERJMCNQLRCXRCIQ5/ The issue is fixed upstream in 2.8.0: https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 2.8.0
Whiteboard: (none) => MGA8TOO
Severity is probably not Major (this may be a problem for someone using it in an unusual and unsafe way), but I'll prepare an update.
Severity is based on Red Hat's rating. Upstream actually rated it as even higher severity.
Submitted and verified for cauldron based on the included test:

Before:
$ time ruby -raddressable/template -e 'Addressable::Template::VARNAME.match("0"*28 + "!")'
real 0m16.052s
user 0m16.041s
sys 0m0.010s

After:
$ time ruby -raddressable/template -e 'Addressable::Template::VARNAME.match("0"*28 + "!")'
real 0m0.072s
user 0m0.052s
sys 0m0.020s

Submitting 2.7.0-1.1.mga8 for Mageia 8
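Why the timing test above separates the vulnerable and fixed versions, as an added example in Ruby (not code from the addressable gem, the advisory, or this report): the two patterns are a constructed reconstruction of the shape of Addressable::Template::VARNAME before and after 2.8.0 and are an assumption, not copied from the gem; the probe string is the one used in the test above.

```ruby
require 'timeout'

# Added example, not code from the addressable gem or from this bug report.
# ASSUMPTION: the variable-name grammar is "var_char (. var_char)*" and the
# 2.8.0 fix made the dot between runs mandatory instead of optional.
VAR_CHAR = '(?:(?:[A-Za-z0-9_]|%[a-fA-F0-9][a-fA-F0-9])+)'

# Optional dot: a run like "0000" can be split between the inner + and the
# outer * in exponentially many ways, so a non-matching tail ("!") forces
# the engine to backtrack through all of them (the ReDoS shape).
AMBIGUOUS_VARNAME   = /\A#{VAR_CHAR}(?:\.?#{VAR_CHAR})*\z/
# Required dot: each run of var chars can belong to only one group, so a
# failing tail is rejected after a single linear pass.
UNAMBIGUOUS_VARNAME = /\A#{VAR_CHAR}(?:\.#{VAR_CHAR})*\z/

# The probe string from the timing test, generalised to length n.
def probe(n)
  ('0' * n) + '!'
end

# Wall-clock seconds a pattern needs to reject probe(n), or :timeout.
# Keep n small on Ruby < 3.2, whose regex engine lacks the memoisation
# that makes such patterns run in linear time.
def reject_seconds(re, n, limit: 5.0)
  start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  Timeout.timeout(limit) { re.match?(probe(n)) }
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - start
rescue Timeout::Error
  :timeout
end

# The fix does not change which names are accepted: X+(.?X+)* and X+(.X+)*
# describe the same language, because adjacent X+ runs merge into one.
# Returns the inputs on which the two patterns disagree (expected: none).
def language_differences(inputs)
  inputs.reject { |s| AMBIGUOUS_VARNAME.match?(s) == UNAMBIGUOUS_VARNAME.match?(s) }
end

# Constructed sample names: valid ones, invalid ones, and the probe itself.
SAMPLE_NAMES = %w[host segments foo.bar a.b.c foo%20bar foo..bar .foo foo. foo-bar 0000!]

if __FILE__ == $PROGRAM_NAME
  puts "disagreements: #{language_differences(SAMPLE_NAMES).inspect}"
  [12, 16, 20].each do |n|
    printf("n=%2d ambiguous=%-10s unambiguous=%s\n", n,
           reject_seconds(AMBIGUOUS_VARNAME, n), reject_seconds(UNAMBIGUOUS_VARNAME, n))
  end
end
```

On a Ruby older than 3.2 the ambiguous column roughly doubles with every extra character while the unambiguous one stays flat, which is the same contrast the before/after timings above show at n=28.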
Sure, upstream indeed explains that even if it is obviously a bad idea to have the template coming from user input, they don't explicitly tell people to not do it, so maybe someone is doing it (but I expect they have other security problems then...).
ruby-addressable-2.7.0-1.1.mga8
ruby-addressable-doc-2.7.0-1.1.mga8
from ruby-addressable-2.7.0-1.1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: pterjan => qa-bugs
Status comment: Fixed upstream in 2.8.0 => (none)
CC: (none) => pterjan
mga8, x86_64

The addressable gem was already installed. Ran two examples from the README.md:

$ irb
irb(main):001:0> require 'addressable/uri'
=> true
irb(main):002:0> uri = Addressable::URI.parse("http://example.com/path/to/resource/")
=> #<Addressable::URI:0xb4 URI:http://example.com/path/to/resource/>
irb(main):003:0> uri.scheme
=> "http"
irb(main):004:0> uri.host
=> "example.com"
uri.path
#=> "/path/to/resource/"
uri = Addressable::URI.parse("http://www.詹姆斯.com/")
uri.normalize
#=> #<Addressable::URI:0xc9a4c8 URI:http://www.xn--8ws00zhy3a.com/>

URI Templates:

$ irb
require "addressable/template"
=> true
irb(main):002:0> template = Addressable::Template.new("http://example.com/{?query*}")
irb(main):003:2* template.expand({
irb(main):004:3*   "query" => {
irb(main):005:3*     'foo' => 'bar', 'color' => 'red'
irb(main):006:2*   }
irb(main):007:0> })
=> #<Addressable::URI:0xc8 URI:http://example.com/?foo=bar&color=red>
irb(main):008:0> template = Addressable::Template.new("http://example.com/{?one,two,three}")
=> #<Addressable::Template:0xdc PATTERN:http://example.com/{?one,two,three}>
irb(main):009:0> template.partial_expand({"one" => "1", "three" => 3}).pattern
=> "http://example.com/?one=1{&two}&three=3"
irb(main):010:0> template = Addressable::Template.new("http://{host}{/segments*}/{?one,two,bogus}{#fragment}")
=> #<Addressable::Template:0xf0 PATTERN:http://{host}{/segments*}/{?one,two...
irb(main):011:0> uri = Addressable::URI.parse("http://example.com/a/b/c/?one=1&two=2#foo")
=> #<Addressable::URI:0x104 URI:http://example.com/a/b/c/?one=1&two=2#foo>
irb(main):012:0> template.extract(uri)
=> {"host"=>"example.com", "segments"=>["a", "b", "c"], "one"=>"1", "two"=>"2", "bogus"=>nil, "fragment"=>"foo"}
irb(main):013:0> exit

Those all echo the responses in the documentation.
Before updating tried the timing test:

$ time ruby -raddressable/template -e 'Addressable::Template::VARNAME.match("0"*28 + "!")'
real 0m10.187s
user 0m10.172s
sys 0m0.011s

After the update:
real 0m0.080s
user 0m0.069s
sys 0m0.011s

Good result. Ran the examples from the documentation again under irb and the results were the same, e.g.

$ irb
irb(main):001:0> require "addressable/template"
=> true
irb(main):002:0> template = Addressable::Template.new("http://example.com/{?query*}")
=> #<Addressable::Template:0xb4 PATTERN:http://example.com/{?query*}>
irb(main):003:0> template.expand({ "query" => { 'foo' => 'bar', 'color' => 'red' } })
=> #<Addressable::URI:0xc8 URI:http://example.com/?foo=bar&color=red>
irb(main):004:0> template = Addressable::Template.new("http://example.com/{?one,two,three}")
=> #<Addressable::Template:0xdc PATTERN:http://example.com/{?one,two,three}>
irb(main):005:0> template.partial_expand({"one" => "1", "three" => 3}).pattern
=> "http://example.com/?one=1{&two}&three=3"
irb(main):006:0> template = Addressable::Template.new("http://{host}{/segments*}/{?one,two,bogus}{#fragment}")
=> #<Addressable::Template:0xf0 PATTERN:http://{host}{/segments*}/{?one,two...
irb(main):007:0> uri = Addressable::URI.parse("http://example.com/a/b/c/?one=1&two=2#foo")
=> #<Addressable::URI:0x104 URI:http://example.com/a/b/c/?one=1&two=2#foo>
irb(main):008:0> template.extract(uri)
=> {"host"=>"example.com", "segments"=>["a", "b", "c"], "one"=>"1", "two"=>"2", "bogus"=>nil, "fragment"=>"foo"}
irb(main):009:0> exit

Looks like this is alright to release.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0417.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED