SUSE has issued an advisory today (June 11): https://lists.suse.com/pipermail/sle-security-updates/2022-June/011265.html The issue is fixed upstream in 2.2.0.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.2.0
I have backported the fix in ruby-sinatra-2.0.8.1-1.1.mga8, and it seems obvious enough, but I didn't have time to find out how to use sinatra to reproduce the problem.
ruby-sinatra-2.0.8.1-1.1.mga8 from ruby-sinatra-2.0.8.1-1.1.mga8.src.rpm
CC: (none) => pterjan
Assignee: pterjan => qa-bugs
Status comment: Fixed upstream in 2.2.0 => (none)
Whiteboard: MGA8TOO => (none)
mga8, x64

Installed ruby-sinatra and tried out the simplest examples at https://www.devdungeon.com/content/ruby-sinatra-tutorial#toc-1. These all involved short scripts which launched a WEBrick::HTTP server in a terminal which managed the default localhost:4567 port. Texts appeared in the browser on a Return or could be read in another terminal using:

    $ curl http://localhost:4567/

The json facility was also used at one point. The data could be supplied by the server script or a local file. Created a 'public' directory relative to the current directory but nothing appeared in that. This was a typical script:

    require 'sinatra'

    get '/' do
      send_file 'test.txt', :disposition => 'attachment', :filename => 'receive.txt'
    end

That is as far as it could be taken with no experience of web programming, HTML templates and such, and no possibility of checking the specific issue addressed by this bug.

Updated the package and ran the same primitive tests. All worked as expected. Assigning OK on the basis of this.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
The vulnerability is for static files, I verified static files still work with:

    mkdir public; echo bar > public/foo.html
    ruby -rsinatra -e "get '/' do 'Hello world'; end" &
    GET 127.0.0.1:4567/foo.html

But I didn't understand how to trigger the vulnerability as I get a 400 Bad Request when I try some fancy paths (like '../../etc/hosts') even before the update.
I looked more into it and the error I get is from webrick's normalize_path. It does not seem possible to reproduce the vulnerability using webrick, so it would need something more complicated using a 'sinatra/base' app as a CGI. I tried the following:

    require 'sinatra/base'

    class MyApp < Sinatra::Base
      get '/' do
        'Hello, World!'
      end
    end

    Rack::Handler::CGI.run MyApp.new

    REQUEST_METHOD=GET PATH_INFO=/../../etc/hosts ruby t2.rb

But I am getting a 404. "REQUEST_METHOD=GET PATH_INFO=/foo.html ruby t2.rb" works.

Debugging more, the extra ../ get dropped before reaching sinatra, even if I couldn't find the code doing so in Rack. So I still have no idea which setup would make that vulnerability possible and can't trigger it.
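Because WEBrick's normalize_path and the Rack CGI handler both collapse the traversal segments before the app sees them, the backport is easier to verify at the unit level than end to end. The block below is an added illustration, not the backported patch or Sinatra's own code: a containment check of the kind a static-file handler needs before mapping PATH_INFO onto a file under the public directory, exercised against a constructed temporary public directory (safe_static_path and demo_static_checks are assumed names).

```ruby
# Added illustration (not the backported patch or Sinatra's own code): the kind
# of containment check a static-file handler needs before it maps PATH_INFO
# onto a file below the public directory.
require 'tmpdir'
require 'fileutils'

# Returns the absolute path of the static file for path_info, or nil when the
# request does not map to a regular file strictly inside public_dir.
def safe_static_path(public_dir, path_info)
  root = File.expand_path(public_dir)
  # Decode percent-escapes first so "%2e%2e/" is treated exactly like "../".
  decoded = path_info.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
  return nil if decoded.include?("\0")
  # expand_path collapses "." and ".." segments into one canonical absolute path.
  candidate = File.expand_path(File.join(root, decoded))
  # Compare against root plus a separator, so a sibling such as "public_html"
  # cannot pass as being inside "public".
  return nil unless candidate.start_with?(root + File::SEPARATOR)
  return nil unless File.file?(candidate)
  candidate
end

# Constructed fixture: a throw-away public directory next to a look-alike
# sibling directory. Returns what each sample request path resolves to.
def demo_static_checks
  Dir.mktmpdir do |tmp|
    public_dir = File.join(tmp, 'public')
    FileUtils.mkdir_p(public_dir)
    File.write(File.join(public_dir, 'foo.html'), "bar\n")
    FileUtils.mkdir_p(File.join(tmp, 'public_html'))
    File.write(File.join(tmp, 'public_html', 'x.html'), "x\n")
    requests = ['/foo.html',
                '/../../etc/hosts',
                '/%2e%2e/%2e%2e/etc/hosts',
                '/../public_html/x.html',
                '/missing.html']
    # Only the first request should resolve; every other entry should be nil.
    requests.to_h { |r| [r, safe_static_path(public_dir, r)] }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_static_checks.each { |req, path| puts "#{req.ljust(28)} => #{path.inspect}" }
end
```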
A valiant attempt, Pascal. Validating on the basis of Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0280.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED