Bug 30542 - ruby-sinatra new security issue CVE-2022-29970
Summary: ruby-sinatra new security issue CVE-2022-29970
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2022-06-12 00:36 CEST by David Walser
Modified: 2022-08-13 04:33 CEST (History)
5 users (show)

See Also:
Source RPM: ruby-sinatra-
Status comment:


Description David Walser 2022-06-12 00:36:55 CEST
SUSE has issued an advisory today (June 11):

The issue is fixed upstream in 2.2.0.
David Walser 2022-06-12 00:37:13 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.2.0

Comment 1 Pascal Terjan 2022-08-10 21:34:58 CEST
I have backported the fix ruby-sinatra- and it seems obvious enough but I didn't have time to find out how to use sinatra to reproduce the problem.
Comment 2 David Walser 2022-08-11 01:32:46 CEST

from ruby-sinatra-

CC: (none) => pterjan
Assignee: pterjan => qa-bugs
Status comment: Fixed upstream in 2.2.0 => (none)
Whiteboard: MGA8TOO => (none)

Comment 3 Len Lawrence 2022-08-11 15:50:24 CEST
mga8, x64

Installed ruby-sinatra and tried out the simplest examples at https://www.devdungeon.com/content/ruby-sinatra-tutorial#toc-1.  These all involved short scripts which launched a WEBrick::HTTP server in a terminal which managed the default localhost:4567 port.  Texts appeared in the browser on a Return or could be read in another terminal using:
$ curl http://localhost:4567/
The json facility was also used at one point.
The data could be supplied by the server script or a local file.  Created a 'public' directory relative to the current directory but nothing appeared in that.

This was a typical script:
require 'sinatra'

get '/' do
  send_file 'test.txt', :disposition => 'attachment', :filename => 'receive.txt'

That is as far as it could be taken with no experience of web programming, HTML templates and such, and no possibility of checking the specific issue addressed by this bug.

Updated the package and ran the same primitive tests.  All worked as expected.
Assigning OK on the basis of this.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 4 Pascal Terjan 2022-08-11 16:37:29 CEST
The vulnerability is for static files, I verified static files still work with:

mkdir public; echo bar > public/foo.html
ruby -rsinatra -e "get '/' do 'Hello world'; end"&

But I didn't understand how to trigger the vulnerability as I get a 400 Bad Request when I try some fancy paths (like '../../etc/hosts') even before the update.
Comment 5 Pascal Terjan 2022-08-11 22:53:00 CEST
I looked more into it and the error I get is from webrick's normalize_path. It does not seem possible to reproduce the vulnerability using webrick, so it would need something more complicated using a 'sinatra/base' app as a CGI. 

I tried the following:

require 'sinatra/base'

class MyApp < Sinatra::Base
    get '/' do
        'Hello, World!'

Rack::Handler::CGI.run MyApp.new

REQUEST_METHOD=GET PATH_INFO=/../../etc/hosts ruby t2.rb

But I am getting a 404.

"REQUEST_METHOD=GET PATH_INFO=/foo.html ruby t2.rb" works.

Debugging more, the extra ../ get dropped before reaching sinatra, even if I couldn't find the code doing so in Rack.

So I still have no idea which setup would make that vulnerability possible and can't trigger it.
Comment 6 Thomas Andrews 2022-08-12 02:34:19 CEST
A valiant attempt, Pascal.

Validating on the basis of Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-08-12 22:00:27 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2022-08-13 04:33:36 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.