Bug 31416 - ruby-sinatra new security issue CVE-2022-45442
Summary: ruby-sinatra new security issue CVE-2022-45442
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2023-01-17 18:35 CET by David Walser
Modified: 2023-02-07 01:08 CET (History)

See Also:
Source RPM: ruby-sinatra-3.0.1-1.mga9.src.rpm
CVE:
Status comment:



Description David Walser 2023-01-17 18:35:58 CET
Debian-LTS has issued an advisory on January 10:
https://www.debian.org/lts/security/2023/dla-3264

The issue is fixed upstream in 2.2.3 and 3.0.4:
https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw

Mageia 8 is also affected.
David Walser 2023-01-17 18:36:15 CET

Status comment: (none) => Fixed upstream in 2.2.3 and 3.0.4
Whiteboard: (none) => MGA8TOO

Comment 1 Pascal Terjan 2023-01-18 22:01:34 CET
Fixed in cauldron by updating to 3.0.4 and in 8 by backporting https://github.com/sinatra/sinatra/commit/1808bcdf3424eab0c659ef2d0e85579aab977a1a
Comment 2 David Walser 2023-01-19 01:33:35 CET
ruby-sinatra-2.0.8.1-1.2.mga8

from ruby-sinatra-2.0.8.1-1.2.mga8.src.rpm

CC: (none) => pterjan
Assignee: pterjan => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 2.2.3 and 3.0.4 => (none)

Comment 3 Herman Viaene 2023-01-19 11:25:59 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
I'm not at all familiar with ruby e.a., but found bug 30542 Comment 4, which I could more or less grasp.
$ cd Documents/
$ mkdir public
$ echo bar > public/foo.html
$ ruby -rsinatra -e "get '/' do 'Hello world'; end"&
[1] 12356
$ [2023-01-19 11:14:03] INFO  WEBrick 1.6.1
[2023-01-19 11:14:03] INFO  ruby 2.7.7 (2022-11-24) [x86_64-linux]
== Sinatra (v2.0.8.1) has taken the stage on 4567 for development with backup from WEBrick
[2023-01-19 11:14:03] INFO  WEBrick::HTTPServer#start: pid=12356 port=4567
This was all feedback on the ruby command and then this terminal session was waiting
On another tab in the terminal I did then
$ GET 127.0.0.1:4567/foo.html
bar
and got on the first tab the feedback
127.0.0.1 - - [19/Jan/2023:11:15:07 +0100] "GET /foo.html HTTP/1.1" 200 4 0.0396
127.0.0.1 - - [19/Jan/2023:11:15:07 CET] "GET /foo.html HTTP/1.1" 200 4
- -> /foo.html

I expected to see the 'Hello world' somewhere in the feedback, but on the other hand the content of the foo.html appears at the place I expected.
Really not sure what this all means...

CC: (none) => herman.viaene

Comment 4 Len Lawrence 2023-01-29 18:41:12 CET
@Herman, re comment 3:
The 'Hello world' message does turn up, in a browser at localhost:4567/
No idea how you would progress any further.  Reckon you should pass it.

CC: (none) => tarazed25
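As an added illustration for the QA question raised in comments 3 and 4 (this is not part of the bug report, the Mageia package, or Sinatra's own code): per the upstream advisory linked in the description, CVE-2022-45442 concerns the filename that Sinatra's attachment helper writes into the Content-Disposition response header. The plain-Ruby script below builds such a header with a conservative escaping of its own (an assumption for illustration, not Sinatra's exact upstream change) and provides a check that a tester could apply to the Content-Disposition header returned by a running app. The URL, route and filenames are constructed sample values.

```ruby
# Added example: independent illustration of safe Content-Disposition
# handling and a tester-side check. Not the bug report's or Sinatra's code.
require 'net/http'
require 'uri'

# Characters allowed verbatim inside the quoted filename. Everything else
# (quotes, semicolons, CR/LF, spaces, non-ASCII) is percent-encoded so the
# value can never terminate the quoted-string or start a new header line.
SAFE_FILENAME_CHAR = /\A[A-Za-z0-9._-]\z/

# Reduce the name to its basename (no directory parts) and escape it.
def escape_filename(name)
  File.basename(name.to_s).each_char.map do |c|
    c.match?(SAFE_FILENAME_CHAR) ? c : c.bytes.map { |b| format('%%%02X', b) }.join
  end.join
end

# Build the header value; disposition is normally "attachment" or "inline".
def content_disposition(disposition = 'attachment', filename = nil)
  header = disposition.to_s
  header += "; filename=\"#{escape_filename(filename)}\"" if filename
  header
end

# True when a received header value contains no CR/LF and, if a filename
# parameter is present, it is a single well-formed quoted-string with no
# embedded quotes, semicolons or line breaks.
def disposition_header_safe?(value)
  return false if value.nil? || value.match?(/[\r\n]/)
  value.match?(/\A(attachment|inline)(; filename="[^"\\;\r\n]*")?\z/)
end

# Tester-side check against a live server (constructed URL; requires a
# running app). Returns [header_value, safe?] so it can be inspected.
def check_live_disposition(url)
  resp = Net::HTTP.get_response(URI(url))
  header = resp['Content-Disposition']
  [header, disposition_header_safe?(header)]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample name containing characters that must never appear raw.
  hostile = "report\"; x=1\r\nX-Injected: yes.pdf"
  puts content_disposition('attachment', 'report.pdf')
  puts content_disposition('attachment', hostile)
  puts disposition_header_safe?(content_disposition('attachment', hostile))
  # Example live check (hypothetical route on the app from comment 3):
  # p check_live_disposition('http://127.0.0.1:4567/download')
end
```

For a QA pass on the updated package, a route that calls Sinatra's attachment helper with a filename taken from the request can be exercised and the returned header fed to disposition_header_safe?; a value that still contains a raw quote or line break indicates the fix is not in effect.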

Comment 5 Thomas Andrews 2023-02-03 15:31:44 CET
Since no one else is forthcoming, I'm going to give this an OK based on Comments 3 and 4. If that is a problem, please let us know.

Validating.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-02-06 22:09:28 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2023-02-07 01:08:31 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0029.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

