Bug 31496 - ruby-rack new security issues CVE-2022-4457[0-2] and CVE-2023-27530
Summary: ruby-rack new security issues CVE-2022-4457[0-2] and CVE-2023-27530
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2023-02-01 17:52 CET by David Walser
Modified: 2023-03-19 23:16 CET (History)
6 users (show)

See Also:
Source RPM: ruby-rack-2.2.3.1-1.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2023-02-01 17:52:37 CET 
Debian-LTS has issued an advisory on January 31:
https://www.debian.org/lts/security/2023/dla-3298

The issues are fixed upstream in 2.2.6.2.

Mageia 8 is also affected.
David Walser 2023-02-01 17:52:49 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.2.6.2

Comment 1 Marja Van Waes 2023-02-04 22:25:30 CET 
Assigning to all packagers collectively, because there is no registered maintainer for this package.


CC'ing pterjan, who was the last one to push it.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, pterjan

Comment 2 David Walser 2023-02-07 17:11:33 CET 
SUSE has issued an advisory for this on February 6:
https://lists.suse.com/pipermail/sle-security-updates/2023-February/013629.html

openSUSE equivalent advisory from today (February 7):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FJFU3ZHNAUDV7V7P7HFAAT4TJIHOMW5K/
Comment 3 David Walser 2023-03-02 23:31:08 CET 
Ubuntu has issued an advisory for this today (March 2):
https://ubuntu.com/security/notices/USN-5910-1
Comment 4 Nicolas Salguero 2023-03-13 13:16:14 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted. (CVE-2022-44570)

There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial ofservice attack vector. This header is used typically used in multipartparsing. Any applications that parse multipart posts using Rack (virtuallyall Rails applications) are impacted. (CVE-2022-44571)

A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. (CVE-2022-44572)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
https://www.debian.org/lts/security/2023/dla-3298
https://lists.suse.com/pipermail/sle-security-updates/2023-February/013629.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FJFU3ZHNAUDV7V7P7HFAAT4TJIHOMW5K/
https://ubuntu.com/security/notices/USN-5910-1
========================

Updated packages in core/updates_testing:
========================
ruby-rack-2.2.3.1-1.1.mga8
ruby-rack-doc-2.2.3.1-1.1.mga8

from SRPM:
ruby-rack-2.2.3.1-1.1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Version: Cauldron => 8
Source RPM: ruby-rack-2.2.4-1.mga9.src.rpm => ruby-rack-2.2.3.1-1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 2.2.6.2 => (none)

Comment 5 David Walser 2023-03-15 15:36:57 CET 
SUSE has issued an advisory on March 14:
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014032.html

The issue is fixed upstream in 2.2.6.3.

Mageia 8 is also affected.

Status comment: (none) => Fixed upstream in 2.2.6.3
Version: 8 => Cauldron
Summary: ruby-rack new security issues CVE-2022-4457[0-2] => ruby-rack new security issues CVE-2022-4457[0-2] and CVE-2023-27530
Whiteboard: (none) => MGA8TOO
Assignee: qa-bugs => pterjan

Comment 6 Nicolas Salguero 2023-03-16 14:15:45 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted. (CVE-2022-44570)

There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial ofservice attack vector. This header is used typically used in multipartparsing. Any applications that parse multipart posts using Rack (virtuallyall Rails applications) are impacted. (CVE-2022-44571)

A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. (CVE-2022-44572)

A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected. (CVE-2023-27530)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
https://www.debian.org/lts/security/2023/dla-3298
https://lists.suse.com/pipermail/sle-security-updates/2023-February/013629.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FJFU3ZHNAUDV7V7P7HFAAT4TJIHOMW5K/
https://ubuntu.com/security/notices/USN-5910-1
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014032.html
========================

Updated packages in core/updates_testing:
========================
ruby-rack-2.2.3.1-1.2.mga8
ruby-rack-doc-2.2.3.1-1.2.mga8

from SRPM:
ruby-rack-2.2.3.1-1.2.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: pterjan => qa-bugs
Status comment: Fixed upstream in 2.2.6.3 => (none)

Comment 7 Len Lawrence 2023-03-19 23:03:33 CET 
Mageia8, x86_64

Core packages already installed.
$ sudo gem install thin
Ran some basic tests as on other rack bugs.
Detached thin web server worked.

Updated the two packages.
Restarted the thin server.edit config.rb

$ ruby hello.rb &
[1] 1093061
$ 2023-03-19 21:04:58 +0000 Thin web server (v1.8.1 codename Infinite Smoothie)
2023-03-19 21:04:58 +0000 Maximum connections set to 1024
2023-03-19 21:04:58 +0000 Listening on localhost:8080, CTRL+C to stop

"Hello world" at localhost:8080/ in a browser.

Used Pascal's test from bug 23813.
It crashed when run as a .rb script, presumably because the interpreter got in first and reported the run method missing.
$ cat test.ru
run  ->(env){ ['200', {'Content-Type' => 'text/html'}, ["get rack\'d\n"]] }
$ rackup test.ru &
[1] 1098897
$ 2023-03-19 21:34:52 +0000 Thin web server (v1.8.1 codename Infinite Smoothie)
2023-03-19 21:34:52 +0000 Maximum connections set to 1024
2023-03-19 21:34:52 +0000 Listening on localhost:9292, CTRL+C to stop
127.0.0.1 - - [19/Mar/2023:21:34:57 +0000] "GET / HTTP/1.1" 200 11 0.0019
fg
rackup test.ru
^C2023-03-19 21:35:19 +0000 Stopping ...

The message "get rack'd" appeared at localhost:9292/
If rack is invoked within the script it can be run as a standard ruby file.
$ cat rackapp.rb
require 'rack'

app = ->( env ){
    ['200', {'Content-Type' => 'text/html'}, ['A barebones rack app.']]
}

Rack::Handler::WEBrick.run app
--------------------------------------------------------------------------
$ ruby rackapp.rb
[2023-03-19 21:52:46] INFO  WEBrick 1.6.1
[2023-03-19 21:52:46] INFO  ruby 2.7.7 (2022-11-24) [x86_64-linux]
[2023-03-19 21:52:46] INFO  WEBrick::HTTPServer#start: pid=1102247 port=8080

"A barebones rack app." at localhost:8080/

PoC test from bug 26952:
$ ruby -r rack -e 'p Rack::Utils.parse_cookies(Rack::MockRequest.env_for("", "HTTP_COOKIE" => "%66oo=baz;foo=bar"))' 

{"%66oo"=>"baz", "foo"=>"bar"}

$ urpmq --whatrequires ruby-rack | sort -u
ruby-rack
ruby-rack-doc
ruby-rack-protection
ruby-rack-test
ruby-sinatra

sinatra is too complicated for this tester so this should pass on the basis of these few simple tests.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 8 Thomas Andrews 2023-03-19 23:16:41 CET 
Validating. Advisory in comment 6.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Note You need to log in before you can comment on or make changes to this bug.