Bug 33075 - ruby-rack new security issues CVE-2024-25126, CVE-2024-26141 and CVE-2024-26146
Summary: ruby-rack new security issues CVE-2024-25126, CVE-2024-26141 and CVE-2024-26146
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-04-09 10:45 CEST by Nicolas Salguero
Modified: 2024-04-12 22:46 CEST
CC List: 3 users

See Also:
Source RPM: ruby-rack-2.2.8-1.mga9.src.rpm
CVE: CVE-2024-25126, CVE-2024-26141, CVE-2024-26146
Status comment:

Description Nicolas Salguero 2024-04-09 10:45:04 CEST
SUSE has issued an advisory on April 8:
https://lwn.net/Articles/968993/

Those CVEs are fixed in versions 3.0.9.1 (for Cauldron) and 2.2.8.1 (for Mageia 9).
Nicolas Salguero 2024-04-09 10:45:38 CEST

Status comment: (none) => Fixed upstream in 3.0.9.1 and 2.2.8.1
Source RPM: (none) => ruby-rack-3.0.9-1.mga10.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-25126, CVE-2024-26141, CVE-2024-26146

Comment 1 Lewis Smith 2024-04-09 21:59:18 CEST
Assigning to Pascal who committed 2.2.4 (for 2.2.8, not visible to me), and 3.0.9.

Source RPM: ruby-rack-3.0.9-1.mga10.src.rpm => ruby-rack-3.0.9-1.mga10.src.rpm, ruby-rack-2.2.8-1.mga9.src.rpm
Assignee: bugsquad => pterjan

Comment 2 Nicolas Salguero 2024-04-11 15:31:15 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). (CVE-2024-25126)

Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). (CVE-2024-26141)

Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. (CVE-2024-26146)

References:
https://lwn.net/Articles/968993/
========================

Updated packages in core/updates_testing:
========================
ruby-rack-2.2.8.1-1.mga9
ruby-rack-doc-2.2.8.1-1.mga9

from SRPM:
ruby-rack-2.2.8.1-1.mga9.src.rpm

Version: Cauldron => 9
Status comment: Fixed upstream in 3.0.9.1 and 2.2.8.1 => (none)
Assignee: pterjan => qa-bugs
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Source RPM: ruby-rack-3.0.9-1.mga10.src.rpm, ruby-rack-2.2.8-1.mga9.src.rpm => ruby-rack-2.2.8-1.mga9.src.rpm
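Two checks a QA tester could run against the advisory above, added here as example code that is neither Rack's own code nor part of this bug report: a version test against the fixed releases 2.2.8.1 / 3.0.9.1, and a standalone byte-range parser showing the kind of total-size guard that stops the CVE-2024-26141 amplification (the guard is this example's rendering of the advisory's mitigation, not a copy of the upstream patch; `rack_patched?`, `safe_byte_ranges` and `FIXED_RACK` are hypothetical names).

```ruby
require 'rubygems' # Gem::Version; loaded by default on modern Ruby

# Fixed upstream releases named in this bug (hypothetical constant name).
FIXED_RACK = { "2.2" => Gem::Version.new("2.2.8.1"),
               "3.0" => Gem::Version.new("3.0.9.1") }.freeze

# True when a Rack release string (e.g. Rack.release) is at or past the fixed
# release of its branch; nil for a branch this bug does not cover.
def rack_patched?(release)
  v = Gem::Version.new(release)
  fixed = FIXED_RACK[v.segments.first(2).join('.')]
  fixed && v >= fixed
end

# Standalone byte-range parser in the spirit of Rack::Utils.byte_ranges (not
# Rack's code). Given an HTTP Range header and the resource size, returns:
#   nil -> header absent, malformed or rejected (serve the whole body)
#   []  -> present but unsatisfiable (answer 416)
#   [Range, ...] -> ranges to serve
def safe_byte_ranges(http_range, size)
  return nil unless http_range
  m = /bytes=([^;]+)/.match(http_range)
  return nil unless m

  ranges = []
  m[1].split(/,\s*/).each do |spec|
    return nil unless spec.include?('-')
    first, last = spec.split('-', 2)       # limit 2 keeps a trailing ""
    if first.empty?
      return nil if last.empty?            # "-" alone is invalid
      start = [size - last.to_i, 0].max    # suffix range: last N bytes
      stop  = size - 1
    else
      start = first.to_i
      if last.empty?
        stop = size - 1                    # "N-": from N to the end
      else
        stop = last.to_i
        return nil if stop < start         # backwards range is invalid
        stop = size - 1 if stop >= size
      end
    end
    ranges << (start..stop) if start <= stop
  end

  # Mitigation for the CVE-2024-26141 class of problem: if the ranges together
  # ask for more bytes than the resource holds (e.g. the same span repeated),
  # a tiny request would yield a response many times the file size. Reject it.
  return nil if ranges.sum(&:size) > size
  ranges
end
```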

katnatek 2024-04-12 00:56:10 CEST

Keywords: (none) => advisory

Comment 3 Len Lawrence 2024-04-12 08:17:28 CEST
Taking this one on.  Researching the CVEs just now.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2024-04-12 11:54:05 CEST
It seems that there is very little to report regarding the CVEs so it is best just to run the simple tests used in previous bugs such as bug 31739.

$ rpm -qa | grep ruby-rack
ruby-rack-2.2.8-1.mga9
ruby-rack-doc-2.2.8-1.mga9
ruby-rack-protection-3.0.4-1.mga9

$ ruby logging.rb
2024-04-12 10:40:30 +0100 Thin web server (v1.8.2 codename Ruby Razor)
2024-04-12 10:40:30 +0100 Maximum connections set to 1024
2024-04-12 10:40:30 +0100 Listening on localhost:8080, CTRL+C to stop

Checked localhost:8080/ in Firefox.
Hello World
App took 3 seconds.

Updated the two packages using qarepo then drakrpm-update.  No problem.
$ ruby rackapp.rb
[2024-04-12 10:48:26] INFO  WEBrick 1.8.1
[2024-04-12 10:48:26] INFO  ruby 3.1.4 (2023-03-30) [x86_64-linux]
[2024-04-12 10:48:26] INFO  WEBrick::HTTPServer#start: pid=1710964 port=8080
127.0.0.1 - - [12/Apr/2024:10:49:29 BST] "GET / HTTP/1.1" 200 21
- -> /

localhost:8080/ displayed:
A barebones rack app.

Basic functionality established.  OK for 64-bits.

Whiteboard: (none) => MGA9-64-OK

Comment 5 Len Lawrence 2024-04-12 11:55:07 CEST
Comment 6 Thomas Andrews 2024-04-12 14:24:16 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Mageia Robot 2024-04-12 22:46:00 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0123.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
