Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: buster
X-Debbugs-CC: debian-r...@lists.debian.org
Severity: normal
Hello, ruby2.5 was affected by CVE-2020-25613, where WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. This has been fixed in Sid, Bullseye, and Stretch. Here's the debdiff for buster-pu: 8<------8<------8<------8<------8<------8<------8<------8<------8<------8< diff -Nru ruby2.5-2.5.5/debian/changelog ruby2.5-2.5.5/debian/changelog --- ruby2.5-2.5.5/debian/changelog 2020-07-04 00:07:58.000000000 +0530 +++ ruby2.5-2.5.5/debian/changelog 2020-10-13 18:32:32.000000000 +0530 @@ -1,3 +1,10 @@ +ruby2.5 (2.5.5-3+deb10u3) buster; urgency=high + + * Add patch to fix a potential HTTP request smuggling + vulnerability in WEBrick. (Fixes: CVE-2020-25613) + + -- Utkarsh Gupta <utka...@debian.org> Tue, 13 Oct 2020 18:32:32 +0530 + ruby2.5 (2.5.5-3+deb10u2) buster-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch --- ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch 1970-01-01 05:30:00.000000000 +0530 +++ ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch 2020-10-13 18:31:51.000000000 +0530 
@@ -0,0 +1,30 @@ +From 8946bb38b4d87549f0d99ed73c62c41933f97cc7 Mon Sep 17 00:00:00 2001 +From: Yusuke Endoh <m...@ruby-lang.org> +Date: Tue, 29 Sep 2020 13:15:58 +0900 +Subject: [PATCH] Make it more strict to interpret some headers + +Some regexps were too tolerant. + +--- a/lib/webrick/httprequest.rb ++++ b/lib/webrick/httprequest.rb +@@ -226,9 +226,9 @@ + raise HTTPStatus::BadRequest, "bad URI `#{@unparsed_uri}'." + end + +- if /close/io =~ self["connection"] ++ if /\Aclose\z/io =~ self["connection"] + @keep_alive = false +- elsif /keep-alive/io =~ self["connection"] ++ elsif /\Akeep-alive\z/io =~ self["connection"] + @keep_alive = true + elsif @http_version < "1.1" + @keep_alive = false +@@ -475,7 +475,7 @@ + return unless socket + if tc = self['transfer-encoding'] + case tc +- when /chunked/io then read_chunked(socket, block) ++ when /\Achunked\z/io then read_chunked(socket, block) + else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}." + end + elsif self['content-length'] || @remaining_size diff -Nru ruby2.5-2.5.5/debian/patches/series ruby2.5-2.5.5/debian/patches/series --- ruby2.5-2.5.5/debian/patches/series 2020-07-04 00:06:34.000000000 +0530 +++ ruby2.5-2.5.5/debian/patches/series 2020-10-13 18:32:04.000000000 +0530 @@ -15,3 +15,4 @@ 0015-lib-shell-command-processor.rb-Shell-prevent-unknown.patch CVE-2020-10933.patch CVE-2020-10663.patch +CVE-2020-25613.patch 8<------8<------8<------8<------8<------8<------8<------8<------8<------8< - u --- -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=> Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
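Review bot: the anchored `/\Aclose\z/io` and `/\Akeep-alive\z/io` in the httprequest.rb hunk at line 226 also change behaviour for list-valued Connection headers: a value such as `keep-alive, Upgrade` no longer sets `@keep_alive = true` and instead falls through to the `@http_version < "1.1"` branch. That is the upstream change and acceptable for a pu upload, but the changelog entry only mentions the Transfer-Encoding smuggling fix; a short note that Connection parsing is stricter too would help anyone triaging keep-alive regressions after the update.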
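Review bot: in the hunk at line 475, a Transfer-Encoding value that merely contains the word `chunked` no longer reaches `read_chunked`; only an exact (case-insensitive) `chunked` does, and anything else raises `HTTPStatus::NotImplemented` rather than being silently treated as chunked or handed to the content-length path. That is the check the changelog describes, so the fix is complete as far as the visible lines go. On documentation: the patch file carries only the git-format-patch `From:`/`Date:`/`Subject:` header, so consider adding a DEP-3 `Origin: upstream, 8946bb38b4d87549f0d99ed73c62c41933f97cc7` line (and a `Bug:` reference to the CVE) so the provenance is machine-readable in the packaging.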