--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: buster-pu: package ruby2.5/2.5.5-3+deb10u3
- From: Utkarsh Gupta <utkarsh@debian.org>
- Date: Tue, 13 Oct 2020 18:50:51 +0530
- Message-id: <CAPP0f95kqgDcLNi7VXiZF2AhhcmHpAVKD=ML7b-Uc=YC=TTSAg@mail.gmail.com>
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: buster
X-Debbugs-CC: debian-ruby@lists.debian.org
Severity: normal
Hello,
ruby2.5 was affected by CVE-2020-25613, where WEBrick, a simple HTTP
server bundled with Ruby, had not checked the transfer-encoding header
value rigorously.
This has been fixed in Sid, Bullseye, and Stretch.
Here's the debdiff for buster-pu:
8<------8<------8<------8<------8<------8<------8<------8<------8<------8<
diff -Nru ruby2.5-2.5.5/debian/changelog ruby2.5-2.5.5/debian/changelog
--- ruby2.5-2.5.5/debian/changelog 2020-07-04 00:07:58.000000000 +0530
+++ ruby2.5-2.5.5/debian/changelog 2020-10-13 18:32:32.000000000 +0530
@@ -1,3 +1,10 @@
+ruby2.5 (2.5.5-3+deb10u3) buster; urgency=high
+
+ * Add patch to fix a potential HTTP request smuggling
+ vulnerability in WEBrick. (Fixes: CVE-2020-25613)
+
+ -- Utkarsh Gupta <utkarsh@debian.org> Tue, 13 Oct 2020 18:32:32 +0530
+
ruby2.5 (2.5.5-3+deb10u2) buster-security; urgency=high
* Non-maintainer upload by the Security Team.
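Review bot: the changelog entry only describes the Transfer-Encoding tightening, but the patch also anchors the Connection header match (/close/io and /keep-alive/io become /\Aclose\z/io and /\Akeep-alive\z/io), which changes keep-alive handling for multi-token Connection values; say so in the entry so the behaviour change is discoverable from the changelog alone. Naming the upstream commit (8946bb38b4d87549f0d99ed73c62c41933f97cc7) here would also help, since the patch file carries git From/Date/Subject headers but no DEP-3 Origin or Bug-Debian fields.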
diff -Nru ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch
--- ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch 1970-01-01 05:30:00.000000000 +0530
+++ ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch 2020-10-13 18:31:51.000000000 +0530
@@ -0,0 +1,30 @@
+From 8946bb38b4d87549f0d99ed73c62c41933f97cc7 Mon Sep 17 00:00:00 2001
+From: Yusuke Endoh <mame@ruby-lang.org>
+Date: Tue, 29 Sep 2020 13:15:58 +0900
+Subject: [PATCH] Make it more strict to interpret some headers
+
+Some regexps were too tolerant.
+
+--- a/lib/webrick/httprequest.rb
++++ b/lib/webrick/httprequest.rb
+@@ -226,9 +226,9 @@
+ raise HTTPStatus::BadRequest, "bad URI `#{@unparsed_uri}'."
+ end
+
+- if /close/io =~ self["connection"]
++ if /\Aclose\z/io =~ self["connection"]
+ @keep_alive = false
+- elsif /keep-alive/io =~ self["connection"]
++ elsif /\Akeep-alive\z/io =~ self["connection"]
+ @keep_alive = true
+ elsif @http_version < "1.1"
+ @keep_alive = false
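Review bot: anchoring with \A and \z turns the Connection check into an exact match, but Connection is a comma-separated list of tokens, so a value such as `close, Upgrade` or `keep-alive, Upgrade` matches neither branch and the decision falls to the version check at the visible `elsif @http_version < "1.1"`, which means an explicit `close` token is ignored whenever another token accompanies it. If that is acceptable for the backport (it is what upstream shipped), record it; otherwise match per token, e.g. `self["connection"].to_s.split(",").map(&:strip).any? { |t| t.casecmp("close").zero? }`. The \z anchor also assumes the header parser has already stripped surrounding whitespace from the value, which is not visible in this hunk.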
+@@ -475,7 +475,7 @@
+ return unless socket
+ if tc = self['transfer-encoding']
+ case tc
+- when /chunked/io then read_chunked(socket, block)
++ when /\Achunked\z/io then read_chunked(socket, block)
+ else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}."
+ end
+ elsif self['content-length'] || @remaining_size
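Review bot: the exact match on `chunked` is the right call here because the visible `else raise HTTPStatus::NotImplemented` already rejects every other encoding, so values such as `xchunked` or `chunked, identity` now get a 501 instead of being silently read as chunked. What this hunk still does not do is reject a request that carries both Transfer-Encoding and Content-Length: the `if tc = self['transfer-encoding']` branch takes precedence over `elsif self['content-length'] || @remaining_size`, which follows RFC 7230 §3.3.3, but that section also says a server ought to treat such a request as an error, and a front end that prefers Content-Length would still disagree with WEBrick on where the body ends. Consider raising HTTPStatus::BadRequest when both headers are present.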
diff -Nru ruby2.5-2.5.5/debian/patches/series ruby2.5-2.5.5/debian/patches/series
--- ruby2.5-2.5.5/debian/patches/series 2020-07-04 00:06:34.000000000 +0530
+++ ruby2.5-2.5.5/debian/patches/series 2020-10-13 18:32:04.000000000 +0530
@@ -15,3 +15,4 @@
0015-lib-shell-command-processor.rb-Shell-prevent-unknown.patch
CVE-2020-10933.patch
CVE-2020-10663.patch
+CVE-2020-25613.patch
8<------8<------8<------8<------8<------8<------8<------8<------8<------8<
- u
---
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
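The following is an added example, not WEBrick's code or part of the bug report above. It reproduces the two Transfer-Encoding decisions the patch contrasts (the pre-fix substring match `/chunked/io` and the post-fix anchored match `/\Achunked\z/io`) in stand-alone functions, adds a hypothetical front end that falls back to Content-Length when it does not recognise the encoding, and runs all three over one constructed request to show where the body boundaries disagree. The request bytes, the `split_request` helper and the minimal chunked decoder are constructed for the example and are not WEBrick's parser.

```ruby
require "stringio"

# Constructed helper: split a raw HTTP/1.1 request into its request line,
# a lowercase-keyed header hash and the bytes that follow the blank line.
def split_request(raw)
  head, body = raw.split("\r\n\r\n", 2)
  request_line, *lines = head.split("\r\n")
  headers = {}
  lines.each do |line|
    name, value = line.split(":", 2)
    headers[name.strip.downcase] = value.to_s.strip
  end
  [request_line, headers, body || ""]
end

# Pre-patch decision: substring match, as in `when /chunked/io`.
def framing_lax(headers)
  if (tc = headers["transfer-encoding"])
    /chunked/io =~ tc ? :chunked : :not_implemented
  elsif headers["content-length"]
    :content_length
  else
    :none
  end
end

# Post-patch decision: the whole value must be "chunked", as in `when /\Achunked\z/io`.
def framing_strict(headers)
  if (tc = headers["transfer-encoding"])
    /\Achunked\z/io =~ tc ? :chunked : :not_implemented
  elsif headers["content-length"]
    :content_length
  else
    :none
  end
end

# Hypothetical front end (assumption, not any real proxy): recognises only an
# exact "chunked" and otherwise frames by Content-Length when one is present.
def framing_frontend(headers)
  tc = headers["transfer-encoding"]
  return :chunked if tc && /\Achunked\z/io =~ tc
  return :content_length if headers["content-length"]
  :none
end

# Minimal chunked decoder: returns [decoded_body, leftover_bytes_on_connection].
def read_chunked(io)
  body = +""
  loop do
    size = io.readline("\r\n").split(";").first.strip.to_i(16)
    break if size.zero?
    body << io.read(size)
    io.read(2) # CRLF that terminates the chunk data
  end
  loop { break if io.readline("\r\n") == "\r\n" } # skip trailers
  [body, io.read]
end

# Consume the body under a given framing; returns [body, leftover].
# :not_implemented reads nothing, modelling the 501 the patched code raises.
def read_body(framing, headers, raw_body)
  io = StringIO.new(raw_body)
  case framing
  when :chunked        then read_chunked(io)
  when :content_length then [io.read(Integer(headers["content-length"])) || "", io.read]
  when :none           then ["", io.read]
  else [nil, raw_body]
  end
end

# Constructed request: "xchunked" is accepted by a substring match but not by an
# exact match, and Content-Length points at a different boundary.
SMUGGLE = "POST / HTTP/1.1\r\nHost: example\r\nContent-Length: 4\r\n" \
          "Transfer-Encoding: xchunked\r\n\r\n" \
          "0\r\n\r\nGET /admin HTTP/1.1\r\nHost: example\r\n\r\n"

# Returns [framing, body, leftover] for one decision function over raw bytes.
def demo(framing_fn, raw)
  _, headers, body = split_request(raw)
  framing = framing_fn.call(headers)
  read_body(framing, headers, body).unshift(framing)
end

if __FILE__ == $PROGRAM_NAME
  { lax: method(:framing_lax), strict: method(:framing_strict),
    frontend: method(:framing_frontend) }.each do |name, fn|
    puts "#{name}: #{demo(fn, SMUGGLE).inspect}"
  end
end
```

With the lax rule the server reads an empty chunked body and leaves the `GET /admin` bytes on the connection as the next request, while the front end that used Content-Length considers only four bytes to be the body; the anchored rule refuses the request outright, so no second request can be planted.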