Bug#972161: marked as done (buster-pu: package ruby2.5/2.5.5-3+deb10u3)

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Bug#972161: marked as done (buster-pu: package ruby2.5/2.5.5-3+deb10u3)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 05 Dec 2020 11:06:38 +0000
Message-id: <[🔎] handler.972161.D972161.160716616616961.ackdone@bugs.debian.org>
Reply-to: 972161@bugs.debian.org
References: <b70f86aac27195271a9b5212c7acc936da6ff100.camel@adam-barratt.org.uk> <CAPP0f95kqgDcLNi7VXiZF2AhhcmHpAVKD=ML7b-Uc=YC=TTSAg@mail.gmail.com>

Your message dated Sat, 05 Dec 2020 11:02:00 +0000
with message-id <b70f86aac27195271a9b5212c7acc936da6ff100.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates in 10.7 point release
has caused the Debian Bug report #972161,
regarding buster-pu: package ruby2.5/2.5.5-3+deb10u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
972161: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972161
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: submit@bugs.debian.org
Subject: buster-pu: package ruby2.5/2.5.5-3+deb10u3
From: Utkarsh Gupta <utkarsh@debian.org>
Date: Tue, 13 Oct 2020 18:50:51 +0530
Message-id: <CAPP0f95kqgDcLNi7VXiZF2AhhcmHpAVKD=ML7b-Uc=YC=TTSAg@mail.gmail.com>

Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: buster
X-Debbugs-CC: debian-ruby@lists.debian.org
Severity: normal

Hello,

ruby2.5 was affected by CVE-2020-25613, where WEBrick, a simple HTTP
server bundled with Ruby, had not checked the transfer-encoding header
value rigorously.

This has been fixed in Sid, Bullseye, and Stretch.
Here's the debdiff for buster-pu:

8<------8<------8<------8<------8<------8<------8<------8<------8<------8<

diff -Nru ruby2.5-2.5.5/debian/changelog ruby2.5-2.5.5/debian/changelog
--- ruby2.5-2.5.5/debian/changelog    2020-07-04 00:07:58.000000000 +0530
+++ ruby2.5-2.5.5/debian/changelog    2020-10-13 18:32:32.000000000 +0530
@@ -1,3 +1,10 @@
+ruby2.5 (2.5.5-3+deb10u3) buster; urgency=high
+
+  * Add patch to fix a potential HTTP request smuggling
+    vulnerability in WEBrick. (Fixes: CVE-2020-25613)
+
+ -- Utkarsh Gupta <utkarsh@debian.org>  Tue, 13 Oct 2020 18:32:32 +0530
+
 ruby2.5 (2.5.5-3+deb10u2) buster-security; urgency=high

   * Non-maintainer upload by the Security Team.
diff -Nru ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch
ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch
--- ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch    1970-01-01
05:30:00.000000000 +0530
+++ ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch    2020-10-13
18:31:51.000000000 +0530
@@ -0,0 +1,30 @@
+From 8946bb38b4d87549f0d99ed73c62c41933f97cc7 Mon Sep 17 00:00:00 2001
+From: Yusuke Endoh <mame@ruby-lang.org>
+Date: Tue, 29 Sep 2020 13:15:58 +0900
+Subject: [PATCH] Make it more strict to interpret some headers
+
+Some regexps were too tolerant.
+
+--- a/lib/webrick/httprequest.rb
++++ b/lib/webrick/httprequest.rb
+@@ -226,9 +226,9 @@
+         raise HTTPStatus::BadRequest, "bad URI `#{@unparsed_uri}'."
+       end
+
+-      if /close/io =~ self["connection"]
++      if /\Aclose\z/io =~ self["connection"]
+         @keep_alive = false
+-      elsif /keep-alive/io =~ self["connection"]
++      elsif /\Akeep-alive\z/io =~ self["connection"]
+         @keep_alive = true
+       elsif @http_version < "1.1"
+         @keep_alive = false
+@@ -475,7 +475,7 @@
+       return unless socket
+       if tc = self['transfer-encoding']
+         case tc
+-        when /chunked/io then read_chunked(socket, block)
++        when /\Achunked\z/io then read_chunked(socket, block)
+         else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}."
+         end
+       elsif self['content-length'] || @remaining_size
diff -Nru ruby2.5-2.5.5/debian/patches/series
ruby2.5-2.5.5/debian/patches/series
--- ruby2.5-2.5.5/debian/patches/series    2020-07-04 00:06:34.000000000 +0530
+++ ruby2.5-2.5.5/debian/patches/series    2020-10-13 18:32:04.000000000 +0530
@@ -15,3 +15,4 @@
 0015-lib-shell-command-processor.rb-Shell-prevent-unknown.patch
 CVE-2020-10933.patch
 CVE-2020-10663.patch
+CVE-2020-25613.patch

8<------8<------8<------8<------8<------8<------8<------8<------8<------8<

- u
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---

--- Begin Message ---

To: 963340-done@bugs.debian.org, 970518-done@bugs.debian.org, 970655-done@bugs.debian.org, 970816-done@bugs.debian.org, 970999-done@bugs.debian.org, 971062-done@bugs.debian.org, 971277-done@bugs.debian.org, 971392-done@bugs.debian.org, 971685-done@bugs.debian.org, 971807-done@bugs.debian.org, 971808-done@bugs.debian.org, 971809-done@bugs.debian.org, 971866-done@bugs.debian.org, 971869-done@bugs.debian.org, 971915-done@bugs.debian.org, 971944-done@bugs.debian.org, 971954-done@bugs.debian.org, 972001-done@bugs.debian.org, 972115-done@bugs.debian.org, 972161-done@bugs.debian.org, 972183-done@bugs.debian.org, 972310-done@bugs.debian.org, 972351-done@bugs.debian.org, 972389-done@bugs.debian.org, 972651-done@bugs.debian.org, 972694-done@bugs.debian.org, 972796-done@bugs.debian.org, 972814-done@bugs.debian.org, 972839-done@bugs.debian.org, 972903-done@bugs.debian.org, 972963-done@bugs.debian.org, 973655-done@bugs.debian.org, 973695-done@bugs.debian.org, 973917-done@bugs.debian.org, 974695-done@bugs.debian.org, 975086-done@bugs.debian.org, 975297-done@bugs.debian.org, 975425-done@bugs.debian.org, 975514-done@bugs.debian.org, 975616-done@bugs.debian.org, 975837-done@bugs.debian.org, 975870-done@bugs.debian.org, 975874-done@bugs.debian.org, 975975-done@bugs.debian.org, 976018-done@bugs.debian.org, 976019-done@bugs.debian.org

Subject: Closing bugs for updates in 10.7 point release

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Sat, 05 Dec 2020 11:02:00 +0000

Message-id: <b70f86aac27195271a9b5212c7acc936da6ff100.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.7

Hi,

Each of the updates referenced by these bugs was included in this
morning's buster 10.7 point release.

Regards,

Adam
--- End Message ---

Reply to:

Prev by Date: Bug#972001: marked as done (buster-pu: package tzdata/2020b-0+deb10u1)
Next by Date: Bug#971954: marked as done (buster-pu: package libdatetime-timezone-perl/1:2.23-1+2020b)
Previous by thread: Bug#972001: marked as done (buster-pu: package tzdata/2020b-0+deb10u1)
Next by thread: Bug#971954: marked as done (buster-pu: package libdatetime-timezone-perl/1:2.23-1+2020b)
Index(es):
- Date
- Thread