Bug 747007 (CVE-2020-25613) - <dev-lang/ruby-{2.5.9,2.6.7,2.7.3}: HTTP Request Smuggling Vulnerability in WEBrick (CVE-2020-25613)
Summary: <dev-lang/ruby-{2.5.9,2.6.7,2.7.3}: HTTP Request Smuggling Vulnerability in W...
Status: RESOLVED FIXED
Alias: CVE-2020-25613
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.ruby-lang.org/en/news/202...
Whiteboard: A4 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-07 07:01 UTC by filip ambroz
Modified: 2024-01-24 04:09 UTC

See Also:
Package list:
Runtime testing required: ---


Description filip ambroz 2020-10-07 07:01:06 UTC
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.

GitHub Commit:
https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7

Links:
https://nvd.nist.gov/vuln/detail/CVE-2020-25613
https://osint.geekcq.com/2020/10/06/cve-2020-25613/

Reproducible: Always
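Added example, not part of the bug report and not WEBrick's own code: a small Ruby model of the three parsers the description implies. A lenient backend treats any Transfer-Encoding value that merely contains "chunked" as chunked framing; a strict backend accepts only the exact token and refuses any other value instead of reinterpreting it; and a reverse proxy with a weak check falls back to Content-Length when it does not recognise the value. The sample request, the header value "xchunked", the host name and the /admin path are constructed for the example, and the regexes stand in for whatever checks the real servers use. Run against the sample, the proxy consumes the whole body by Content-Length while the lenient backend stops at the zero-size chunk and leaves the embedded GET /admin request in its buffer as the start of the "next" request, which is the desync the description calls request smuggling.

```ruby
# Added example (not WEBrick code). Models how a lenient Transfer-Encoding
# check on the backend and a Content-Length fallback on the proxy disagree
# about where one request ends and the next begins.

# Constructed sample, not captured traffic. The body is an empty chunked
# body ("0" chunk, empty trailer) followed by a second, smuggled request.
SMUGGLED = "GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
BODY = "0\r\n\r\n" + SMUGGLED
SAMPLE = "POST /upload HTTP/1.1\r\n" \
         "Host: app.example\r\n" \
         "Content-Length: #{BODY.bytesize}\r\n" \
         "Transfer-Encoding: xchunked\r\n" \
         "\r\n" + BODY

# Split a raw request into request line, lower-cased header hash and body.
def split_head(raw)
  head, body = raw.split("\r\n\r\n", 2)
  lines = head.split("\r\n")
  request_line = lines.shift
  headers = {}
  lines.each do |line|
    name, value = line.split(":", 2)
    next if value.nil?
    headers[name.strip.downcase] = value.strip
  end
  [request_line, headers, body || ""]
end

# Lenient backend: any value mentioning "chunked" selects chunked framing.
def framing_lenient(headers)
  te = headers["transfer-encoding"]
  return :chunked if te && te =~ /chunked/i
  headers["content-length"] ? :content_length : :none
end

# Strict backend: only the exact token is chunked; anything else is refused
# rather than silently reinterpreted (assumed fixed behaviour).
def framing_strict(headers)
  te = headers["transfer-encoding"]
  if te
    return :chunked if te =~ /\Achunked\z/i
    raise ArgumentError, "unsupported Transfer-Encoding: #{te}"
  end
  headers["content-length"] ? :content_length : :none
end

# Proxy with a weak check: exact "chunked" or fall back to Content-Length.
def framing_proxy(headers)
  te = headers["transfer-encoding"]
  return :chunked if te && te =~ /\Achunked\z/i
  headers["content-length"] ? :content_length : :none
end

# Consume one message body under the given framing. Returns [body, leftover];
# leftover is what the parser would read as the start of the next request.
# Chunk extensions and non-empty trailers are not handled (assumption).
def read_body(body, headers, framing)
  case framing
  when :chunked
    consumed = 0
    loop do
      line_end = body.index("\r\n", consumed) or raise "truncated chunk size"
      size = body[consumed...line_end].to_i(16)
      consumed = line_end + 2
      if size.zero?
        consumed += 2 # empty trailer section's CRLF
        break
      end
      consumed += size + 2 # chunk data plus its CRLF
    end
    [body[0...consumed], body[consumed..-1] || ""]
  when :content_length
    n = headers["content-length"].to_i
    [body[0, n], body[n..-1] || ""]
  else
    ["", body]
  end
end

# Run the same raw request through proxy, lenient backend and strict backend.
def desync(raw)
  _line, headers, body = split_head(raw)
  _pb, proxy_rest = read_body(body, headers, framing_proxy(headers))
  _lb, lenient_rest = read_body(body, headers, framing_lenient(headers))
  strict = begin
    framing_strict(headers)
    :accepted
  rescue ArgumentError
    :rejected
  end
  { proxy_leftover: proxy_rest,
    lenient_backend_leftover: lenient_rest,
    strict_backend: strict }
end

if __FILE__ == $0
  r = desync(SAMPLE)
  puts "proxy leftover:           #{r[:proxy_leftover].inspect}"
  puts "lenient backend leftover: #{r[:lenient_backend_leftover].inspect}"
  puts "strict backend:           #{r[:strict_backend]}"
end
```

The proxy's empty leftover means it forwards the whole thing as one request; the lenient backend's leftover is the smuggled GET, which it will attach to whatever the next client sends on that connection. The strict parser never reaches that state because it refuses the unrecognised value up front.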
Comment 1 Hans de Graaff gentoo-dev Security 2020-10-09 08:00:53 UTC
dev-lang/ruby 2.7.2 has been added.

We do not package the webrick gem.

Upstream has not released new versions for the ruby 2.5 and 2.6 slots. I assume that this will be released shortly as well. If not then we can apply the patch sets from the referenced bug.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-24 17:50:30 UTC
Ruby 2.5 patch: d6d2f179b02855ce07e8a114b3611dfc1f590986
Ruby 2.6 patch: 8b49c3e4bc767bec8a66ac81cbda033330fb2703
Ruby 2.7 patch: 48ac73769772317d6c3f864f087ef930a47120d9

ruby $ git tag --contains d6d2f179b02855ce07e8a114b3611dfc1f590986
v2_5_9

ruby $ git tag --contains 8b49c3e4bc767bec8a66ac81cbda033330fb2703
v2_6_7
v2_6_8

ruby $ git tag --contains 48ac73769772317d6c3f864f087ef930a47120d9
v2_7_3
v2_7_4

3.0.0 is unaffected (it's always had the patch). Just waiting for 2.5 cleanup here now, removal in a couple weeks.
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:25:47 UTC
Package list is empty or all packages have requested keywords.
Comment 4 Larry the Git Cow gentoo-dev 2024-01-24 04:07:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=aea6781bb25fe500e38a2cfce23bf166d29cbf48

commit aea6781bb25fe500e38a2cfce23bf166d29cbf48
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-24 04:04:06 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-01-24 04:06:47 +0000

    [ GLSA 202401-27 ] Ruby: Multiple vulnerabilities
    
    Bug: https://bugs.gentoo.org/747007
    Bug: https://bugs.gentoo.org/801061
    Bug: https://bugs.gentoo.org/827251
    Bug: https://bugs.gentoo.org/838073
    Bug: https://bugs.gentoo.org/882893
    Bug: https://bugs.gentoo.org/903630
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202401-27.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)