Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 949413 (CVE-2025-25186) - <dev-ruby/net-imap-{0.4.19:0.4,0.5.6:0.5}: Denial of Service
Summary: <dev-ruby/net-imap-{0.4.19:0.4,0.5.6:0.5}: Denial of Service
Status: CONFIRMED
Alias: CVE-2025-25186
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://github.com/ruby/net-imap/rele...
Whiteboard: C3 [glsa?]
Keywords:
Depends on: 949829
Blocks:
  Show dependency tree
 
Reported: 2025-02-08 06:22 UTC by Hans de Graaff
Modified: 2025-03-26 04:47 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev Security 2025-02-08 06:22:30 UTC 
Security Fix

Fixes CVE-2025-25186 (GHSA-7fc5-f82f-cx69): A malicious server can exhaust client memory by sending APPENDUID or COPYUID responses with very large uid-set ranges. Net::IMAP::UIDPlusData expands these ranges into arrays of integers.
Fix with minor API changes

Set config.parser_use_deprecated_uidplus_data to false to replace UIDPlusData with AppendUIDData and CopyUIDData. These classes store their UIDs as Net::IMAP::SequenceSet objects (not expanded into arrays of integers). Code that does not handle APPENDUID or COPYUID responses should not see any difference. Code that does handle these responses may need to be updated.

For v0.3.8, this option is not available
For v0.4.19, the default value is true.
For v0.5.6, the default value is :up_to_max_size.
For v0.6.0, the only allowed value will be false (UIDPlusData will be removed from v0.6).
Mitigate with backward compatible API

Adjust config.parser_max_deprecated_uidplus_data_size to limit the maximum UIDPlusData UID set size.
When config.parser_use_deprecated_uidplus_data == true, larger sets will crash.
When config.parser_use_deprecated_uidplus_data == :up_to_max_size, larger sets will use AppendUIDData or CopyUIDData.

For v0.3,8, this limit is hard-coded to 10,000.
For v0.4.19, this limit defaults to 1000.
For v0.5.6, this limit defaults to 100.
For v0.6.0, the only allowed value will be 0 (UIDPlusData will be removed from v0.6).
Comment 1 Larry the Git Cow gentoo-dev 2025-03-23 14:34:21 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff4fd4fd7f4a4fedb9465054a474818344fd0930

commit ff4fd4fd7f4a4fedb9465054a474818344fd0930
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2025-03-23 14:32:49 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2025-03-23 14:34:01 +0000

    dev-ruby/net-imap: drop 0.4.17, 0.5.5
    
    Bug: https://bugs.gentoo.org/949413
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/net-imap/Manifest               |  2 --
 dev-ruby/net-imap/net-imap-0.4.17.ebuild | 39 -----------------------------
 dev-ruby/net-imap/net-imap-0.5.5.ebuild  | 42 --------------------------------
 3 files changed, 83 deletions(-)