Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 724800 (CVE-2020-11076, CVE-2020-11077)

Summary: <www-servers/puma-{3.12.5-r1,4.3.4-r1}: Multiple vulnerabilities (CVE-2020-{11076,11077})
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ajak, ruby
Priority: Normal Flags: nattka: sanity-check-
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [noglsa cve]
Package list:
www-servers/puma-3.12.5-r1
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-23 17:26:06 UTC
* CVE-2020-11076

Description:
"In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4."

Advisory: https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h

* CVE-2020-11077

Description:
"In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This is a similar but different vulnerability from CVE-2020-11076. The problem has been fixed in Puma 3.12.6 and Puma 4.3.5."

Advisory: https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-23 17:26:54 UTC
@maintainer(s), please bump to 4.3.5/3.12.6.
Comment 2 John Helmert III gentoo-dev Security 2020-07-19 02:04:43 UTC
(In reply to Sam James from comment #1)
> @maintainer(s), please bump to 4.3.5/3.12.6.

Have they been released?

puma $ git tag -l | grep 3.12
v3.12.0
v3.12.1
v3.12.2
v3.12.3
v3.12.4
v3.12.5
puma $ git tag -l | grep 4.3
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4
Comment 3 Hans de Graaff gentoo-dev 2020-07-19 08:36:06 UTC
(In reply to John Helmert III (ajak) from comment #2)
> (In reply to Sam James from comment #1)
> > @maintainer(s), please bump to 4.3.5/3.12.6.
> 
> Have they been released?

They are released on rubygems: https://rubygems.org/gems/puma/ but our ebuilds are based on the tagged versions in github since we want to run the test suite. I'll see if the changes can be backported.
Comment 4 Larry the Git Cow gentoo-dev 2020-07-19 09:29:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=866b1c92b435b1c6d03ed2e4dfb664a073ad089c

commit 866b1c92b435b1c6d03ed2e4dfb664a073ad089c
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2020-07-19 09:29:11 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2020-07-19 09:29:27 +0000

    www-servers/puma: backport CVE-2020-11077 fixes
    
    Upstream created releases but did not tag them so we cannot
    use them for our ebuilds. Backport the patches to address the security
    issue.
    
    Bug: https://bugs.gentoo.org/724800
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 .../puma/files/puma-3.12.5-cve-2020-11077.patch    | 114 ++++++++++++++++++++
 .../puma/files/puma-4.3.4-cve-2020-11077.patch     | 115 +++++++++++++++++++++
 www-servers/puma/puma-3.12.5-r1.ebuild             |  71 +++++++++++++
 www-servers/puma/puma-4.3.4-r1.ebuild              |  75 ++++++++++++++
 4 files changed, 375 insertions(+)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-19 11:34:09 UTC
(In reply to Hans de Graaff from comment #3)
> (In reply to John Helmert III (ajak) from comment #2)
> > (In reply to Sam James from comment #1)
> > > @maintainer(s), please bump to 4.3.5/3.12.6.
> > 
> > Have they been released?
> 
> They are released on rubygems: https://rubygems.org/gems/puma/ but our
> ebuilds are based on the tagged versions in github since we want to run the
> test suite. I'll see if the changes can be backported.

Thank you for doing that. Let us know when it's ready for stabilisation.
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-05 18:13:27 UTC
ping, ready to stable?
Comment 7 Agostino Sarubbo gentoo-dev 2020-08-11 11:00:48 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-08-12 06:01:42 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-12 06:14:28 UTC
GLSA vote: no
Comment 10 Hans de Graaff gentoo-dev 2020-08-13 19:15:32 UTC
Cleanup done.
Comment 11 NATTkA bot gentoo-dev 2020-08-13 19:16:27 UTC
Unable to check for sanity:

> no match for package: www-servers/puma-3.12.5-r1
Comment 12 John Helmert III gentoo-dev Security 2020-08-13 23:01:50 UTC
(In reply to Hans de Graaff from comment #10)
> Cleanup done.

Thanks! noglsa, all done.
Comment 13 John Helmert III gentoo-dev Security 2020-08-13 23:14:24 UTC
Oops, had to be reverted. :(

https://qa-reports.gentoo.org/output/gentoo-ci/e816065322/output.html

commit b843f088a13cf821b48c650e46224c2291bb1a87
Author: Thomas Deutschmann <whissi@gentoo.org>
Date:   Fri Aug 14 01:09:28 2020 +0200

    Revert "www-servers/puma: cleanup"

    This reverts commit cada7bf5534e62ad776c0eccdd82d08219e0483c.

    Removed www-servers/puma versions are still needed by

    - dev-ruby/actionpack
    - dev-ruby/capybara
    - dev-ruby/patron

    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 create mode 100644 www-servers/puma/puma-3.12.4.ebuild
 create mode 100644 www-servers/puma/puma-3.12.5-r1.ebuild
 create mode 100644 www-servers/puma/puma-4.3.3.ebuild
 create mode 100644 www-servers/puma/puma-4.3.4.ebuild
Comment 14 Hans de Graaff gentoo-dev 2020-08-15 05:43:02 UTC
Correct cleanup now done. Sorry for the additional noise.
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 05:45:31 UTC
(In reply to Hans de Graaff from comment #14)
> Correct cleanup now done. Sorry for the additional noise.

You maintain a large number of packages, always responsive, and are as quick as you can be with us regularly. The odd mistake doesn't matter at all!

All done, thanks!