
Bug 882893 (CVE-2021-33621)

Summary: <dev-lang/ruby-{2.7.7,3.0.5,3.1.3}: HTTP response splitting in CGI
Product: Gentoo Security Reporter: Hans de Graaff <graaff>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ajak, ruby
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/
See Also: https://bugs.gentoo.org/show_bug.cgi?id=888755
Whiteboard: A4 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 883137    
Bug Blocks:    

Description Hans de Graaff gentoo-dev Security 2022-11-25 06:04:18 UTC
Details

If an application generates HTTP responses using the cgi gem with untrusted user input, an attacker can exploit it to inject a malicious HTTP response header and/or body.

Also, the contents of a CGI::Cookie object were not checked properly. If an application creates a CGI::Cookie object based on user input, an attacker may exploit it to inject invalid attributes in the Set-Cookie header. We think such applications are unlikely, but we have included a change to check arguments for CGI::Cookie#initialize preventatively.


We do not package dev-ruby/cgi, but this gem is a default (bundled) gem in dev-lang/ruby. Fixed versions:

dev-lang/ruby-2.7.7
dev-lang/ruby-3.0.5
dev-lang/ruby-3.1.3
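The two failure modes named in the advisory (response splitting through an unchecked header value, and attribute injection through an unchecked cookie name or value) as an added Ruby illustration. This is not code from the cgi gem, from the Ruby fix, or from the Gentoo bug: the header emitter, the `HeaderInjection` error, the `safe_header_value!`/`safe_cookie_value!` helpers and the tainted input are all constructed here to show the class of bug and the shape of check that closes it.

```ruby
# Added example, not the cgi gem's code: a toy response emitter that shows
# how a CR/LF-carrying header value splits an HTTP response, beside a
# hardened variant that refuses such values before they reach the wire.

# Constructed attacker-controlled input: a "user name" carrying CRLF, an
# injected Set-Cookie line, a blank line, and an attacker-chosen body.
TAINTED = "alice\r\nSet-Cookie: session=evil\r\n\r\n<script>alert(1)</script>"

class HeaderInjection < StandardError; end

# Vulnerable: interpolates the untrusted value straight into a header line,
# so the value can terminate its own line and the whole header block.
def build_response_unchecked(name)
  headers = ["Content-Type: text/html", "X-User: #{name}"]
  headers.join("\r\n") + "\r\n\r\n" + "<p>hello</p>"
end

# Hardened: reject any header value containing CR, LF or another control
# byte; a value that cannot contain a line terminator cannot split anything.
def safe_header_value!(value)
  v = value.to_s
  raise HeaderInjection, "control character in header value" if v =~ /[\x00-\x1f\x7f]/
  v
end

def build_response_checked(name)
  headers = ["Content-Type: text/html", "X-User: #{safe_header_value!(name)}"]
  headers.join("\r\n") + "\r\n\r\n" + "<p>hello</p>"
end

# What a client would parse: header lines are everything before the first
# blank line, the body is everything after it. With the unchecked emitter the
# attacker's Set-Cookie line becomes a real header and the attacker's markup
# becomes the body, pushing the intended body behind it.
def header_lines(response)
  head, _sep, _body = response.partition("\r\n\r\n")
  head.split("\r\n")
end

def body_of(response)
  _head, _sep, body = response.partition("\r\n\r\n")
  body
end

# Cookie side of the advisory: a cookie name or value that carries ';', ',',
# whitespace, '"', '\' or a control byte can smuggle extra attributes into
# Set-Cookie. Rejecting those characters (the RFC 6265 cookie-octet rule)
# keeps the attribute list under the application's control.
def safe_cookie_value!(value)
  v = value.to_s
  raise HeaderInjection, "invalid cookie character" if v =~ /[\x00-\x20\x7f;,"\\]/
  v
end

def set_cookie_header(name, value, attrs = {})
  parts = ["#{safe_cookie_value!(name)}=#{safe_cookie_value!(value)}"]
  parts << "Path=#{attrs[:path]}" if attrs[:path]
  parts << "HttpOnly" if attrs[:httponly]
  "Set-Cookie: " + parts.join("; ")
end

if __FILE__ == $PROGRAM_NAME
  puts header_lines(build_response_unchecked(TAINTED)).inspect
  puts set_cookie_header("session", "abc123", path: "/", httponly: true)
  begin
    build_response_checked(TAINTED)
  rescue HeaderInjection => e
    puts "rejected: #{e.message}"
  end
end
```

The check rejects rather than strips: silently removing CR/LF leaves the application unaware that it was handed hostile input, and stripping-based sanitisers are what response-splitting bugs historically slip past. Audit any code that builds headers from request data the same way, not just cgi callers.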
Comment 1 Hans de Graaff gentoo-dev Security 2022-11-25 06:22:41 UTC
These versions are now in the gentoo repo:

dev-lang/ruby-2.7.7
dev-lang/ruby-3.0.5
dev-lang/ruby-3.1.3
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-02 17:38:59 UTC
Please cleanup
Comment 3 Hans de Graaff gentoo-dev Security 2022-12-03 15:51:23 UTC
Cleanup done.
Comment 4 Larry the Git Cow gentoo-dev 2024-01-24 04:08:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=aea6781bb25fe500e38a2cfce23bf166d29cbf48

commit aea6781bb25fe500e38a2cfce23bf166d29cbf48
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-24 04:04:06 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-01-24 04:06:47 +0000

    [ GLSA 202401-27 ] Ruby: Multiple vulnerabilities
    
    Bug: https://bugs.gentoo.org/747007
    Bug: https://bugs.gentoo.org/801061
    Bug: https://bugs.gentoo.org/827251
    Bug: https://bugs.gentoo.org/838073
    Bug: https://bugs.gentoo.org/882893
    Bug: https://bugs.gentoo.org/903630
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202401-27.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)