Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 883679 (CVE-2022-45442)

Summary: <dev-ruby/sinatra-{2.2.3,3.0.4}: reflected file download
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ruby
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 884241    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-29 23:38:55 UTC 
CVE-2022-45442:

Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input. Version 2.2.3 and 3.0.4 contain patches for this issue.

Please bump to 2.2.3 and 3.0.4.
Comment 1 Larry the Git Cow gentoo-dev 2022-12-03 11:04:01 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ceb938c24ffb8a569b4ce0c42849d3f255fb296e

commit ceb938c24ffb8a569b4ce0c42849d3f255fb296e
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2022-12-03 11:01:22 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2022-12-03 11:03:57 +0000

    dev-ruby/sinatra: add 2.2.3, 3.0.4
    
    Bug: https://bugs.gentoo.org/883679
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/sinatra/Manifest             |  2 ++
 dev-ruby/sinatra/sinatra-2.2.3.ebuild | 34 ++++++++++++++++++++++++++++++++++
 dev-ruby/sinatra/sinatra-3.0.4.ebuild | 34 ++++++++++++++++++++++++++++++++++
 3 files changed, 70 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-03 18:51:46 UTC 
Please stabilize when ready.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-04 18:40:31 UTC 
No GLSA, seems a bit esoteric to exploit and seemingly low impact anyway. Please cleanup.
Comment 4 Hans de Graaff gentoo-dev Security 2024-05-28 04:44:07 UTC 
commit 440dcec01b4d61d587f64672d20c0514d866e75e
Author: Hans de Graaff <graaff@gentoo.org>
Date:   Tue Jun 13 12:03:25 2023 +0200

    dev-ruby/sinatra: drop 3.0.2, 3.0.4