Bug 884795 (CVE-2022-30122, CVE-2022-30123)

Summary:	<dev-ruby/rack-2.2.3.1: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	major	CC:	ruby
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B1 [glsa+]
Package list:		Runtime testing required:	---
Bug Depends on:	885433
Bug Blocks:

Description John Helmert III archtester

2022-12-08 01:43:16 UTC

CVE-2022-30122 (https://discuss.rubyonrails.org/t/cve-2022-30122-denial-of-service-vulnerability-in-rack-multipart-parsing/80729):

A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack.

CVE-2022-30123 (https://discuss.rubyonrails.org/t/cve-2022-30123-possible-shell-escape-sequence-injection-vulnerability-in-rack/80728):

A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell escape in the Lint and CommonLogger components of Rack.

Please stabilize 2.2.3.1.

Comment 1 John Helmert III archtester

2022-12-18 16:06:52 UTC

Please cleanup

Comment 2 Hans de Graaff gentoo-dev

2022-12-21 07:33:33 UTC

Cleanup done.

Comment 3 Larry the Git Cow gentoo-dev

2023-10-30 09:37:47 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4dc322e9cb35aab8ec56cc1286dd3340bfbb8af1

commit 4dc322e9cb35aab8ec56cc1286dd3340bfbb8af1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-30 09:36:59 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-30 09:37:39 +0000

    [ GLSA 202310-18 ] Rack: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/884795
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202310-18.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)