Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 949642 (CVE-2025-25184)

Summary: <dev-ruby/rack-{2.2.11:2.2,3.0.12:3.0,3.1.10:3.1}: Log Injection vulnerability
Product: Gentoo Security Reporter: Hans de Graaff <graaff>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: ruby
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg
Whiteboard: B4 [glsa?]
Package list:
Runtime testing required: ---

Description Hans de Graaff gentoo-dev Security 2025-02-12 06:27:23 UTC 
Summary

Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs.


Details

When a user provides the authorization credentials via Rack::Auth::Basic, if success, the username will be put in env['REMOTE_USER'] and later be used by Rack::CommonLogger for logging purposes.

The issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile.


Impact

Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files.
Comment 1 Larry the Git Cow gentoo-dev 2025-02-12 06:34:03 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe444acec441e7b597c0677c4c33b6b2e8cdd46c

commit fe444acec441e7b597c0677c4c33b6b2e8cdd46c
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2025-02-12 06:32:23 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2025-02-12 06:33:36 +0000

    dev-ruby/rack: add 2.2.11, 3.0.12, 3.1.10
    
    Bug: https://bugs.gentoo.org/949642
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/rack/Manifest           |  3 +++
 dev-ruby/rack/rack-2.2.11.ebuild | 57 ++++++++++++++++++++++++++++++++++++++++
 dev-ruby/rack/rack-3.0.12.ebuild | 45 +++++++++++++++++++++++++++++++
 dev-ruby/rack/rack-3.1.10.ebuild | 49 ++++++++++++++++++++++++++++++++++
 4 files changed, 154 insertions(+)