Bug 670476 (CVE-2018-16470, CVE-2018-16471) - <dev-ruby/rack-1.6.11: DoS and XSS vulnerability (CVE-2018-16470, CVE-2018-16471)
Status: RESOLVED FIXED
Alias: CVE-2018-16470, CVE-2018-16471
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-11-06 11:11 UTC by Hans de Graaff
Modified: 2018-11-29 21:16 UTC (History)

See Also:
Package list:
dev-ruby/rack-1.6.11
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Description Hans de Graaff gentoo-dev Security 2018-11-06 11:11:09 UTC
There is a possible DoS vulnerability in the multipart parser in Rack. This
vulnerability has been assigned the CVE identifier CVE-2018-16470.

Versions Affected:  2.0.4, 2.0.5
Not affected:       <= 2.0.3
Fixed Versions:     2.0.6

Impact
------
There is a possible DoS vulnerability in the multipart parser in Rack.
Carefully crafted requests can cause the multipart parser to enter a
pathological state, causing the parser to use CPU resources disproportionate to
the request size.

Impacted code can look something like this:

```
  Rack::Request.new(env).params
```

But any code that uses the multi-part parser may be vulnerable.

Rack users that have manually adjusted the buffer size in the multipart parser
may be vulnerable as well.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

There is a possible vulnerability in Rack. This vulnerability has been
assigned the CVE identifier CVE-2018-16471.

Versions Affected:  All.
Not affected:       None.
Fixed Versions:     2.0.6, 1.6.11

Impact
------
There is a possible XSS vulnerability in Rack.  Carefully crafted requests can
impact the data returned by the `scheme` method on `Rack::Request`.
Applications that expect the scheme to be limited to "http" or "https" and do
not escape the return value could be vulnerable to an XSS attack.

Vulnerable code looks something like this:

```
  <%= request.scheme.html_safe %>
```

Note that applications using the normal escaping mechanisms provided by Rails
may not be impacted, but applications that bypass the escaping mechanisms, or do
not use them, may be vulnerable.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases
--------
The 2.0.6 and 1.6.11 releases are available at the normal locations.
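The following is an added illustration of the CVE-2018-16471 issue described in the advisory above; it is not code from the Rack project or from this bug report. It models how a forwarded-scheme request header can flow into `scheme` and from there, unescaped, into markup, and shows the two ways an application closes the hole: escape on output, or validate the scheme before it reaches the template. The header lookup in `scheme_from_env` is a simplified assumption about how such a derivation consults `X-Forwarded-Proto`/`X-Forwarded-Scheme`, not Rack's implementation, and the env hashes are constructed samples rather than captured traffic.

```ruby
# Added example (not Rack's own code). Models an attacker-controlled
# forwarded-scheme header reaching a template that trusts request.scheme,
# alongside two fixes: output escaping and scheme validation.
require 'cgi'

# Simplified model (assumed for this example): take the scheme from
# forwarded headers when present, else from the server-reported scheme.
def scheme_from_env(env)
  if env['HTTPS'] == 'on' || env['HTTP_X_FORWARDED_SSL'] == 'on'
    'https'
  elsif env['HTTP_X_FORWARDED_SCHEME']
    env['HTTP_X_FORWARDED_SCHEME']
  elsif env['HTTP_X_FORWARDED_PROTO']
    env['HTTP_X_FORWARDED_PROTO'].split(',').first.to_s.strip
  else
    env['rack.url_scheme']
  end
end

# Hardened variant: only "http" and "https" are ever returned; anything
# else falls back to the scheme the server itself reported.
ALLOWED_SCHEMES = %w[http https].freeze

def safe_scheme(env)
  value = scheme_from_env(env)
  ALLOWED_SCHEMES.include?(value) ? value : env['rack.url_scheme']
end

# Vulnerable rendering: the equivalent of `<%= request.scheme.html_safe %>`,
# interpolating the raw value into markup with no escaping.
def render_unescaped(env)
  "<a href=\"#{scheme_from_env(env)}://example.test/\">home</a>"
end

# Fix 1: escape on output (what the normal ERB/Rails escaping would do).
def render_escaped(env)
  "<a href=\"#{CGI.escapeHTML(scheme_from_env(env))}://example.test/\">home</a>"
end

# Fix 2: validate the scheme before it reaches the template at all.
def render_validated(env)
  "<a href=\"#{safe_scheme(env)}://example.test/\">home</a>"
end

# Constructed sample Rack env hashes (not captured requests).
BENIGN_ENV = {
  'rack.url_scheme' => 'http',
  'HTTP_X_FORWARDED_PROTO' => 'https'
}.freeze

CRAFTED_ENV = {
  'rack.url_scheme' => 'http',
  'HTTP_X_FORWARDED_PROTO' => '"><script>alert(1)</script><a href="'
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts render_unescaped(CRAFTED_ENV)   # script tag survives into the page
  puts render_escaped(CRAFTED_ENV)     # quotes and angle brackets are escaped
  puts render_validated(CRAFTED_ENV)   # falls back to the server-reported "http"
end
```

Escaping (fix 1) is what the advisory means by "the normal escaping mechanisms"; validation (fix 2) is the defence-in-depth an application can apply regardless of template layer, and it also stops the bad value being used in places other than HTML, such as a redirect target.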
Comment 1 Hans de Graaff gentoo-dev Security 2018-11-06 11:22:14 UTC
rack 1.6.11 and rack 2.0.6 are now available. I'd like to postpone stabling for a few days since we missed a lot of the intermediate 1.6.x releases.
Comment 2 Hans de Graaff gentoo-dev Security 2018-11-10 06:22:48 UTC
Please test and mark stable.
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-11-10 11:59:30 UTC
amd64 stable
Comment 4 Rolf Eike Beer archtester 2018-11-10 16:06:06 UTC
sparc stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-11-12 01:15:59 UTC
x86 stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-11-17 16:02:12 UTC
arm stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-11-18 16:18:11 UTC
ia64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2018-11-18 16:26:24 UTC
hppa stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2018-11-18 16:29:48 UTC
ppc stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2018-11-18 16:33:05 UTC
ppc64 stable
Comment 11 Larry the Git Cow gentoo-dev 2018-11-28 16:04:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a9b3fad02e5c0ef8bcfaf0ee094af520263ea5e2

commit a9b3fad02e5c0ef8bcfaf0ee094af520263ea5e2
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-11-28 16:04:29 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-11-28 16:04:40 +0000

    dev-ruby/rack-1.6.11-r0: alpha stable
    
    Bug: http://bugs.gentoo.org/670476
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-ruby/rack/rack-1.6.11.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 12 Tobias Klausmann (RETIRED) gentoo-dev 2018-11-28 16:11:09 UTC
Stable on alpha.
Comment 13 Hans de Graaff gentoo-dev Security 2018-11-29 07:33:00 UTC
Cleanup done.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2018-11-29 21:16:49 UTC
(In reply to Hans de Graaff from comment #13)
> Cleanup done.

Thanks, Hans!

GLSA Vote: No