Bug 747007 (CVE-2020-25613) - <dev-lang/ruby-{2.5.9,2.6.7,2.7.3}: HTTP Request Smuggling Vulnerability in WEBrick (CVE-2020-25613)
Status: IN_PROGRESS
Alias: CVE-2020-25613
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.ruby-lang.org/en/news/202...
Whiteboard: A4 [glsa? cleanup]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-07 07:01 UTC by filip ambroz
Modified: 2021-07-29 17:25 UTC

See Also:
Package list:
Runtime testing required: ---


Description filip ambroz 2020-10-07 07:01:06 UTC
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.

GitHub Commit:
https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7

Links:
https://nvd.nist.gov/vuln/detail/CVE-2020-25613
https://osint.geekcq.com/2020/10/06/cve-2020-25613/

Reproducible: Always
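The description above says WEBrick did not check the Transfer-Encoding value rigorously and that this only becomes request smuggling when a reverse proxy in front of it checks the header differently. The Ruby script below is an added example, not code from WEBrick, Ruby or this bug: it models the lax check as a substring match (an assumption; the real pre-fix and post-fix code is in the linked upstream commit), puts an exact-match check beside it, and runs both over one constructed request to show how the two hops disagree about where the first request ends, which is the desync a smuggling attack relies on. The names chunked_lax?, chunked_strict?, read_request, frontend_view, backend_view and the host example.test are mine.

```ruby
# Added example, not WEBrick's or Gentoo's code. It contrasts a lax
# Transfer-Encoding check (substring match, an assumption modelled on the
# bug description) with a strict exact-value check, and shows how the two
# disagree about where a request body ends. Compare against the upstream
# commit linked above for the real pre-/post-fix code.

CRLF = "\r\n"

# Lax policy: any value containing "chunked" turns on chunked decoding.
def chunked_lax?(te)
  !!(te =~ /chunked/i)
end

# Strict policy: only a value that is exactly "chunked" (case-insensitive).
def chunked_strict?(te)
  !!(te =~ /\Achunked\z/i)
end

# Split a raw request into [request line, lower-cased header hash, body bytes].
def parse_head(raw)
  head, rest = raw.split(CRLF + CRLF, 2)
  lines = head.split(CRLF)
  request_line = lines.shift
  headers = {}
  lines.each do |line|
    name, value = line.split(":", 2)
    headers[name.strip.downcase] = value.to_s.strip
  end
  [request_line, headers, rest.to_s]
end

# Decode a chunked body; return [decoded body, bytes left on the connection].
def read_chunked(data)
  body = +""
  loop do
    size_line, data = data.to_s.split(CRLF, 2)
    size = size_line.to_s.to_i(16)
    data = data.to_s
    if size.zero?
      _blank, data = data.split(CRLF, 2)   # skip the CRLF after the last chunk
      return [body, data.to_s]
    end
    body << data[0, size]
    data = data[(size + 2)..-1].to_s        # skip chunk data plus its CRLF
  end
end

# Read one request body under the given chunked-detection policy and
# return [body, leftover bytes that a server would parse as the NEXT request].
def read_request(raw, policy)
  _request_line, headers, rest = parse_head(raw)
  te = headers["transfer-encoding"]
  if te && policy.call(te)
    read_chunked(rest)
  elsif headers["content-length"]
    n = headers["content-length"].to_i
    [rest[0, n].to_s, rest[n..-1].to_s]
  else
    ["", rest]
  end
end

# Constructed request. "xchunked" is not a registered transfer-coding, so a
# hop that checks the value exactly falls back to Content-Length, which has
# been sized to cover everything after the blank line. A hop that only looks
# for the substring decodes it as chunked, stops at the 0-chunk, and is left
# holding a second request line the front-end never inspected.
SMUGGLED_TAIL = ["0", "", "GET /admin HTTP/1.1", "Host: example.test", "", ""].join(CRLF)
SMUGGLED = [
  "POST / HTTP/1.1",
  "Host: example.test",
  "Content-Length: #{SMUGGLED_TAIL.bytesize}",
  "Transfer-Encoding: xchunked",
  "",
  SMUGGLED_TAIL,
].join(CRLF)

# What a strict front-end sees: one request whose body is the whole tail, nothing left over.
def frontend_view
  read_request(SMUGGLED, method(:chunked_strict?))
end

# What a lax back-end sees: an empty chunked body, then a leftover "GET /admin" request.
def backend_view
  read_request(SMUGGLED, method(:chunked_lax?))
end

if __FILE__ == $PROGRAM_NAME
  fb, fl = frontend_view
  bb, bl = backend_view
  puts "front-end: body=#{fb.bytesize}B leftover=#{fl.bytesize}B"
  puts "back-end:  body=#{bb.bytesize}B leftover starts with #{bl.lines.first.inspect}"
end
```

The strict policy is the whole fix: once "xchunked" is rejected (or, as WEBrick does for unknown codings, answered with an error) both hops agree on the Content-Length framing and the trailing GET is just part of the first body. Note that the example only models the server side; whether the proxy in front forwards such a request at all depends on its own header handling, which is why the description calls out a proxy "which also has a poor header check".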
Comment 1 Hans de Graaff gentoo-dev 2020-10-09 08:00:53 UTC
dev-lang/ruby 2.7.2 has been added.

We do not package the webrick gem.

Upstream has not released new versions for the ruby 2.5 and 2.6 slots. I assume that this will be released shortly as well. If not then we can apply the patch sets from the referenced bug.
Comment 2 John Helmert III gentoo-dev Security 2021-07-24 17:50:30 UTC
Ruby 2.5 patch: d6d2f179b02855ce07e8a114b3611dfc1f590986
Ruby 2.6 patch: 8b49c3e4bc767bec8a66ac81cbda033330fb2703
Ruby 2.7 patch: 48ac73769772317d6c3f864f087ef930a47120d9

ruby $ git tag --contains d6d2f179b02855ce07e8a114b3611dfc1f590986
v2_5_9

ruby $ git tag --contains 8b49c3e4bc767bec8a66ac81cbda033330fb2703
v2_6_7
v2_6_8

ruby $ git tag --contains 48ac73769772317d6c3f864f087ef930a47120d9
v2_7_3
v2_7_4

3.0.0 is unaffected (it's always had the patch). Just waiting for 2.5 cleanup here now, removal in a couple weeks.
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:25:47 UTC
Package list is empty or all packages have requested keywords.