Bug 730786 (CVE-2020-8184) - <dev-ruby/rack-2.2.3: Percent-encoded cookies can be used to overwrite existing prefixed cookie names (CVE-2020-8184)
Summary: <dev-ruby/rack-2.2.3: Percent-encoded cookies can be used to overwrite existi...
Status: RESOLVED FIXED
Alias: CVE-2020-8184
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on: 692324 761897
Blocks: CVE-2020-8161
Reported: 2020-07-05 07:58 UTC by Hans de Graaff
Modified: 2021-02-22 02:56 UTC

See Also:
Package list:
Runtime testing required: ---
Description Hans de Graaff gentoo-dev 2020-07-05 07:58:36 UTC
Percent-encoded cookies can be used to overwrite existing prefixed cookie names

It is possible to forge a secure or host-only cookie prefix in Rack using
an arbitrary cookie write by using URL encoding (percent-encoding) on the 
name of the cookie. This could result in an application that is dependent on
this prefix to determine if a cookie is safe to process being manipulated
into processing an insecure or cross-origin request.
This vulnerability has been assigned the CVE identifier CVE-2020-8184.

Versions Affected:  rack < 2.2.3, rack < 2.1.4
Not affected:       Applications which do not rely on __Host- and __Secure- prefixes to determine if a cookie is safe to process
Fixed Versions:     rack >= 2.2.3, rack >= 2.1.4

Impact
------

An attacker may be able to trick a vulnerable application into processing an 
insecure (non-SSL) or cross-origin request if they can gain the ability to write
arbitrary cookies that are sent to the application.

Releases
--------

The fixed releases are available on RubyGems.

Workarounds
-----------

If your application is impacted but you cannot upgrade to the released versions or apply
the provided patch, this issue can be temporarily addressed by adding the following workaround:

module Rack
  module Utils
    # Patched parser: the cookie name is kept verbatim and is never
    # percent-decoded, so "__%48ost-" can no longer turn into the "__Host-"
    # prefix; only the value is unescaped (Rack::Utils.unescape is Rack's
    # own helper, available inside this module).
    module_function def parse_cookies_header(header)
      return {} unless header
      header.split(/[;] */n).each_with_object({}) do |cookie, cookies|
        next if cookie.empty?
        key, value = cookie.split('=', 2)
        # The first occurrence of a name wins; later duplicates are ignored.
        cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)
      end
    end
  end
end
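Added illustration of the issue described above; this is not code from this bug report or from Rack itself. The "vulnerable" parser is a reconstruction of the pre-2.2.3 behaviour (both name and value percent-decoded), not Rack's verbatim source; the stdlib CGI.unescape stands in for Rack::Utils.unescape so it runs without Rack installed; the Cookie header, the cookie names and the trusted_session helper are constructed for the example.

```ruby
require 'cgi'

# Constructed Cookie header (not captured traffic). The first cookie's name,
# "__%48ost-session", percent-decodes to "__Host-session". An attacker who can
# write arbitrary cookies (for instance from an http:// origin of the same host)
# can set it, whereas the browser enforces the __Host- rules (Secure, no
# Domain, Path=/) and would refuse the literal __Host-session from that writer.
FORGED_HEADER = '__%48ost-session=attacker; __Host-session=legit'.freeze

# Reconstruction of the pre-fix behaviour (not Rack's verbatim source):
# the name and the value are both percent-decoded.
module VulnerableCookieParser
  def self.parse(header)
    return {} unless header
    header.split(/;\s*/).each_with_object({}) do |cookie, cookies|
      next if cookie.empty?
      key, value = cookie.split('=', 2).map { |part| CGI.unescape(part.to_s) }
      # First occurrence of a name wins, so the decoded forgery shadows the
      # genuine __Host- cookie that follows it.
      cookies[key] = value unless cookies.key?(key)
    end
  end
end

# The same parser with the CVE-2020-8184 fix applied: the name is taken
# verbatim and only the value is decoded.
module FixedCookieParser
  def self.parse(header)
    return {} unless header
    header.split(/;\s*/).each_with_object({}) do |cookie, cookies|
      next if cookie.empty?
      key, value = cookie.split('=', 2)
      cookies[key] = (CGI.unescape(value.to_s) rescue value) unless cookies.key?(key)
    end
  end
end

# Application-side policy modelled on the advisory: a cookie is trusted only
# when its name carries one of the browser-enforced prefixes.
def trusted_cookie_name?(name)
  name.start_with?('__Host-', '__Secure-')
end

# Hypothetical helper: the session value the application would trust for the
# __Host-session cookie under a given parser, or nil if none qualifies.
def trusted_session(parser, header = FORGED_HEADER)
  cookies = parser.parse(header)
  cookies.select { |name, _| trusted_cookie_name?(name) }['__Host-session']
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable parser trusts: #{trusted_session(VulnerableCookieParser).inspect}" # "attacker"
  puts "fixed parser trusts:      #{trusted_session(FixedCookieParser).inspect}"      # "legit"
end
```

With the vulnerable parser the forged name decodes to "__Host-session" and, because the first occurrence of a name wins, it shadows the genuine cookie, so the prefix check passes on attacker-controlled data. With the fixed parser the forged name stays "__%48ost-session", fails the prefix check, and the genuine "__Host-session" is the only one trusted.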
Comment 1 Hans de Graaff gentoo-dev 2020-07-05 08:01:37 UTC
dev-ruby/rack-2.1.4 and dev-ruby/rack-2.2.3 have been added.
Comment 2 Sergei Trofimovich gentoo-dev 2020-07-06 07:31:41 UTC
ppc/ppc64 stable
Comment 3 Rolf Eike Beer 2020-07-07 13:34:06 UTC
sparc stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-07-09 08:07:09 UTC
arm stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-07-09 09:05:06 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-07-17 07:23:17 UTC
amd64 stable
Comment 7 Rolf Eike Beer 2020-07-22 15:34:33 UTC
hppa stable
Comment 8 Hans de Graaff gentoo-dev 2020-07-23 07:24:48 UTC
Cleanup is currently on hold as we still have some packages that depend on the old slots (notably dev-ruby/bcat and dev-ruby/faraday).
Comment 9 Sam James archtester gentoo-dev Security 2020-07-23 19:50:49 UTC
(In reply to Hans de Graaff from comment #8)
> Cleanup is currently on hold as we still have some packages that depend on
> the old slots (notable dev-ruby/bcat and dev-ruby/faraday).

Thanks. Is there a bug to block on or just wait for you to let us know?
Comment 10 Sam James archtester gentoo-dev Security 2020-07-23 19:51:08 UTC
(XSS => noglsa).
Comment 11 John Helmert III gentoo-dev Security 2020-09-19 01:19:42 UTC
dev-ruby/bcat was treecleaned and dev-ruby/faraday doesn't appear to depend on slotted rack, are we able to cleanup here now?
Comment 12 Hans de Graaff gentoo-dev 2020-09-19 06:11:25 UTC
(In reply to John Helmert III (ajak) from comment #11)
> dev-ruby/bcat was treecleaned and dev-ruby/faraday doesn't appear to depend
> on slotted rack, are we able to cleanup here now?

Unfortunately not. It turns out that there are more dependencies out there. I have fixed a number of these today and as far as I can tell now the only remaining blocker is sinatra.

Current status:

rack 1.6: now masked for removal.
rack 2.0: pending sinatra-2.0.8.1 removal which depends on bug 692324
rack 2.1: pending sinatra-2.1.0 stable (added 2020-09-19, needs some time in testing)
Comment 13 NATTkA bot gentoo-dev 2020-12-15 02:41:03 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 14 Hans de Graaff gentoo-dev 2020-12-29 10:49:18 UTC
The remaining insecure rack slots have now been masked for removal:

# Hans de Graaff <graaff@gentoo.org> (2020-12-29)
# These slots masked for removal in 30 days due to
# security issues, bug 730786
# Use a newer slot instead.
dev-ruby/rack:2.0
dev-ruby/rack:2.1
Comment 15 John Helmert III gentoo-dev Security 2021-02-22 02:55:20 UTC
Tree is clean, all done!