Bug 827251 (CVE-2021-41816, CVE-2021-41817, CVE-2021-41819) - <dev-lang/ruby-{2.6.9, 2.7.5, 3.0.3}: multiple vulnerabilities (CVE-2021-{41816,41817,41819})
Status: IN_PROGRESS
Alias: CVE-2021-41816, CVE-2021-41817, CVE-2021-41819
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.ruby-lang.org/en/news/202...
Whiteboard: B2 [glsa?]
Keywords:
Depends on: 827831
Blocks:
Reported: 2021-11-25 07:42 UTC by Hans de Graaff
Modified: 2021-12-06 02:58 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Hans de Graaff gentoo-dev 2021-11-25 07:42:34 UTC
CVE-2021-41816: Buffer Overrun in CGI.escape_html

A buffer overrun vulnerability was discovered in CGI.escape_html. This vulnerability has been assigned the CVE identifier CVE-2021-41816. We strongly recommend upgrading Ruby.
Details

A security vulnerability that causes buffer overflow when you pass a very large string (> 700 MB) to CGI.escape_html on a platform where long type takes 4 bytes, typically, Windows.

Please update the cgi gem to version 0.3.1, 0.2,1, and 0.1,1 or later. You can use gem update cgi to update it. If you are using bundler, please add gem "cgi", ">= 0.3.1" to your Gemfile. Alternatively, please update Ruby to 2.7.5 or 3.0.3.

This issue was introduced in Ruby 2.7, so the cgi version bundled with Ruby 2.6 is not vulnerable.
Affected versions

    cgi gem 0.1.0 or prior (which are bundled versions with Ruby 2.7 series prior to Ruby 2.7.5)
    cgi gem 0.2.0 or prior (which are bundled versions with Ruby 3.0 series prior to Ruby 3.0.3)
    cgi gem 0.3.0 or prior



CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods

We have released date gem version 3.2.1, 3.1.2, 3.0.2, and 2.0.1 that include a security fix for a regular expression denial of service vulnerability (ReDoS) on date parsing methods. An attacker can exploit this vulnerability to cause an effective DoS attack. This vulnerability has been assigned the CVE identifier CVE-2021-41817.
Details

Date's parsing methods, including Date.parse, use Regexps internally, some of which are vulnerable to regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected.

The fix limits the input length up to 128 bytes by default instead of changing the regexps. This is because Date gem uses many Regexps and it is possible that there are still undiscovered vulnerable Regexps. For compatibility, it is allowed to remove the limitation by explicitly passing limit keywords as nil like Date.parse(str, limit: nil), but note that it may take a long time to parse.

Please update the date gem to version 3.2.1, 3.1.2, 3.0.2, and 2.0.1, or later. You can use gem update date to update it. If you are using bundler, please add gem "date", ">= 3.2.1" to your Gemfile. Alternatively, you can update Ruby to 3.0.3, 2.7.5, 2.6.9 or later.
Affected versions

    date gem 2.0.0 or prior (which are bundled versions with Ruby 2.6 series prior to Ruby 2.6.9)
    date gem 3.0.1 or prior (which are bundled versions with Ruby 2.7 series prior to Ruby 2.7.5)
    date gem 3.1.1 or prior (which are bundled versions with Ruby 3.0 series prior to Ruby 3.0.3)
    date gem 3.2.0 or prior



CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse

A cookie prefix spoofing vulnerability was discovered in CGI::Cookie.parse. This vulnerability has been assigned the CVE identifier CVE-2021-41819. We strongly recommend upgrading Ruby.
Details

The old versions of CGI::Cookie.parse applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application.

By this fix, CGI::Cookie.parse no longer decodes cookie names. Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded.

This is the same issue as CVE-2020-8184.

If you are using Ruby 2.7 or 3.0:

    Please update the cgi gem to version 0.3.1, 0.2,1, and 0.1,1 or later. You can use gem update cgi to update it. If you are using bundler, please add gem "cgi", ">= 0.3.1" to your Gemfile.
    Alternatively, please update Ruby to 2.7.5 or 3.0.3.

If you are using Ruby 2.6:

    Please update Ruby to 2.6.9. You cannot use gem update cgi for Ruby 2.6 or prior.
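The two mitigations described in the advisory above (the 128-byte input cap that the fixed date gem applies before its regexps run, and the fixed CGI::Cookie.parse no longer URL-decoding cookie names so that "%5F%5FHost-" cannot masquerade as "__Host-") can be reproduced as application-level guards. The following is an added example, not code from the bug report, the Ruby project or the cgi/date gems; `parse_date_guarded`, `parse_cookie_header`, `spoofed_prefix_names` and the sample Cookie header are assumptions constructed here. It enforces the length limit itself rather than relying on the `limit:` keyword, so it behaves the same on a patched or unpatched date gem.

```ruby
require 'date'
require 'cgi'

# Input cap mirroring the default the fixed date gem applies (128 bytes).
DATE_INPUT_LIMIT = 128

# Parse a date from untrusted input, refusing oversized strings before they
# reach the regexp-based parser. Returns a Date, or nil when the input is too
# long or does not parse. Passing limit: nil disables the cap, as in the gem.
# (Assumed helper, not part of the date gem.)
def parse_date_guarded(str, limit: DATE_INPUT_LIMIT)
  return nil if limit && str.bytesize > limit
  Date.parse(str)
rescue ArgumentError # Date::Error is an ArgumentError subclass
  nil
end

# Cookie name prefixes whose meaning a browser guarantees (RFC 6265bis).
SECURITY_PREFIXES = ['__Host-', '__Secure-'].freeze

# Split a raw Cookie header into { name => value } WITHOUT decoding the names,
# which is what the fixed CGI::Cookie.parse does. (Assumed helper.)
def parse_cookie_header(header)
  header.split(/;\s*/).each_with_object({}) do |pair, cookies|
    name, value = pair.split('=', 2)
    next if name.nil? || name.empty?
    cookies[name] = value.to_s
  end
end

# Return the raw cookie names that gain a security prefix only after URL
# decoding: the spoofing pattern the old, decoding parser would have accepted
# as a genuine "__Host-" or "__Secure-" cookie. (Assumed helper.)
def spoofed_prefix_names(header)
  parse_cookie_header(header).keys.select do |name|
    decoded = CGI.unescape(name)
    SECURITY_PREFIXES.any? do |prefix|
      decoded.start_with?(prefix) && !name.start_with?(prefix)
    end
  end
end

# Constructed sample header: one genuine __Host- cookie and one whose name
# only becomes "__Host-session" after percent-decoding.
SAMPLE_COOKIE_HEADER = '__Host-session=abc; %5F%5FHost-session=evil; theme=dark'.freeze

if __FILE__ == $PROGRAM_NAME
  p parse_date_guarded('2021-11-25')      # a Date
  p parse_date_guarded('x' * 129)         # nil: over the cap, regexps never run
  p spoofed_prefix_names(SAMPLE_COOKIE_HEADER) # ["%5F%5FHost-session"]
end
```

Rejecting by byte length before parsing is the same trade-off the advisory makes: it does not prove every regexp in the gem is safe, but it bounds the work an attacker can force. The cookie check reports raw names, so a logging or WAF layer can flag the spoofing attempt while the application keeps treating only the literal `__Host-` name as trusted.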
Comment 1 Hans de Graaff gentoo-dev 2021-11-25 09:09:37 UTC
Fixed versions 2.6.9, 2.7.5, 3.0.3 have been added.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-11-26 03:58:19 UTC
Thanks for filing the bug & adding so quickly. Let's stable quickly when you're comfortable.
Comment 3 Hans de Graaff gentoo-dev 2021-12-05 07:33:17 UTC
Cleanup done.