Bug 1193080 (CVE-2021-41816)

Summary:	VUL-0: CVE-2021-41816: ruby, ruby2.1, ruby2.5, ruby2.7, ruby3.0: Buffer Overrun in CGI.escape_html
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Thomas Leroy <thomas.leroy>
Component:	Incidents	Assignee:	Marcus Rückert <mrueckert>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	smash_bz
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
Whiteboard:
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Thomas Leroy 2021-11-25 12:19:02 UTC

A buffer overrun vulnerability was discovered in CGI.escape_html. This vulnerability has been assigned the CVE identifier CVE-2021-41816. We strongly recommend upgrading Ruby.

Details
A security vulnerability that causes buffer overflow when you pass a very large string (> 700 MB) to CGI.escape_html on a platform where long type takes 4 bytes, typically, Windows.

Please update the cgi gem to version 0.3.1, 0.2,1, and 0.1,1 or later. You can use gem update cgi to update it. If you are using bundler, please add gem "cgi", ">= 0.3.1" to your Gemfile. Alternatively, please update Ruby to 2.7.5 or 3.0.3.

This issue has been introduced since Ruby 2.7, so the cgi version bundled with Ruby 2.6 is not vulnerable.

Affected versions
cgi gem 0.1.0 or prior (which are bundled versions with Ruby 2.7 series prior to Ruby 2.7.5)
cgi gem 0.2.0 or prior (which are bundled versions with Ruby 3.0 series prior to Ruby 3.0.3)
cgi gem 0.3.0 or prior

Comment 1 Thomas Leroy 2021-11-25 13:06:07 UTC

References:
https://www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816/

Upstream commit:
https://github.com/ruby/cgi/commit/c728632c1c09d46cfd4ecbff9caaa3651dd1002a

Comment 2 OBSbugzilla Bot 2021-11-25 13:40:16 UTC

This is an autogenerated message for OBS integration:
This bug (1193080) was mentioned in
https://build.opensuse.org/request/show/933749 Factory / ruby3.0
https://build.opensuse.org/request/show/933750 Factory / ruby2.7

Comment 3 Thomas Leroy 2021-11-25 13:54:50 UTC

The vulnerable commit [0] was introduced in ruby 2.7, therefore, versions before 2.7 are not impacted. I double checked that the vulnerable commit has not been backported.

ruby2.7:
- openSUSE:Factory

ruby3.0:
- openSUSE:Factory

[0]
https://github.com/ruby/cgi/commit/3a62e20f76ea42ff0b4d45f2952479eab266ae1c

Comment 6 Marcus Rückert 2022-09-05 22:50:59 UTC

This should be done