Bugzilla – Bug 1205726
VUL-0: CVE-2021-33621: ruby: HTTP response splitting in CGI
Last modified: 2023-10-24 16:30:37 UTC
https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/

CVE-2021-33621: HTTP response splitting in CGI
Posted by mame on 22 Nov 2022

We have released the cgi gem versions 0.3.5, 0.2.2, and 0.1.0.2 that have a security fix for an HTTP response splitting vulnerability. This vulnerability has been assigned the CVE identifier CVE-2021-33621.

Details

If an application generates HTTP responses using the cgi gem with untrusted user input, an attacker can exploit it to inject a malicious HTTP response header and/or body.

Also, the contents for a CGI::Cookie object were not checked properly. If an application creates a CGI::Cookie object based on user input, an attacker may exploit it to inject invalid attributes in the Set-Cookie header. We think such applications are unlikely, but we have included a change to check arguments for CGI::Cookie#initialize preventatively.

Please update the cgi gem to version 0.3.5, 0.2.2, and 0.1.0.2, or later. You can use gem update cgi to update it. If you are using bundler, please add gem "cgi", ">= 0.3.5" to your Gemfile.

Affected versions
- cgi gem 0.3.3 or before
- cgi gem 0.2.1 or before
- cgi gem 0.1.1 or 0.1.0.1 or 0.1.0

Credits
Thanks to Hiroshi Tokumaru for discovering this issue.

History
Originally published at 2022-11-22 02:00:00 (UTC)
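The advisory above describes two input-validation gaps: header values that may carry line breaks into the response, and cookie names/values that may carry attribute separators into Set-Cookie. The following is an added illustration in the same spirit, not code from the cgi gem or its fix; `check_header_value!`, `build_set_cookie` and `build_headers` are hypothetical names, and the character rules are the usual RFC 6265 token/cookie-octet constraints, not a claim about what the gem enforces.

```ruby
# Added example (not the cgi gem's own code): validate values before they
# are written into HTTP response headers, so user input cannot terminate a
# header line or smuggle extra Set-Cookie attributes.

# CR, LF or NUL in a header value lets the rest of the value become a new
# header line or the start of the response body.
HEADER_BREAK = /[\r\n\0]/

def check_header_value!(value)
  value = value.to_s
  if value.match?(HEADER_BREAK)
    raise ArgumentError, "invalid character in header value"
  end
  value
end

# Cookie names are RFC 6265 tokens: printable ASCII without separators.
# ($ is kept away from # so the regexp literal does not interpolate.)
COOKIE_NAME = /\A[!#%&'*+\-.0-9A-Z^_`a-z|~$]+\z/
# Cookie values may not contain control chars, whitespace, ; , " or backslash,
# so a value cannot append "; path=..." or similar attributes by itself.
COOKIE_VALUE = /\A[^\x00-\x20;,"\\\x7f]*\z/

def build_set_cookie(name, value, path: "/", secure: true, httponly: true)
  raise ArgumentError, "invalid cookie name" unless name.to_s.match?(COOKIE_NAME)
  raise ArgumentError, "invalid cookie value" unless value.to_s.match?(COOKIE_VALUE)
  parts = ["#{name}=#{value}", "path=#{check_header_value!(path)}"]
  parts << "secure" if secure
  parts << "HttpOnly" if httponly
  "Set-Cookie: " + parts.join("; ")
end

# Serialise a field hash into a header block, checking every name and value.
def build_headers(fields)
  lines = fields.map do |name, value|
    "#{check_header_value!(name)}: #{check_header_value!(value)}"
  end
  lines.join("\r\n") + "\r\n\r\n"
end

if __FILE__ == $0
  puts build_set_cookie("session", "abc123")
  puts build_headers("Location" => "/home")
  begin
    build_set_cookie("session", "abc\r\nX-Injected: 1")  # constructed bad input
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```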
This is an autogenerated message for OBS integration: This bug (1205726) was mentioned in https://build.opensuse.org/request/show/1037958 Factory / ruby3.1
I think these are the fixes: https://github.com/ruby/cgi/compare/v0.1.0.1...v0.1.0.2

Tracking as affected:
- SUSE:SLE-11-SP1:Update/ruby 1.8.7.p357
- SUSE:SLE-12:Update/ruby2.1 2.1.9
- SUSE:SLE-15:Update/ruby2.5 2.5.9
Any updates here?
After reviewing https://github.com/ruby/cgi/commits/master

This commit should probably also be part of the fix:
* https://github.com/ruby/cgi/commit/30107a4797f14227568913499a9a0bb4285de63b

This is the patch in comment #5:
* https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708

Those 3 commits fix fallout in the 2 commits above and fix building on older ruby versions, so we probably also want to include those:
* https://github.com/ruby/cgi/commit/b46d41c36380e04f6388970b5ef05c687f4d1819
* https://github.com/ruby/cgi/commit/05f0c58048540e868d9bbc6e49151b27e1bc89e9
* https://github.com/ruby/cgi/commit/5e09d632f3b56d85b2659ab47d5571ae9e270e10
https://build.suse.de/package/show/home:darix:branches:OBS_Maintained:ruby2.5/ruby2.5.SUSE_SLE-15_Update

This is waiting for the testsuite to pass. While reviewing the local build I noticed that we have an incomplete patch for an older fix.

```
TestOpenURI#test_ftp: NoMethodError: undefined method `peeraddr' for #<Socket:fd 11>
```
Can you submit when it's ready?
Now also integrated into https://gitlab.suse.de/ruby/ruby-backports/-/tree/2.5-suse?ref_type=heads
SUSE-SU-2023:4176-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1193035, 1205726, 1209891, 1209967
CVE References: CVE-2021-33621, CVE-2021-41817, CVE-2023-28755, CVE-2023-28756

Sources used:
- openSUSE Leap 15.4 (src): ruby2.5-2.5.9-150000.4.29.1
- openSUSE Leap 15.5 (src): ruby2.5-2.5.9-150000.4.29.1
- Basesystem Module 15-SP4 (src): ruby2.5-2.5.9-150000.4.29.1
- Basesystem Module 15-SP5 (src): ruby2.5-2.5.9-150000.4.29.1
- SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): ruby2.5-2.5.9-150000.4.29.1
- SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): ruby2.5-2.5.9-150000.4.29.1
- SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): ruby2.5-2.5.9-150000.4.29.1
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): ruby2.5-2.5.9-150000.4.29.1
- SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): ruby2.5-2.5.9-150000.4.29.1
- SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): ruby2.5-2.5.9-150000.4.29.1
- SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): ruby2.5-2.5.9-150000.4.29.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): ruby2.5-2.5.9-150000.4.29.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): ruby2.5-2.5.9-150000.4.29.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): ruby2.5-2.5.9-150000.4.29.1
- SUSE Manager Proxy 4.2 (src): ruby2.5-2.5.9-150000.4.29.1
- SUSE Manager Retail Branch Server 4.2 (src): ruby2.5-2.5.9-150000.4.29.1
- SUSE Manager Server 4.2 (src): ruby2.5-2.5.9-150000.4.29.1
- SUSE Enterprise Storage 7.1 (src): ruby2.5-2.5.9-150000.4.29.1
- SUSE CaaS Platform 4.0 (src): ruby2.5-2.5.9-150000.4.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.