Bug 1205726 (CVE-2021-33621) - VUL-0: CVE-2021-33621: ruby: HTTP response splitting in CGI
Summary: VUL-0: CVE-2021-33621: ruby: HTTP response splitting in CGI
Status: NEW
Alias: CVE-2021-33621
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P1 - Urgent
Severity: Major
Target Milestone: ---
Assignee: Marcus Rückert
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/348462/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-33621:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-11-24 14:19 UTC by Alexander Bergmann
Modified: 2023-10-24 16:30 UTC (History)
9 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
stoyan.manolov: needinfo? (mrueckert)
uemit.arslan: needinfo? (lars.vogdt)
uemit.arslan: needinfo?


Description Alexander Bergmann 2022-11-24 14:19:35 UTC
https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/

CVE-2021-33621: HTTP response splitting in CGI

Posted by mame on 22 Nov 2022

We have released the cgi gem version 0.3.5, 0.2.2, and 0.1.0.2 that has a security fix for a HTTP response splitting vulnerability. This vulnerability has been assigned the CVE identifier CVE-2021-33621.
Details

If an application generates HTTP responses using the cgi gem with untrusted user input, an attacker can exploit it to inject a malicious HTTP response header and/or body.

Also, the contents of a CGI::Cookie object were not checked properly. If an application creates a CGI::Cookie object based on user input, an attacker may exploit it to inject invalid attributes into the Set-Cookie header. We think such applications are unlikely, but we have included a change to check the arguments of CGI::Cookie#initialize preventatively.

Please update the cgi gem to version 0.3.5, 0.2.2, and 0.1.0.2, or later. You can use gem update cgi to update it. If you are using bundler, please add gem "cgi", ">= 0.3.5" to your Gemfile.
Affected versions

    cgi gem 0.3.3 or before
    cgi gem 0.2.1 or before
    cgi gem 0.1.1 or 0.1.0.1 or 0.1.0

Credits

Thanks to Hiroshi Tokumaru for discovering this issue.
History

    Originally published at 2022-11-22 02:00:00 (UTC)
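As an added illustration of the two points in the advisory above (not code from this bug, the Ruby advisory or the cgi gem itself): the first part shows why a CR or LF inside a user-supplied header or cookie value lets the client see extra headers or a second body, and the kind of argument check that prevents it; the second part encodes the affected and fixed cgi gem versions exactly as the advisory lists them, including the 0.1.1 case that a plain "newer than the fix" comparison gets wrong. The helper names (safe_header_line, safe_set_cookie, naive_header_line_count, cgi_gem_affected?) and the sample inputs are assumptions made for this example.

```ruby
# Added example; not code from the SUSE bug, the Ruby advisory or the cgi gem.
# Helper names and sample inputs are hypothetical and constructed for illustration.
require 'rubygems'

# A header line ends at CR or LF. Anything after one inside a value is read by
# the client as a new header, or, after a blank line, as the response body.
HEADER_BREAK = /[\r\n]/
# RFC 7230 token characters, valid in header names and cookie names.
TOKEN = /\A[!\#\$%&'*+\-.^_`|~0-9A-Za-z]+\z/

# Build one header line, rejecting anything that would split the response.
def safe_header_line(name, value)
  raise ArgumentError, "bad header name #{name.inspect}" unless name.match?(TOKEN)
  raise ArgumentError, "CR/LF in header value" if value.to_s.match?(HEADER_BREAK)
  "#{name}: #{value}"
end

# Build a Set-Cookie line. Each attribute is checked on its own, so a value
# such as "x; HttpOnly\r\n" cannot add attributes or headers the application
# never set (the second issue the advisory describes for CGI::Cookie).
def safe_set_cookie(name, value, path: nil, domain: nil)
  raise ArgumentError, "bad cookie name" unless name.match?(TOKEN)
  [value, path, domain].compact.each do |part|
    raise ArgumentError, "CR/LF/; in cookie attribute" if part.match?(/[\r\n;]/)
  end
  attrs = ["#{name}=#{value}"]
  attrs << "path=#{path}" if path
  attrs << "domain=#{domain}" if domain
  safe_header_line("Set-Cookie", attrs.join("; "))
end

# Constructed inputs: a redirect target copied from a query parameter. The
# second one contains CRLF sequences, which is what turns one header into
# several headers plus a body if the value is emitted unchecked.
SAFE_INPUT  = "/account"
SPLIT_INPUT = "/account\r\nSet-Cookie: session=injected\r\n\r\n<html>injected</html>"

# How many lines a naive "#{name}: #{value}" emission would hand to the client.
def naive_header_line_count(name, value)
  "#{name}: #{value}".split(/\r\n/).length
end

# Affected versions as the advisory lists them. 0.1.1 sorts above the fixed
# 0.1.0.2, so it is matched explicitly rather than by comparison.
def cgi_gem_affected?(version_string)
  v = Gem::Version.new(version_string)
  return true if %w[0.1.1 0.1.0.1 0.1.0].include?(v.to_s)
  case v.segments[0, 2].join(".")
  when "0.3" then v <= Gem::Version.new("0.3.3")
  when "0.2" then v <= Gem::Version.new("0.2.1")
  when "0.1" then v < Gem::Version.new("0.1.0.2")
  else false # release series the advisory does not name
  end
end

if __FILE__ == $PROGRAM_NAME
  puts safe_header_line("Location", SAFE_INPUT)
  puts "naive emission of SPLIT_INPUT yields #{naive_header_line_count('Location', SPLIT_INPUT)} lines"
  begin
    safe_header_line("Location", SPLIT_INPUT)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  puts safe_set_cookie("session", "abc123", path: "/", domain: "example.test")
  %w[0.3.3 0.3.5 0.1.1 0.1.0.2].each { |ver| puts "#{ver}: affected=#{cgi_gem_affected?(ver)}" }
end
```

The validation rejects rather than strips: silently removing CR/LF would still let a crafted value reach the response in an unexpected shape, whereas an ArgumentError surfaces the bad input where it can be logged and investigated.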
Comment 1 OBSbugzilla Bot 2022-11-24 17:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1205726) was mentioned in
https://build.opensuse.org/request/show/1037958 Factory / ruby3.1
Comment 2 Cathy Hu 2022-11-30 10:11:46 UTC
I think these are the fixes: https://github.com/ruby/cgi/compare/v0.1.0.1...v0.1.0.2

Tracking as affected:
- SUSE:SLE-11-SP1:Update/ruby  1.8.7.p357
- SUSE:SLE-12:Update/ruby2.1   2.1.9
- SUSE:SLE-15:Update/ruby2.5   2.5.9
Comment 4 Cathy Hu 2022-12-12 10:05:14 UTC
Any updates here?
Comment 14 Marcus Rückert 2023-09-06 14:13:58 UTC
https://build.suse.de/package/show/home:darix:branches:OBS_Maintained:ruby2.5/ruby2.5.SUSE_SLE-15_Update

This is waiting for the test suite to pass. While reviewing the local build I noticed that we have an incomplete patch for an older fix.


```
TestOpenURI#test_ftp:
NoMethodError: undefined method `peeraddr' for #<Socket:fd 11>
```
Comment 15 Marcus Meissner 2023-09-08 13:50:13 UTC
Can you submit when it's ready?
Comment 16 Marcus Rückert 2023-09-14 23:05:19 UTC
Now also integrated into https://gitlab.suse.de/ruby/ruby-backports/-/tree/2.5-suse?ref_type=heads
Comment 22 Maintenance Automation 2023-10-24 16:30:37 UTC
SUSE-SU-2023:4176-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1193035, 1205726, 1209891, 1209967
CVE References: CVE-2021-33621, CVE-2021-41817, CVE-2023-28755, CVE-2023-28756
Sources used:
openSUSE Leap 15.4 (src): ruby2.5-2.5.9-150000.4.29.1
openSUSE Leap 15.5 (src): ruby2.5-2.5.9-150000.4.29.1
Basesystem Module 15-SP4 (src): ruby2.5-2.5.9-150000.4.29.1
Basesystem Module 15-SP5 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Manager Proxy 4.2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Manager Retail Branch Server 4.2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Manager Server 4.2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Enterprise Storage 7.1 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE CaaS Platform 4.0 (src): ruby2.5-2.5.9-150000.4.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.