Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
ruby2.1
CVE-2021-32066.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2021-32066.patch of Package ruby2.1
From f478bdbcf00a235957ff7256535269caf24e1c73 Mon Sep 17 00:00:00 2001 From: Ali Abdallah <ali.abdallah@suse.com> Date: Wed, 6 Oct 2021 17:28:07 +0200 Subject: [PATCH 2/4] Backport upstream fix for CVE-2021-32066 Backport upstream commit a21a3b7d23704a01d34bd79d09dc37897e00922a [PATCH] Fix StartTLS stripping vulnerability Reported by Alexandr Savca in https://hackerone.com/reports/1178562 Co-authored-by: Shugo Maeda <shugo@ruby-lang.org> --- lib/net/imap.rb | 8 +++++++- test/net/imap/test_imap.rb | 31 +++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+), 1 deletion(-) diff --git a/lib/net/imap.rb b/lib/net/imap.rb index a8845c1314..e61d7b79eb 100644 --- a/lib/net/imap.rb +++ b/lib/net/imap.rb @@ -1152,12 +1152,14 @@ module Net end resp = @tagged_responses.delete(tag) case resp.name + when /\A(?:OK)\z/ni + return resp when /\A(?:NO)\z/ni raise NoResponseError, resp when /\A(?:BAD)\z/ni raise BadResponseError, resp else - return resp + raise UnknownResponseError, resp end end @@ -3598,6 +3600,10 @@ module Net class ByeResponseError < ResponseError end + # Error raised upon an unknown response from the server. + class UnknownResponseError < ResponseError + end + # Error raised when too many flags are interned to symbols. class FlagCountError < Error end diff --git a/test/net/imap/test_imap.rb b/test/net/imap/test_imap.rb index 9484ab8f6c..5212855c84 100644 --- a/test/net/imap/test_imap.rb +++ b/test/net/imap/test_imap.rb @@ -122,6 +122,16 @@ class IMAPTest < Test::Unit::TestCase imap.disconnect end end + + def test_starttls_stripping + starttls_stripping_test do |port| + imap = Net::IMAP.new("localhost", :port => port) + assert_raise(Net::IMAP::UnknownResponseError) do + imap.starttls(:ca_file => CA_FILE) + end + imap + end + end end def test_unexpected_eof @@ -530,6 +540,27 @@ class IMAPTest < Test::Unit::TestCase end end + def starttls_stripping_test + server = create_tcp_server + port = server.addr[1] + Thread.start do + sock = server.accept + begin + sock.print("* OK test server\r\n") + sock.gets + sock.print("RUBY0001 BUG unhandled command\r\n") + ensure + sock.close + server.close + end + end + begin + imap = yield(port) + ensure + imap.disconnect if imap && !imap.disconnected? + end + end + def create_tcp_server return TCPServer.new(SERVER_ADDR, 0) end -- 2.32.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
