Fix SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands in Net::SMTP (rhbz#1461848).

This commit is contained in:
Vít Ondruch 2017-08-08 11:56:42 +02:00
parent 7aa557150d
commit 5ec9eb0eb9
2 changed files with 133 additions and 1 deletions

View File

@ -0,0 +1,122 @@
From ea7b67981156f3eaee8420bb34c49605573387a5 Mon Sep 17 00:00:00 2001
From: shugo <shugo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Wed, 8 Jun 2016 07:06:57 +0000
Subject: [PATCH] Security: backport SMTP injection fix
* lib/net/smtp.rb (getok, get_response): raise an ArgumentError when
CR or LF is included in a line, because they are not allowed in
RFC5321.
https://hackerone.com/reports/137631
---
ChangeLog | 6 ++++++
lib/net/smtp.rb | 9 +++++++++
test/net/smtp/test_smtp.rb | 47 ++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 62 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index ab9a6bf18281..5176d362881b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Sun Jun 11 21:25:09 2017 Shugo Maeda <shugo@ruby-lang.org>
+
+ * lib/net/smtp.rb (getok, get_response): raise an ArgumentError when
+ CR or LF is included in a line, because they are not allowed in
+ RFC5321. https://hackerone.com/reports/137631 [Backport 0827a7e]
+
Wed Jul 5 15:55:35 2017 NAKAMURA Usaku <usa@ruby-lang.org>
* ext/openssl/ossl_cipher.c: remove the encryption key initialization
diff --git a/lib/net/smtp.rb b/lib/net/smtp.rb
index d634274c3ee8..78f2181d2a8b 100644
--- a/lib/net/smtp.rb
+++ b/lib/net/smtp.rb
@@ -926,7 +926,15 @@ def quit
private
+ def validate_line(line)
+ # A bare CR or LF is not allowed in RFC5321.
+ if /[\r\n]/ =~ line
+ raise ArgumentError, "A line must not contain CR or LF"
+ end
+ end
+
def getok(reqline)
+ validate_line reqline
res = critical {
@socket.writeline reqline
recv_response()
@@ -936,6 +944,7 @@ def getok(reqline)
end
def get_response(reqline)
+ validate_line reqline
@socket.writeline reqline
recv_response()
end
diff --git a/test/net/smtp/test_smtp.rb b/test/net/smtp/test_smtp.rb
index 0edb3419d56e..3bcceb6fc5bb 100644
--- a/test/net/smtp/test_smtp.rb
+++ b/test/net/smtp/test_smtp.rb
@@ -6,6 +6,8 @@
module Net
class TestSMTP < Test::Unit::TestCase
class FakeSocket
+ attr_reader :write_io
+
def initialize out = "250 OK\n"
@write_io = StringIO.new
@read_io = StringIO.new out
@@ -51,5 +53,50 @@ def test_rset
assert smtp.rset
end
+
+ def test_mailfrom
+ sock = FakeSocket.new
+ smtp = Net::SMTP.new 'localhost', 25
+ smtp.instance_variable_set :@socket, sock
+ assert smtp.mailfrom("foo@example.com").success?
+ assert_equal "MAIL FROM:<foo@example.com>\r\n", sock.write_io.string
+ end
+
+ def test_rcptto
+ sock = FakeSocket.new
+ smtp = Net::SMTP.new 'localhost', 25
+ smtp.instance_variable_set :@socket, sock
+ assert smtp.rcptto("foo@example.com").success?
+ assert_equal "RCPT TO:<foo@example.com>\r\n", sock.write_io.string
+ end
+
+ def test_auth_plain
+ sock = FakeSocket.new
+ smtp = Net::SMTP.new 'localhost', 25
+ smtp.instance_variable_set :@socket, sock
+ assert smtp.auth_plain("foo", "bar").success?
+ assert_equal "AUTH PLAIN AGZvbwBiYXI=\r\n", sock.write_io.string
+ end
+
+ def test_crlf_injection
+ smtp = Net::SMTP.new 'localhost', 25
+ smtp.instance_variable_set :@socket, FakeSocket.new
+
+ assert_raise(ArgumentError) do
+ smtp.mailfrom("foo\r\nbar")
+ end
+
+ assert_raise(ArgumentError) do
+ smtp.mailfrom("foo\rbar")
+ end
+
+ assert_raise(ArgumentError) do
+ smtp.mailfrom("foo\nbar")
+ end
+
+ assert_raise(ArgumentError) do
+ smtp.rcptto("foo\r\nbar")
+ end
+ end
end
end

View File

@ -21,7 +21,7 @@
%endif
%global release 62
%global release 63
%{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
# The RubyGems library has to stay out of Ruby directory three, since the
@ -126,6 +126,11 @@ Patch7: ruby-2.2.3-Generate-preludes-using-miniruby.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1381527
# https://github.com/ruby/ruby/commit/739782e37a6662fea379e7ef3ec89e851b04b46c
Patch10: ruby-2.3.4-remove-the-encryption-key-initialization.patch
# Fix SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM
# commands in Net::SMTP (CVE-2015-9096).
# https://bugzilla.redhat.com/show_bug.cgi?id=1461848
# https://github.com/ruby/ruby/pull/1647
Patch11: ruby-2.4.0-SMTP-injection-fix.patch
# Do not freeze strings in generated .gemspec. This causes regressions
# and FTBFS in Fedora packages. This is revert of:
# https://github.com/rubygems/rubygems/commit/8eda3272d28010c768a05620de776e5a8195c1ae
@ -479,6 +484,7 @@ rm -rf ext/fiddle/libffi*
%patch6 -p1
%patch7 -p1
%patch10 -p1
%patch11 -p1
%patch100 -p1
# Provide an example of usage of the tapset:
@ -969,6 +975,10 @@ make check TESTS="-v $DISABLE_TESTS"
%{ruby_libdir}/tkextlib
%changelog
* Tue Aug 08 2017 Vít Ondruch <vondruch@redhat.com> - 2.3.3-63
- Fix SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM
commands in Net::SMTP (rhbz#1461848).
* Thu Jul 27 2017 Vít Ondruch <vondruch@redhat.com> - 2.3.3-62
- Fix IV Reuse in GCM Mode (rhbz#1381527).