Fix SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands in Net::SMTP (rhbz#1461848).
parent
7aa557150d
commit
5ec9eb0eb9
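--- /dev/null
+++ b/ruby-2.4.0-SMTP-injection-fix.patch
@@ -0,0 +1,122 @@
+From ea7b67981156f3eaee8420bb34c49605573387a5 Mon Sep 17 00:00:00 2001
+From: shugo <shugo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
+Date: Wed, 8 Jun 2016 07:06:57 +0000
+Subject: [PATCH] Security: backport SMTP injection fix
+
+* lib/net/smtp.rb (getok, get_response): raise an ArgumentError when
+CR or LF is included in a line, because they are not allowed in
+RFC5321.
+
+https://hackerone.com/reports/137631
+---
+ChangeLog | 6 ++++++
+lib/net/smtp.rb | 9 +++++++++
+test/net/smtp/test_smtp.rb | 47 ++++++++++++++++++++++++++++++++++++++++++++++
+3 files changed, 62 insertions(+)
+
+diff --git a/ChangeLog b/ChangeLog
+index ab9a6bf18281..5176d362881b 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,9 @@
++Sun Jun 11 21:25:09 2017 Shugo Maeda <shugo@ruby-lang.org>
++
++ * lib/net/smtp.rb (getok, get_response): raise an ArgumentError when
++ CR or LF is included in a line, because they are not allowed in
++ RFC5321. https://hackerone.com/reports/137631 [Backport 0827a7e]
++
+Wed Jul 5 15:55:35 2017 NAKAMURA Usaku <usa@ruby-lang.org>
+
+* ext/openssl/ossl_cipher.c: remove the encryption key initialization
+diff --git a/lib/net/smtp.rb b/lib/net/smtp.rb
+index d634274c3ee8..78f2181d2a8b 100644
+--- a/lib/net/smtp.rb
++++ b/lib/net/smtp.rb
+@@ -926,7 +926,15 @@ def quit
+
+private
+
++ def validate_line(line)
++ # A bare CR or LF is not allowed in RFC5321.
++ if /[\r\n]/ =~ line
++ raise ArgumentError, "A line must not contain CR or LF"
++ end
++ end
++
+def getok(reqline)
++ validate_line reqline
+res = critical {
+@socket.writeline reqline
+recv_response()
+@@ -936,6 +944,7 @@ def getok(reqline)
+end
+
+def get_response(reqline)
++ validate_line reqline
+@socket.writeline reqline
+recv_response()
+end
+diff --git a/test/net/smtp/test_smtp.rb b/test/net/smtp/test_smtp.rb
+index 0edb3419d56e..3bcceb6fc5bb 100644
+--- a/test/net/smtp/test_smtp.rb
++++ b/test/net/smtp/test_smtp.rb
+@@ -6,6 +6,8 @@
+module Net
+class TestSMTP < Test::Unit::TestCase
+class FakeSocket
++ attr_reader :write_io
++
+def initialize out = "250 OK\n"
+@write_io = StringIO.new
+@read_io = StringIO.new out
+@@ -51,5 +53,50 @@ def test_rset
+
+assert smtp.rset
+end
++
++ def test_mailfrom
++ sock = FakeSocket.new
++ smtp = Net::SMTP.new 'localhost', 25
++ smtp.instance_variable_set :@socket, sock
++ assert smtp.mailfrom("foo@example.com").success?
++ assert_equal "MAIL FROM:<foo@example.com>\r\n", sock.write_io.string
++ end
++
++ def test_rcptto
++ sock = FakeSocket.new
++ smtp = Net::SMTP.new 'localhost', 25
++ smtp.instance_variable_set :@socket, sock
++ assert smtp.rcptto("foo@example.com").success?
++ assert_equal "RCPT TO:<foo@example.com>\r\n", sock.write_io.string
++ end
++
++ def test_auth_plain
++ sock = FakeSocket.new
++ smtp = Net::SMTP.new 'localhost', 25
++ smtp.instance_variable_set :@socket, sock
++ assert smtp.auth_plain("foo", "bar").success?
++ assert_equal "AUTH PLAIN AGZvbwBiYXI=\r\n", sock.write_io.string
++ end
++
++ def test_crlf_injection
++ smtp = Net::SMTP.new 'localhost', 25
++ smtp.instance_variable_set :@socket, FakeSocket.new
++
++ assert_raise(ArgumentError) do
++ smtp.mailfrom("foo\r\nbar")
++ end
++
++ assert_raise(ArgumentError) do
++ smtp.mailfrom("foo\rbar")
++ end
++
++ assert_raise(ArgumentError) do
++ smtp.mailfrom("foo\nbar")
++ end
++
++ assert_raise(ArgumentError) do
++ smtp.rcptto("foo\r\nbar")
++ end
++ end
+end
+end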
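Review bot: `validate_line` is reached only from `getok` and `get_response`, so the CR/LF guard covers exactly the commands routed through those two helpers; the hunks do not show whether lib/net/smtp.rb writes to `@socket` anywhere else, so that should be confirmed on the packaged tree before this is treated as the complete fix. The check runs before `@socket.writeline`, so a rejected line is never sent, which is the right ordering. The patch file is named for 2.4.0 while the spec's changelog records 2.3.3-63, so the `@@ -926,7 +926,15 @@ def quit` context may only apply with an offset on 2.3.3; the build log will show any fuzz. The new `test_crlf_injection` pins bare CR, bare LF and CRLF for `mailfrom` but only CRLF for `rcptto`; adding `smtp.rcptto("foo\rbar")` and `smtp.rcptto("foo\nbar")` cases would make the two paths symmetric. The enclosing `TestSMTP` class continues outside the hunk.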
12
ruby.spec
12
ruby.spec
@ -21,7 +21,7 @@
|
||||
%endif
|
||||
|
||||
|
||||
%global release 62
|
||||
%global release 63
|
||||
%{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
|
||||
|
||||
# The RubyGems library has to stay out of Ruby directory three, since the
|
||||
@ -126,6 +126,11 @@ Patch7: ruby-2.2.3-Generate-preludes-using-miniruby.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1381527
|
||||
# https://github.com/ruby/ruby/commit/739782e37a6662fea379e7ef3ec89e851b04b46c
|
||||
Patch10: ruby-2.3.4-remove-the-encryption-key-initialization.patch
|
||||
# Fix SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM
|
||||
# commands in Net::SMTP (CVE-2015-9096).
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1461848
|
||||
# https://github.com/ruby/ruby/pull/1647
|
||||
Patch11: ruby-2.4.0-SMTP-injection-fix.patch
|
||||
# Do not freeze strings in generated .gemspec. This causes regressions
|
||||
# and FTBFS in Fedora packages. This is revert of:
|
||||
# https://github.com/rubygems/rubygems/commit/8eda3272d28010c768a05620de776e5a8195c1ae
|
||||
@ -479,6 +484,7 @@ rm -rf ext/fiddle/libffi*
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch100 -p1
|
||||
|
||||
# Provide an example of usage of the tapset:
|
||||
@ -969,6 +975,10 @@ make check TESTS="-v $DISABLE_TESTS"
|
||||
%{ruby_libdir}/tkextlib
|
||||
|
||||
%changelog
|
||||
* Tue Aug 08 2017 Vít Ondruch <vondruch@redhat.com> - 2.3.3-63
|
||||
- Fix SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM
|
||||
commands in Net::SMTP (rhbz#1461848).
|
||||
|
||||
* Thu Jul 27 2017 Vít Ondruch <vondruch@redhat.com> - 2.3.3-62
|
||||
- Fix IV Reuse in GCM Mode (rhbz#1381527).
|
||||
|
||||
|
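Review bot: The new %changelog entry names only rhbz#1461848, while the Patch11 comment added earlier in this section also records CVE-2015-9096; carrying the CVE id into the changelog lets the advisory be found from `rpm -q --changelog` without opening the spec. Suggested entry: `- Fix SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM` followed by `  commands in Net::SMTP (CVE-2015-9096, rhbz#1461848).`. The Patch11 comment cites ruby/ruby pull 1647 whereas the patch file itself says `[Backport 0827a7e]`; if both are intended, a short comment line saying the pull request is the backport of that commit would save the next maintainer the lookup.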