Fix SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands in Net::SMTP (rhbz#1461848).

2017-08-08 11:56:42 +02:00 · 2017-08-08 11:56:42 +02:00 · d922de7541
commit d922de7541
parent b325f28a94
2 changed files with 133 additions and 1 deletions
--- a/ruby-2.4.0-SMTP-injection-fix.patch
+++ b/ruby-2.4.0-SMTP-injection-fix.patch
@ -0,0 +1,122 @@
 From ea7b67981156f3eaee8420bb34c49605573387a5 Mon Sep 17 00:00:00 2001
 From: shugo <shugo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
 Date: Wed, 8 Jun 2016 07:06:57 +0000
 Subject: [PATCH] Security: backport SMTP injection fix
 * lib/net/smtp.rb (getok, get_response): raise an ArgumentError when
 CR or LF is included in a line, because they are not allowed in
 RFC5321.
 https://hackerone.com/reports/137631
 ---
 ChangeLog                  |  6 ++++++
 lib/net/smtp.rb            |  9 +++++++++
 test/net/smtp/test_smtp.rb | 47 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 62 insertions(+)
 diff --git a/ChangeLog b/ChangeLog
 index ab9a6bf18281..5176d362881b 100644
 --- a/ChangeLog
 +++ b/ChangeLog
@@ -1,3 +1,9 @@
 +Sun Jun 11 21:25:09 2017  Shugo Maeda  <shugo@ruby-lang.org>
 +
 +	* lib/net/smtp.rb (getok, get_response): raise an ArgumentError when
 +	  CR or LF is included in a line, because they are not allowed in
 +	  RFC5321. https://hackerone.com/reports/137631 [Backport 0827a7e]
 +
 Wed Jul  5 15:55:35 2017  NAKAMURA Usaku  <usa@ruby-lang.org>
 	* ext/openssl/ossl_cipher.c: remove the encryption key initialization
 diff --git a/lib/net/smtp.rb b/lib/net/smtp.rb
 index d634274c3ee8..78f2181d2a8b 100644
 --- a/lib/net/smtp.rb
 +++ b/lib/net/smtp.rb
@@ -926,7 +926,15 @@ def quit
     private
 +    def validate_line(line)
 +      # A bare CR or LF is not allowed in RFC5321.
 +      if /[\r\n]/ =~ line
 +        raise ArgumentError, "A line must not contain CR or LF"
 +      end
 +    end
 +
     def getok(reqline)
 +      validate_line reqline
       res = critical {
         @socket.writeline reqline
         recv_response()
@@ -936,6 +944,7 @@ def getok(reqline)
     end
     def get_response(reqline)
 +      validate_line reqline
       @socket.writeline reqline
       recv_response()
     end
 diff --git a/test/net/smtp/test_smtp.rb b/test/net/smtp/test_smtp.rb
 index 0edb3419d56e..3bcceb6fc5bb 100644
 --- a/test/net/smtp/test_smtp.rb
 +++ b/test/net/smtp/test_smtp.rb
@@ -6,6 +6,8 @@
 module Net
   class TestSMTP < Test::Unit::TestCase
     class FakeSocket
 +      attr_reader :write_io
 +
       def initialize out = "250 OK\n"
         @write_io = StringIO.new
         @read_io  = StringIO.new out
@@ -51,5 +53,50 @@ def test_rset
       assert smtp.rset
     end
 +
 +    def test_mailfrom
 +      sock = FakeSocket.new
 +      smtp = Net::SMTP.new 'localhost', 25
 +      smtp.instance_variable_set :@socket, sock
 +      assert smtp.mailfrom("foo@example.com").success?
 +      assert_equal "MAIL FROM:<foo@example.com>\r\n", sock.write_io.string
 +    end
 +
 +    def test_rcptto
 +      sock = FakeSocket.new
 +      smtp = Net::SMTP.new 'localhost', 25
 +      smtp.instance_variable_set :@socket, sock
 +      assert smtp.rcptto("foo@example.com").success?
 +      assert_equal "RCPT TO:<foo@example.com>\r\n", sock.write_io.string
 +    end
 +
 +    def test_auth_plain
 +      sock = FakeSocket.new
 +      smtp = Net::SMTP.new 'localhost', 25
 +      smtp.instance_variable_set :@socket, sock
 +      assert smtp.auth_plain("foo", "bar").success?
 +      assert_equal "AUTH PLAIN AGZvbwBiYXI=\r\n", sock.write_io.string
 +    end
 +
 +    def test_crlf_injection
 +      smtp = Net::SMTP.new 'localhost', 25
 +      smtp.instance_variable_set :@socket, FakeSocket.new
 +
 +      assert_raise(ArgumentError) do
 +        smtp.mailfrom("foo\r\nbar")
 +      end
 +
 +      assert_raise(ArgumentError) do
 +        smtp.mailfrom("foo\rbar")
 +      end
 +
 +      assert_raise(ArgumentError) do
 +        smtp.mailfrom("foo\nbar")
 +      end
 +
 +      assert_raise(ArgumentError) do
 +        smtp.rcptto("foo\r\nbar")
 +      end
 +    end
   end
 end
--- a/ruby.spec
+++ b/ruby.spec
@ -21,7 +21,7 @@
 %endif
-%global release 62
+%global release 63
 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
 # The RubyGems library has to stay out of Ruby directory three, since the
@ -130,6 +130,11 @@ Patch9: ruby-2.3.1-Rely-on-ldd-to-detect-glibc.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1381527
 # https://github.com/ruby/ruby/commit/739782e37a6662fea379e7ef3ec89e851b04b46c
 Patch10: ruby-2.3.4-remove-the-encryption-key-initialization.patch
 # Fix SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM
 # commands in Net::SMTP (CVE-2015-9096).
 # https://bugzilla.redhat.com/show_bug.cgi?id=1461848
 # https://github.com/ruby/ruby/pull/1647
 Patch11: ruby-2.4.0-SMTP-injection-fix.patch
 # Do not freeze strings in generated .gemspec. This causes regressions
 # and FTBFS in Fedora packages. This is revert of:
 # https://github.com/rubygems/rubygems/commit/8eda3272d28010c768a05620de776e5a8195c1ae
@ -484,6 +489,7 @@ rm -rf ext/fiddle/libffi*
 %patch7 -p1
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
 %patch100 -p1
 # Provide an example of usage of the tapset:
@ -974,6 +980,10 @@ make check TESTS="-v $DISABLE_TESTS"
 %{ruby_libdir}/tkextlib
 %changelog
 * Tue Aug 08 2017 Vít Ondruch <vondruch@redhat.com> - 2.3.3-63
 - Fix SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM
  commands in Net::SMTP (rhbz#1461848).
 * Thu Jul 27 2017 Vít Ondruch <vondruch@redhat.com> - 2.3.3-62
 - Fix IV Reuse in GCM Mode (rhbz#1381527).