Bug 1207596 (CVE-2022-44572) - VUL-0: CVE-2022-44572: rubygem-rack: denial of service in Content-Disposition parsing
Summary: VUL-0: CVE-2022-44572: rubygem-rack: denial of service in Content-Disposition...
Status: RESOLVED FIXED
Alias: CVE-2022-44572
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/355019/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-44572:5.9:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-01-26 16:28 UTC by Thomas Leroy
Modified: 2024-05-03 10:43 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Leroy 2023-01-26 16:28:40 UTC 
rh#2164722

Carefully crafted input can cause RFC2183 multipart boundary parsing in Rackto take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

Upstream fix:
https://github.com/rack/rack/commit/a493640cd89aec9c148bc9d22c5f938ca9ed0dfa

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2164722
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-44572
Comment 1 Thomas Leroy 2023-01-26 16:34:35 UTC 
Affected:
- SUSE:SLE-15:Update
- openSUSE:Factory
Comment 2 Petr Gajdos 2023-01-27 08:14:58 UTC 
(In reply to Thomas Leroy from comment #1)
> - openSUSE:Factory

3.0.4.1 is in Factory:

-------------------------------------------------------------------
Fri Jan 20 13:25:39 UTC 2023 - Hendrik Vogelsang <hvogel@suse.com>

updated to version 3.0.4.1

[CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
[CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
[CVE-2022-44572] Forbid control characters in attributes (also ReDoS)

For more detailed information see the installed CHANGELOG.md

-------------------------------------------------------------------


I have double checked that the patch is there already.
Comment 3 Petr Gajdos 2023-01-27 08:54:56 UTC 
Will submit for 15/rubygem-rack.
Comment 4 Petr Gajdos 2023-01-27 09:09:46 UTC 
Package submitted.

I believe all fixed.
Comment 6 Swamp Workflow Management 2023-02-06 20:21:03 UTC 
SUSE-SU-2023:0276-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1207596,1207597,1207599
CVE References: CVE-2022-44570,CVE-2022-44571,CVE-2022-44572
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    rubygem-rack-2.0.8-150000.3.12.1
SUSE Linux Enterprise High Availability 15-SP4 (src):    rubygem-rack-2.0.8-150000.3.12.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    rubygem-rack-2.0.8-150000.3.12.1
SUSE Linux Enterprise High Availability 15-SP2 (src):    rubygem-rack-2.0.8-150000.3.12.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    rubygem-rack-2.0.8-150000.3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Robert Frohl 2024-05-03 10:43:13 UTC 
done, closing