From 94cd92c43eb979684cb0aab0b636f867645123f2 Mon Sep 17 00:00:00 2001 From: cicd Date: Wed, 12 Feb 2025 07:55:38 +0100 Subject: [PATCH] commit by to_remotes 2025-02-12 07:55:38 +0100 from cicd --- bundle-audit-time.txt | 2 +- bundle-audit.json | 2 +- report.txt | 11 ++++++++++- update-info.txt | 12 ++++++++---- 4 files changed, 20 insertions(+), 7 deletions(-) diff --git a/bundle-audit-time.txt b/bundle-audit-time.txt index b7ad198..2c7c726 100644 --- a/bundle-audit-time.txt +++ b/bundle-audit-time.txt @@ -1 +1 @@ -2025-02-10T14:55:08+01:00 +2025-02-12T07:55:38+01:00 diff --git a/bundle-audit.json b/bundle-audit.json index 5d8dc77..c0b2f25 100644 --- a/bundle-audit.json +++ b/bundle-audit.json 
@@ -1 +1 @@ -{"version":"0.9.2","created_at":"2025-02-10 14:55:08 +0100","results":[]} \ No newline at end of file +{"version":"0.9.2","created_at":"2025-02-12 07:55:38 +0100","results":[{"type":"unpatched_gem","gem":{"name":"net-imap","version":"0.5.5"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/net-imap/CVE-2025-25186.yml","id":"CVE-2025-25186","url":"https://github.com/ruby/net-imap/security/advisories/GHSA-7fc5-f82f-cx69","title":"Possible DoS by memory exhaustion in net-imap","date":"2025-02-10","description":"### Summary\n\nThere is a possibility for denial of service by memory exhaustion in\n`net-imap`'s response parser. At any time while the client is\nconnected, a malicious server can send can send highly compressed\n`uid-set` data which is automatically read by the client's receiver\nthread. The response parser uses `Range#to_a` to convert the\n`uid-set` data into arrays of integers, with no limitation on the\nexpanded size of the ranges.\n\n### Details\n\nIMAP's `uid-set` and `sequence-set` formats can compress ranges of\nnumbers, for example: `\"1,2,3,4,5\"` and `\"1:5\"` both represent the\nsame set. When `Net::IMAP::ResponseParser` receives `APPENDUID` or\n`COPYUID` response codes, it expands each `uid-set` into an array of\nintegers. On a 64 bit system, these arrays will expand to 8 bytes\nfor each number in the set. 
A malicious IMAP server may send\nspecially crafted `APPENDUID` or `COPYUID` responses with very large\n`uid-set` ranges.\n\nThe `Net::IMAP` client parses each server response in a separate\nthread, as soon as each responses is received from the server.\nThis attack works even when the client does not handle the\n`APPENDUID` or `COPYUID` responses.\n\nMalicious inputs:\n\n```ruby\n# 40 bytes expands to ~1.6GB:\n\"* OK [COPYUID 1 1:99999999 1:99999999]\\r\\n\"\n\n# Worst *valid* input scenario (using uint32 max),\n# 44 bytes expands to 64GiB:\n\"* OK [COPYUID 1 1:4294967295 1:4294967295]\\r\\n\"\n\n# Numbers must be non-zero uint32, but this isn't validated. Arrays\n# larger than UINT32_MAX can be created. For example, the following\n# would theoretically expand to almost 800 exabytes:\n\"* OK [COPYUID 1 1:99999999999999999999 1:99999999999999999999]\\r\\n\"\n```\n\nSimple way to test this:\n```ruby\nrequire \"net/imap\"\n\ndef test(size)\n input = \"A004 OK [COPYUID 1 1:#{size} 1:#{size}] too large?\\n\"\n parser = Net::IMAP::ResponseParser.new\n parser.parse input\nend\n\ntest(99_999_999)\n```\n\n### Fixes\n\n#### Preferred Fix, minor API changes\n\nUpgrade to v0.4.19, v0.5.6, or higher, and configure:\n\n```ruby\n# globally\nNet::IMAP.config.parser_use_deprecated_uidplus_data = false\n# per-client\nimap = Net::IMAP.new(hostname, ssl: true,\n parser_use_deprecated_uidplus_data: false)\nimap.config.parser_use_deprecated_uidplus_data = false\n```\n\nThis replaces `UIDPlusData` with `AppendUIDData` and `CopyUIDData`.\nThese classes store their UIDs as `Net::IMAP::SequenceSet` objects\n(_not_ expanded into arrays of integers). Code that does not handle\n`APPENDUID` or `COPYUID` responses will not notice any difference.\nCode that does handle these responses _may_ need to be updated. 
See\nthe documentation for\n[UIDPlusData](https://ruby.github.io/net-imap/Net/IMAP/UIDPlusData.html),\n[AppendUIDData](https://ruby.github.io/net-imap/Net/IMAP/AppendUIDData.html)\nand [CopyUIDData](https://ruby.github.io/net-imap/Net/IMAP/CopyUIDData.html).\n\nFor v0.3.8, this option is not available.\nFor v0.4.19, the default value is `true`.\nFor v0.5.6, the default value is `:up_to_max_size`.\nFor v0.6.0, the only allowed value will be `false` _(`UIDPlusData`\nwill be removed from v0.6)_.\n\n#### Mitigation, backward compatible API\n\nUpgrade to v0.3.8, v0.4.19, v0.5.6, or higher.\n\nFor backward compatibility, `uid-set` can still be expanded\ninto an array, but a maximum limit will be applied.\n\nAssign `config.parser_max_deprecated_uidplus_data_size` to set the\nmaximum `UIDPlusData` UID set size. When\n`config.parser_use_deprecated_uidplus_data == true`, larger sets will crash.\nWhen `config.parser_use_deprecated_uidplus_data == :up_to_max_size`,\nlarger sets will use `AppendUIDData` or `CopyUIDData`.\n\nFor v0.3,8, this limit is _hard-coded_ to 10,000, and larger sets\nwill always raise `Net::IMAP::ResponseParseError`.\nFor v0.4.19, the limit defaults to 1000.\nFor v0.5.6, the limit defaults to 100.\nFor v0.6.0, the limit will be ignored _(`UIDPlusData` will be\nremoved from v0.6)_.\n\n#### Please Note: unhandled responses\n\nIf the client does not add response handlers to prune unhandled\nresponses, a malicious server can still eventually exhaust all\n\nclient memory, by repeatedly sending malicious responses. 
However,\n`net-imap` has always retained unhandled responses, and it has always\nbeen necessary for long-lived connections to prune these responses.\n_This is not significantly different from connecting to a trusted\nserver with a long-lived connection._ To limit the maximum number\nof retained responses, a simple handler might look something like\nthe following:\n\n```ruby\nlimit = 1000\nimap.add_response_handler do |resp|\n next unless resp.respond_to?(:name) && resp.respond_to?(:data)\n name = resp.name\n code = resp.data.code&.name if resp.data.respond_to?(:code)\n if Net::IMAP::VERSION > \"0.4.0\"\n imap.responses(name) { _1.slice!(0...-limit) }\n imap.responses(code) { _1.slice!(0...-limit) }\n else\n imap.responses(name).slice!(0...-limit)\n imap.responses(code).slice!(0...-limit)\n end\nend\n```\n","cvss_v2":null,"cvss_v3":6.5,"cve":"2025-25186","osvdb":null,"ghsa":"7fc5-f82f-cx69","unaffected_versions":["< 0.3.2"],"patched_versions":["~> 0.3.8","~> 0.4.19",">= 0.5.6"],"criticality":"medium"}}]} \ No newline at end of file diff --git a/report.txt b/report.txt index 8900c02..cacf445 100644 --- a/report.txt +++ b/report.txt @@ -1 +1,10 @@ -No vulnerabilities found +Name: net-imap +Version: 0.5.5 +CVE: CVE-2025-25186 +GHSA: GHSA-7fc5-f82f-cx69 +Criticality: Medium +URL: https://github.com/ruby/net-imap/security/advisories/GHSA-7fc5-f82f-cx69 +Title: Possible DoS by memory exhaustion in net-imap +Solution: update to '~> 0.3.8', '~> 0.4.19', '>= 0.5.6' + +Vulnerabilities found! diff --git a/update-info.txt b/update-info.txt index bc5e17a..dd05665 100644 --- a/update-info.txt +++ b/update-info.txt 
@@ -1,7 +1,11 @@ Updating ruby-advisory-db ... -Already up to date. +Updating b32baf6..44593ed +Fast-forward + gems/net-imap/CVE-2025-25186.yml | 157 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 157 insertions(+) + create mode 100644 gems/net-imap/CVE-2025-25186.yml Updated ruby-advisory-db ruby-advisory-db: - advisories: 956 advisories - last updated: 2025-01-10 09:46:29 -0800 - commit: b32baf6555837ed77f09eff462f8bbd6779d8d32 + advisories: 957 advisories + last updated: 2025-02-11 12:00:22 -0800 + commit: 44593edd43b5890a2b28b3febf5f18f776615bf1
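
Review bot: bundle-audit-time.txt duplicates the instant that bundle-audit.json already carries in created_at, and in a different format (2025-02-12T07:55:38+01:00 in the text file, "2025-02-12 07:55:38 +0100" in the JSON). Two copies in two formats have to be reconciled by every consumer. If the separate file must stay, derive it from created_at so the two cannot drift, and use one timestamp format for both.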
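
Review bot: in the bundle-audit.json hunk, the advisory "path" field commits an absolute path under /home/wiseadvice/.local/share/ruby-advisory-db/, which writes the CI account name and home directory layout into the repository history. Strip or relativize that field before committing; gems/net-imap/CVE-2025-25186.yml together with the advisory-db commit recorded in update-info.txt is enough to locate the advisory. The file is also a single line with no newline at end of file, so any change replaces the whole line and the diff cannot show which result was added. Pretty-printing the JSON before commit would give reviewable per-field diffs.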
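
Review bot: net-imap 0.5.5 is still unpatched after this commit: the diffstat touches only the four report files, and report.txt gives the solution for the 0.5 line as '>= 0.5.6'. A follow-up change needs to bump the locked version to 0.5.6 or later. Per the advisory text in bundle-audit.json, v0.5.6 defaults parser_use_deprecated_uidplus_data to :up_to_max_size with a limit of 100, and setting it to false is the preferred fix, so the follow-up should decide which of the two is wanted. report.txt also drops the score (cvss_v3 is 6.5 in the JSON) and keeps only "Criticality: Medium"; carrying the score through would help triage. The commit subject ("commit by to_remotes ...") gives no hint that the result changed from "No vulnerabilities found" to "Vulnerabilities found!"; naming the new finding in the subject would make the state change visible in the log.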
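
Review bot: update-info.txt stores the raw output of the advisory-db update ("Updating b32baf6..44593ed", "Fast-forward", the diffstat and "create mode" lines), which varies between runs and adds diff noise without adding information beyond the summary block. The three summary fields (advisories: 957, last updated: 2025-02-11 12:00:22 -0800, commit: 44593edd43b5890a2b28b3febf5f18f776615bf1) are what make a scan reproducible; consider committing only those. The summary also shows why the update step matters: the previous database state was last updated 2025-01-10, while the advisory itself is dated 2025-02-10 in bundle-audit.json, so a run against a database that failed to update would still have reported "No vulnerabilities found".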