Fix information disclosure via MITM attack bypassing TLS in net-imap.

Fixes CVE-2026-42246.

Test commits from PR were dropped. The gem does not have tests in the ruby tar.

Backported from
https://github.com/ruby/net-imap/commit/705aa59
https://github.com/ruby/net-imap/commit/038ae35

Resolves: RHEL-181769
This commit is contained in:
Jarek Prokop 2026-06-11 16:30:55 +02:00
parent ddc73cf564
commit dac8422aaf
2 changed files with 125 additions and 0 deletions

View File

@ -305,6 +305,11 @@ Patch17: rubygem-erb-4.0.3.1-Fix-arbitrary-code-execution-via-deserialization-by
# https://github.com/ruby/net-imap/commit/0560d26
# https://github.com/ruby/net-imap/commit/bfdae21
Patch18: rubygem-net-imap-0.4.24-DoS-via-crafted-IMAP-responses-CVE-2026-42245.patch
# Test commits from PR were dropped. The gem does not have tests in the ruby tar.
# Backported from
# https://github.com/ruby/net-imap/commit/705aa59
# https://github.com/ruby/net-imap/commit/038ae35
Patch19: rubygem-net-imap-0.4.24-Information-disclosure-via-MITM-attack-bypassing-TLS-2026-42246.patch
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%{?with_rubypick:Suggests: rubypick}
@ -792,6 +797,7 @@ analysis result in RBS format, a standard type description format for Ruby
pushd .bundle/gems/net-imap-%{net_imap_version}
%patch 18 -p1
%patch 19 -p1
popd
# Provide an example of usage of the tapset:
@ -1801,6 +1807,9 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
* Thu Jun 11 2026 Jarek Prokop <jprokop@redhat.com> - 3.3.10-13
- Fix DoS via crafted IMAP responses in net-imap. (CVE-2026-42245)
Resolves: RHEL-181681
- Fix information disclosure via MITM attack bypassing TLS in net-imap.
(CVE-2026-42246)
Resolves: RHEL-181769
* Tue Apr 28 2026 Jarek Prokop <jprokop@redhat.com> - 3.3.10-12
- Fix arbitrary code execution via deserialization bypass in ERB. (CVE-2026-41316)

View File

@ -0,0 +1,116 @@
From 4244a308dc09682079ef461b68b08ad4ad9e5a57 Mon Sep 17 00:00:00 2001
From: nick evans <nick@rubinick.dev>
Date: Fri, 27 Mar 2026 17:31:11 -0400
Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=8D=92=20pick=2062eea6ffe:=20?=
=?UTF-8?q?=F0=9F=94=92=F0=9F=A5=85=20Ensure=20STARTTLS=20tagged=20respons?=
=?UTF-8?q?e=20was=20handled=20[backport=20#664]?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Taking a "belt-and-suspenders" approach to a STARTTLS stripping attack:
This handles `STARTTLS` as a special-case: if the `STARTTLS` handler
did not run, for _whatever_ reason, an exception _must_ be raised and
the connection dropped.
_No_ command should ever receive a tagged `OK` prior to completely
sending the command. But `STARTTLS` is security-sensitive enough to
warrant this special-case handler.
---
lib/net/imap.rb | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/lib/net/imap.rb b/lib/net/imap.rb
index 84bc094..a8ac7d8 100644
--- a/lib/net/imap.rb
+++ b/lib/net/imap.rb
@@ -1294,9 +1294,11 @@ module Net
#
def starttls(**options)
@ssl_ctx_params, @ssl_ctx = build_ssl_ctx(options)
+ handled = false
error = nil
ok = send_command("STARTTLS") do |resp|
if resp.kind_of?(TaggedResponse) && resp.name == "OK"
+ handled = true
clear_cached_capabilities
clear_responses
start_tls_session
@@ -1308,6 +1310,13 @@ module Net
disconnect
raise error
end
+ unless handled
+ disconnect
+ raise InvalidResponseError,
+ "STARTTLS handler was bypassed, although server responded %p" % [
+ ok.raw_data.chomp
+ ]
+ end
ok
end
From 00192b9a410251c5ed76c96be564d739cba67008 Mon Sep 17 00:00:00 2001
From: nick evans <nick@rubinick.dev>
Date: Fri, 27 Mar 2026 18:00:09 -0400
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=8D=92=20pick=2024d5c773d:=20?=
=?UTF-8?q?=F0=9F=94=92=F0=9F=A5=85=20Handle=20tagged=20"OK"=20to=20incomp?=
=?UTF-8?q?lete=20command=20[backport=20#664]?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Taking a "belt-and-suspenders" approach:
This is a potential problem for any command which registers a response
handler: a malicious server can easily guess what the next tag will be,
and send an `OK` response _before_ the client the response handler is
attached.
`STARTTLS` is an extreme example of this issue: if the `STARTTLS`
handler does not run, then `#starttls` will not start the TLS session,
and the connection is not secured, _but no error is raised._
We should _also_ attach the response handler before sending the `CRLF`,
but that is neither necessary (the response handler will added before
the `synchronize` mutex is unlocked) nor sufficient (the fake `OK` can
be sent _much_ earlier).
On the other hand, it _is_ okay for the server to send an error tagged
response (`NO` or `BAD`), before the sending the command has completed.
---
lib/net/imap.rb | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/lib/net/imap.rb b/lib/net/imap.rb
index a8ac7d8..b9072b1 100644
--- a/lib/net/imap.rb
+++ b/lib/net/imap.rb
@@ -3001,6 +3001,7 @@ module Net
put_string(" ")
send_data(i, tag)
end
+ guard_against_tagged_response_skipping_handler!(tag)
put_string(CRLF)
if cmd == "LOGOUT"
@logout_command_tag = tag
@@ -3016,6 +3017,17 @@ module Net
end
end
end
+ rescue InvalidResponseError
+ disconnect
+ raise
+ end
+
+ def guard_against_tagged_response_skipping_handler!(tag)
+ return unless (resp = @tagged_responses[tag])&.name&.upcase == "OK"
+ raise(InvalidResponseError,
+ "Server sent tagged 'OK' before command was finished: %p. " \
+ "This could indicate a malicious server or client-side " \
+ "command injection. Disconnecting." % [resp.raw_data.chomp])
end
def generate_tag