diff --git a/ruby.spec b/ruby.spec index f446b2c..ed27e74 100644 --- a/ruby.spec +++ b/ruby.spec @@ -305,6 +305,11 @@ Patch17: rubygem-erb-4.0.3.1-Fix-arbitrary-code-execution-via-deserialization-by # https://github.com/ruby/net-imap/commit/0560d26 # https://github.com/ruby/net-imap/commit/bfdae21 Patch18: rubygem-net-imap-0.4.24-DoS-via-crafted-IMAP-responses-CVE-2026-42245.patch +# Test commits from PR were dropped. The gem does not have tests in the ruby tar. +# Backported from +# https://github.com/ruby/net-imap/commit/705aa59 +# https://github.com/ruby/net-imap/commit/038ae35 +Patch19: rubygem-net-imap-0.4.24-Information-disclosure-via-MITM-attack-bypassing-TLS-2026-42246.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} %{?with_rubypick:Suggests: rubypick} @@ -792,6 +797,7 @@ analysis result in RBS format, a standard type description format for Ruby pushd .bundle/gems/net-imap-%{net_imap_version} %patch 18 -p1 +%patch 19 -p1 popd # Provide an example of usage of the tapset: @@ -1801,6 +1807,9 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \ * Thu Jun 11 2026 Jarek Prokop - 3.3.10-13 - Fix DoS via crafted IMAP responses in net-imap. (CVE-2026-42245) Resolves: RHEL-181681 +- Fix information disclosure via MITM attack bypassing TLS in net-imap. + (CVE-2026-42246) + Resolves: RHEL-181769 * Tue Apr 28 2026 Jarek Prokop - 3.3.10-12 - Fix arbitrary code execution via deserialization bypass in ERB. (CVE-2026-41316) diff --git a/rubygem-net-imap-0.4.24-Information-disclosure-via-MITM-attack-bypassing-TLS-2026-42246.patch b/rubygem-net-imap-0.4.24-Information-disclosure-via-MITM-attack-bypassing-TLS-2026-42246.patch new file mode 100644 index 0000000..59ca527 --- /dev/null +++ b/rubygem-net-imap-0.4.24-Information-disclosure-via-MITM-attack-bypassing-TLS-2026-42246.patch @@ -0,0 +1,116 @@ +From 4244a308dc09682079ef461b68b08ad4ad9e5a57 Mon Sep 17 00:00:00 2001 +From: nick evans +Date: Fri, 27 Mar 2026 17:31:11 -0400 +Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=8D=92=20pick=2062eea6ffe:=20?= + =?UTF-8?q?=F0=9F=94=92=F0=9F=A5=85=20Ensure=20STARTTLS=20tagged=20respons?= + =?UTF-8?q?e=20was=20handled=20[backport=20#664]?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Taking a "belt-and-suspenders" approach to a STARTTLS stripping attack: + +This handles `STARTTLS` as a special-case: if the `STARTTLS` handler +did not run, for _whatever_ reason, an exception _must_ be raised and +the connection dropped. + +_No_ command should ever receive a tagged `OK` prior to completely +sending the command. But `STARTTLS` is security-sensitive enough to +warrant this special-case handler. +--- + lib/net/imap.rb | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/lib/net/imap.rb b/lib/net/imap.rb +index 84bc094..a8ac7d8 100644 +--- a/lib/net/imap.rb ++++ b/lib/net/imap.rb +@@ -1294,9 +1294,11 @@ module Net + # + def starttls(**options) + @ssl_ctx_params, @ssl_ctx = build_ssl_ctx(options) ++ handled = false + error = nil + ok = send_command("STARTTLS") do |resp| + if resp.kind_of?(TaggedResponse) && resp.name == "OK" ++ handled = true + clear_cached_capabilities + clear_responses + start_tls_session +@@ -1308,6 +1310,13 @@ module Net + disconnect + raise error + end ++ unless handled ++ disconnect ++ raise InvalidResponseError, ++ "STARTTLS handler was bypassed, although server responded %p" % [ ++ ok.raw_data.chomp ++ ] ++ end + ok + end + + +From 00192b9a410251c5ed76c96be564d739cba67008 Mon Sep 17 00:00:00 2001 +From: nick evans +Date: Fri, 27 Mar 2026 18:00:09 -0400 +Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=8D=92=20pick=2024d5c773d:=20?= + =?UTF-8?q?=F0=9F=94=92=F0=9F=A5=85=20Handle=20tagged=20"OK"=20to=20incomp?= + =?UTF-8?q?lete=20command=20[backport=20#664]?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Taking a "belt-and-suspenders" approach: + +This is a potential problem for any command which registers a response +handler: a malicious server can easily guess what the next tag will be, +and send an `OK` response _before_ the client the response handler is +attached. + +`STARTTLS` is an extreme example of this issue: if the `STARTTLS` +handler does not run, then `#starttls` will not start the TLS session, +and the connection is not secured, _but no error is raised._ + +We should _also_ attach the response handler before sending the `CRLF`, +but that is neither necessary (the response handler will added before +the `synchronize` mutex is unlocked) nor sufficient (the fake `OK` can +be sent _much_ earlier). + +On the other hand, it _is_ okay for the server to send an error tagged +response (`NO` or `BAD`), before the sending the command has completed. +--- + lib/net/imap.rb | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/lib/net/imap.rb b/lib/net/imap.rb +index a8ac7d8..b9072b1 100644 +--- a/lib/net/imap.rb ++++ b/lib/net/imap.rb +@@ -3001,6 +3001,7 @@ module Net + put_string(" ") + send_data(i, tag) + end ++ guard_against_tagged_response_skipping_handler!(tag) + put_string(CRLF) + if cmd == "LOGOUT" + @logout_command_tag = tag +@@ -3016,6 +3017,17 @@ module Net + end + end + end ++ rescue InvalidResponseError ++ disconnect ++ raise ++ end ++ ++ def guard_against_tagged_response_skipping_handler!(tag) ++ return unless (resp = @tagged_responses[tag])&.name&.upcase == "OK" ++ raise(InvalidResponseError, ++ "Server sent tagged 'OK' before command was finished: %p. " \ ++ "This could indicate a malicious server or client-side " \ ++ "command injection. Disconnecting." % [resp.raw_data.chomp]) + end + + def generate_tag