Fix for CVE-2026-42258.

Fix Net::IMAP command injection vulnerability via unvalidated Symbol arguments.

Advisory: https://github.com/advisories/GHSA-75xq-5h9v-w6px

Sourced from:
  - https://github.com/ruby/net-imap/commit/9db3e9d

Resolves: RHEL-181785
This commit is contained in:
tjuhasz 2026-06-18 15:38:16 +02:00
parent 82e2db5a23
commit 24e45038e0
2 changed files with 107 additions and 0 deletions

View File

@ -356,6 +356,12 @@ Patch13: rubygem-net-imap-0.6.2-ResponseReader-quadratic-complexity-CVE-2026-422
# - https://github.com/ruby/net-imap/commit/62eea6ff
# - https://github.com/ruby/net-imap/commit/24d5c773
Patch14: rubygem-net-imap-0.6.2-STARTTLS-stripping-vulnerability-CVE-2026-42246.patch
# CVE-2026-42258
# Fix Net::IMAP command injection vulnerability via unvalidated Symbol arguments
# Advisory: https://github.com/advisories/GHSA-75xq-5h9v-w6px
# Sourced from:
# - https://github.com/ruby/net-imap/commit/9db3e9d
Patch15: rubygem-net-imap-0.6.2-flag-symbol-validation-CVE-2026-42258.patch
%{?with_rubypick:Suggests: rubypick}
@ -524,6 +530,7 @@ popd
pushd .bundle/gems/net-imap-%{net_imap_version}
%patch 13 -p1
%patch 14 -p1
%patch 15 -p1
popd
# Provide an example of usage of the tapset:
@ -1672,6 +1679,8 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
Resolves: RHEL-181680
- Fix Net::IMAP STARTTLS stripping vulnerability (CVE-2026-42246)
Resolves: RHEL-181753
- Fix Net::IMAP command injection vulnerability via unvalidated Symbol arguments (CVE-2026-42258)
Resolves: RHEL-181785
* Wed Apr 29 2026 Tomas Juhasz <tjuhasz@redhat.com> - 4.0.3-34
- Upgrade to Ruby 4.0.3.

View File

@ -0,0 +1,98 @@
From 9db3e9d Mon Sep 17 00:00:00 2001
From: nick evans <nick@rubinick.dev>
Date: Thu, 19 Feb 2026 15:06:08 -0500
Subject: [PATCH] =?UTF-8?q?=F0=9F=A5=85=20Strictly=20validate=20symbol=20(?=
=?UTF-8?q?\flag)=20arguments?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flags should not allow `atom-specials`.
Previously, no validation was done on symbol data. Sending atom or flag
args which contain atom specials could lead to various errors.
Although this could theoretically include injection attacks, this is not
considered to be a critical vulnerability in `net-imap`, for the
following reason: Valid "system flag" inputs are restricted to an
enumerated set of RFC-defined flag types. User-defined "keyword" flags
are sent as atoms, not flags, which use string inputs (strings which
can't be sent as an atom will be quoted or sent as a literal). `\Seen`
as a flag (symbol argument) is semantically different from `Seen` as a
keyword (string argument). So there is no scenario where it is
appropriate to call `#to_sym` on unvetted user input. Any code which
calls `#to_sym` indiscriminately on user-input is already buggy.
Nevertheless, users should reasonably be able to rely on `net-imap` to
do very basic input validation on its basic input types.
---
lib/net/imap/command_data.rb | 33 +++++++++++++++++++++++++++------
1 file changed, 27 insertions(+), 6 deletions(-)
diff --git a/lib/net/imap/command_data.rb b/lib/net/imap/command_data.rb
index 02b9a61..2671d5d 100644
--- a/lib/net/imap/command_data.rb
+++ b/lib/net/imap/command_data.rb
@@ -25,6 +25,7 @@ module Net
end
when Time, Date, DateTime
when Symbol
+ Flag.validate(data)
else
data.validate
end
@@ -45,7 +46,7 @@ module Net
when Date
send_date_data(data)
when Symbol
- send_symbol_data(data)
+ Flag[data].send_data(self, tag)
else
data.send_data(self, tag)
end
@@ -115,11 +116,13 @@ module Net
def send_date_data(date) put_string Net::IMAP.encode_date(date) end
def send_time_data(time) put_string Net::IMAP.encode_time(time) end
- def send_symbol_data(symbol)
- put_string("\\" + symbol.to_s)
- end
-
CommandData = Data.define(:data) do # :nodoc:
+ def self.validate(...)
+ data = new(...)
+ data.validate
+ data
+ end
+
def send_data(imap, tag)
raise NoMethodError, "#{self.class} must implement #{__method__}"
end
@@ -135,8 +138,26 @@ module Net
end
class Atom < CommandData # :nodoc:
+ def initialize(**)
+ super
+ validate
+ end
+
+ def validate
+ data.to_s.ascii_only? \
+ or raise DataFormatError, "#{self.class} must be ASCII only"
+ data.match?(ResponseParser::Patterns::ATOM_SPECIALS) \
+ and raise DataFormatError, "#{self.class} must not contain atom-specials"
+ end
+
def send_data(imap, tag)
- imap.__send__(:put_string, data)
+ imap.__send__(:put_string, data.to_s)
+ end
+ end
+
+ class Flag < Atom # :nodoc:
+ def send_data(imap, tag)
+ imap.__send__(:put_string, "\\#{data}")
end
end