diff --git a/ruby4.0.spec b/ruby4.0.spec index dd02a5a..d6d57c2 100644 --- a/ruby4.0.spec +++ b/ruby4.0.spec @@ -356,6 +356,12 @@ Patch13: rubygem-net-imap-0.6.2-ResponseReader-quadratic-complexity-CVE-2026-422 # - https://github.com/ruby/net-imap/commit/62eea6ff # - https://github.com/ruby/net-imap/commit/24d5c773 Patch14: rubygem-net-imap-0.6.2-STARTTLS-stripping-vulnerability-CVE-2026-42246.patch +# CVE-2026-42258 +# Fix Net::IMAP command injection vulnerability via unvalidated Symbol arguments +# Advisory: https://github.com/advisories/GHSA-75xq-5h9v-w6px +# Sourced from: +# - https://github.com/ruby/net-imap/commit/9db3e9d +Patch15: rubygem-net-imap-0.6.2-flag-symbol-validation-CVE-2026-42258.patch %{?with_rubypick:Suggests: rubypick} @@ -524,6 +530,7 @@ popd pushd .bundle/gems/net-imap-%{net_imap_version} %patch 13 -p1 %patch 14 -p1 +%patch 15 -p1 popd # Provide an example of usage of the tapset: @@ -1672,6 +1679,8 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \ Resolves: RHEL-181680 - Fix Net::IMAP STARTTLS stripping vulnerability (CVE-2026-42246) Resolves: RHEL-181753 +- Fix Net::IMAP command injection vulnerability via unvalidated Symbol arguments (CVE-2026-42258) + Resolves: RHEL-181785 * Wed Apr 29 2026 Tomas Juhasz - 4.0.3-34 - Upgrade to Ruby 4.0.3. diff --git a/rubygem-net-imap-0.6.2-flag-symbol-validation-CVE-2026-42258.patch b/rubygem-net-imap-0.6.2-flag-symbol-validation-CVE-2026-42258.patch new file mode 100644 index 0000000..bc61d61 --- /dev/null +++ b/rubygem-net-imap-0.6.2-flag-symbol-validation-CVE-2026-42258.patch @@ -0,0 +1,98 @@ +From 9db3e9d Mon Sep 17 00:00:00 2001 +From: nick evans +Date: Thu, 19 Feb 2026 15:06:08 -0500 +Subject: [PATCH] =?UTF-8?q?=F0=9F=A5=85=20Strictly=20validate=20symbol=20(?= + =?UTF-8?q?\flag)=20arguments?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Flags should not allow `atom-specials`. + +Previously, no validation was done on symbol data. Sending atom or flag +args which contain atom specials could lead to various errors. + +Although this could theoretically include injection attacks, this is not +considered to be a critical vulnerability in `net-imap`, for the +following reason: Valid "system flag" inputs are restricted to an +enumerated set of RFC-defined flag types. User-defined "keyword" flags +are sent as atoms, not flags, which use string inputs (strings which +can't be sent as an atom will be quoted or sent as a literal). `\Seen` +as a flag (symbol argument) is semantically different from `Seen` as a +keyword (string argument). So there is no scenario where it is +appropriate to call `#to_sym` on unvetted user input. Any code which +calls `#to_sym` indiscriminately on user-input is already buggy. + +Nevertheless, users should reasonably be able to rely on `net-imap` to +do very basic input validation on its basic input types. +--- + lib/net/imap/command_data.rb | 33 +++++++++++++++++++++++++++------ + 1 file changed, 27 insertions(+), 6 deletions(-) + +diff --git a/lib/net/imap/command_data.rb b/lib/net/imap/command_data.rb +index 02b9a61..2671d5d 100644 +--- a/lib/net/imap/command_data.rb ++++ b/lib/net/imap/command_data.rb +@@ -25,6 +25,7 @@ module Net + end + when Time, Date, DateTime + when Symbol ++ Flag.validate(data) + else + data.validate + end +@@ -45,7 +46,7 @@ module Net + when Date + send_date_data(data) + when Symbol +- send_symbol_data(data) ++ Flag[data].send_data(self, tag) + else + data.send_data(self, tag) + end +@@ -115,11 +116,13 @@ module Net + def send_date_data(date) put_string Net::IMAP.encode_date(date) end + def send_time_data(time) put_string Net::IMAP.encode_time(time) end + +- def send_symbol_data(symbol) +- put_string("\\" + symbol.to_s) +- end +- + CommandData = Data.define(:data) do # :nodoc: ++ def self.validate(...) ++ data = new(...) ++ data.validate ++ data ++ end ++ + def send_data(imap, tag) + raise NoMethodError, "#{self.class} must implement #{__method__}" + end +@@ -135,8 +138,26 @@ module Net + end + + class Atom < CommandData # :nodoc: ++ def initialize(**) ++ super ++ validate ++ end ++ ++ def validate ++ data.to_s.ascii_only? \ ++ or raise DataFormatError, "#{self.class} must be ASCII only" ++ data.match?(ResponseParser::Patterns::ATOM_SPECIALS) \ ++ and raise DataFormatError, "#{self.class} must not contain atom-specials" ++ end ++ + def send_data(imap, tag) +- imap.__send__(:put_string, data) ++ imap.__send__(:put_string, data.to_s) ++ end ++ end ++ ++ class Flag < Atom # :nodoc: ++ def send_data(imap, tag) ++ imap.__send__(:put_string, "\\#{data}") + end + end +