Updated advisory posts against rubysec/ruby-advisory-db@f18c041

jasnow · RubySec CI · commit 997e516c7555 · 2025-04-30T02:13:53.000Z
diff --git a/advisories/_posts/2024-02-21-CVE-2024-26144.md b/advisories/_posts/2024-02-21-CVE-2024-26144.md
@@ -22,7 +22,11 @@ advisory:
 
     This vulnerability has been assigned the CVE identifier CVE-2024-26144.
 
-    Versions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, >= 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7
+    Versions Affected: >= 5.2.0, < 7.1.0
+
+    Not affected: < 5.2.0, >= 7.1.0
+
+    Fixed Versions: 7.0.8.1, 6.1.7.7
 
     # Impact
 
@@ -51,4 +55,8 @@ advisory:
   patched_versions:
   - "~> 6.1.7, >= 6.1.7.7"
   - ">= 7.0.8.1"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-26144
+    - https://hackerone.com/reports/3082917
 ---
diff --git a/advisories/_posts/2024-08-22-CVE-2024-43398.md b/advisories/_posts/2024-08-22-CVE-2024-43398.md
@@ -55,6 +55,7 @@ advisory:
     - https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3
     - https://github.com/ruby/rexml/commit/7cb5eaeb221c322b9912f724183294d8ce96bae3
     - https://github.com/ruby/rexml/releases/tag/v3.3.6
+    - https://hackerone.com/reports/3002543
     - https://hackerone.com/reports/2666849
     - https://github.com/advisories/GHSA-vmwr-mc7x-5vc3
 ---
diff --git a/advisories/_posts/2025-02-26-CVE-2025-27219.md b/advisories/_posts/2025-02-26-CVE-2025-27219.md
@@ -41,5 +41,6 @@ advisory:
     url:
     - https://www.cve.org/CVERecord?id=CVE-2025-27219
     - https://www.suse.com/security/cve/CVE-2025-27219.html
+    - https://hackerone.com/reports/3013913
     - https://www.ruby-lang.org/en/news/2025/02/26/security-advisories
 ---
diff --git a/advisories/_posts/2025-04-28-CVE-2025-43857.md b/advisories/_posts/2025-04-28-CVE-2025-43857.md
@@ -0,0 +1,131 @@
+---
+layout: advisory
+title: 'CVE-2025-43857 (net-imap): net-imap rubygem vulnerable to possible DoS by
+  memory exhaustion'
+comments: false
+categories:
+- net-imap
+advisory:
+  gem: net-imap
+  cve: 2025-43857
+  ghsa: j3g3-5qv5-52mj
+  url: https://github.com/ruby/net-imap/security/advisories/GHSA-j3g3-5qv5-52mj
+  title: net-imap rubygem vulnerable to possible DoS by memory exhaustion
+  date: 2025-04-28
+  description: |
+    ### Summary
+
+    There is a possibility for denial of service by memory exhaustion
+    when `net-imap` reads server responses.  At any time while the client
+    is connected, a malicious server can send can send a "literal" byte
+    count, which is automatically read by the client's receiver thread.
+    The response reader immediately allocates memory for the number of
+    bytes indicated by the server response.
+
+    This should not be an issue when securely connecting to trusted IMAP
+    servers that are well-behaved.  It can affect insecure connections
+    and buggy, untrusted, or compromised servers (for example, connecting
+    to a user supplied hostname).
+
+    ### Details
+
+    The IMAP protocol allows "literal" strings to be sent in responses,
+    prefixed with their size in curly braces (e.g. `{1234567890}`).
+    When `Net::IMAP` receives a response containing a literal string,
+    it calls `IO#read` with that size.  When called with a size,
+    `IO#read` immediately allocates memory to buffer the entire string
+    before processing continues.  The server does not need to send any
+    more data.  There is no limit on the size of literals that will be
+    accepted.
+
+    ### Fix
+    #### Upgrade
+    Users should upgrade to `net-imap` 0.5.7 or later.  A configurable
+    `max_response_size` limit has been added to `Net::IMAP`'s response
+    reader.  The `max_response_size` limit has also been backported to
+    `net-imap` 0.2.5, 0.3.9, and 0.4.20.
+
+    To set a global value for `max_response_size`, users must upgrade
+    to `net-imap` ~> 0.4.20, or > 0.5.7.
+
+    #### Configuration
+
+    To avoid backward compatibility issues for secure connections to
+    trusted well-behaved servers, the default `max_response_size` for
+    `net-imap` 0.5.7 is _very high_ (512MiB), and the default
+    `max_response_size` for `net-imap` ~> 0.4.20, ~> 0.3.9, and 0.2.5
+    is `nil` (unlimited).
+
+    When connecting to untrusted servers or using insecure connections,
+    a much lower `max_response_size` should be used.
+    ```ruby
+    # Set the global max_response_size (only ~> v0.4.20, > 0.5.7)
+    Net::IMAP.config.max_response_size = 256 << 10 # 256 KiB
+
+    # Set when creating the connection
+    imap = Net::IMAP.new(hostname, ssl: true,
+                         max_response_size: 16 << 10) # 16 KiB
+
+    # Set after creating the connection
+    imap.max_response_size = 256 << 20 # 256 KiB
+    # flush currently waiting read, to ensure the new setting is loaded
+    imap.noop
+    ```
+
+    _**Please Note:**_ `max_response_size` only limits the size _per
+    response_.  It does not prevent a flood of individual responses
+    and it does not limit how many unhandled responses may be stored
+    on the responses hash.  Users are responsible for adding response
+    handlers to prune excessive unhandled responses.
+
+    #### Compatibility with lower `max_response_size`
+
+    A lower `max_response_size` may cause a few commands which
+    legitimately return very large responses to raise an exception
+    and close the connection.  The `max_response_size` could be
+    temporarily set to a higher value, but paginated or limited
+    versions of commands should be used whenever possible.  For
+    example, to fetch message bodies:
+
+    ```ruby
+    imap.max_response_size = 256 << 20 # 256 KiB
+    imap.noop # flush currently waiting read
+
+    # fetch a message in 252KiB chunks
+    size = imap.uid_fetch(uid, "RFC822.SIZE").first.rfc822_size
+    limit = 252 << 10
+    message = ((0..size)limit).each_with_object("") {|offset, str|
+      str << imap.uid_fetch(uid,
+      "BODY.PEEK[]<#{offset}.#{limit}>").first.message(offset:)
+    }
+
+    imap.max_response_size = 16 << 20 # 16 KiB
+    imap.noop # flush currently waiting read
+    ```
+
+    ### References
+
+    * PR to introduce max_response_size: https://github.com/ruby/net-imap/pull/442
+      * Specific commit: [0ae8576c1 - lib/net/imap/response_reader.rb](https://github.com/ruby/net-imap/pull/444/commits/0ae8576c1a90bcd9573f81bdad4b4b824642d105#diff-53721cb4d9c3fb86b95cc8476ca2df90968ad8c481645220c607034399151462)
+    * Backport to 0.4: https://github.com/ruby/net-imap/pull/445
+    * Backport to 0.3: https://github.com/ruby/net-imap/pull/446
+    * Backport to 0.2: https://github.com/ruby/net-imap/pull/447
+  cvss_v4: 6.0
+  patched_versions:
+  - "~> 0.2.5"
+  - "~> 0.3.9"
+  - "~> 0.4.20"
+  - ">= 0.5.7"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-43857
+    - https://github.com/ruby/net-imap/security/advisories/GHSA-j3g3-5qv5-52mj
+    - https://github.com/ruby/net-imap/pull/442
+    - https://github.com/ruby/net-imap/pull/444/commits/0ae8576c1a90bcd9573f81bdad4b4b824642d105#diff-53721cb4d9c3fb86b95cc8476ca2df90968ad8c481645220c607034399151462
+    - https://github.com/ruby/net-imap/pull/445
+    - https://github.com/ruby/net-imap/pull/446
+    - https://github.com/ruby/net-imap/pull/447
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-43857
+    - https://github.com/advisories/GHSA-j3g3-5qv5-52mj
+    - https://hackerone.com/reports/3108869
+---
