Bug 2081096 (CVE-2022-29970)

Summary: CVE-2022-29970 sinatra: path traversal possible outside of public_dir when serving static files
Product: [Other] Security Response
Reporter: Todd Cullum <tcullum>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: bbuckingham, bcourt, btotty, caswilli, cfeist, cluster-maint, ehelms, idevat, jaruga, jsherril, kaycoth, kmalyjur, lkundrak, lzap, mhulan, mlisik, mmccune, mpospisi, myarboro, nmoumoul, omular, orabin, pcreech, rchan, ruby-packagers-sig, tojeline, valtri, vondruch
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: sinatra 2.2.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Sinatra when serving static files from the public directory. The requested path is not validated to ensure it stays within the public directory, allowing files outside of the public directory to be served.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-05-18 19:33:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2081138, 2081139, 2081142, 2081327, 2081328, 2081329, 2081330, 2081331, 2081332, 2081333, 2081334, 2081335, 2082104, 2082105, 2082106, 2082107, 2082108, 2082109, 2082110, 2082111, 2082112, 2082113, 2082114, 2082115, 2082116, 2082117, 2082118, 2082119, 2082120, 2082121, 2082122, 2082123
Bug Blocks: 2081098

Description Todd Cullum 2022-05-02 18:15:30 UTC
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.

Reference:
https://github.com/sinatra/sinatra/pull/1683/commits/462c3ca1db53ed3cfc394cf5948e9c948ad1c10e
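
The kind of check the 2.2.0 fix introduces, as an added Ruby example that is not Sinatra's own code: a minimal static-file resolver with the pre-fix behaviour (expand the joined path, check only that the file exists) beside one that also requires the expanded path to remain under public_dir. The percent-decoding helper, the function names and the sample directory tree are constructed for this example.

```ruby
require 'tmpdir'
require 'fileutils'

# Percent-decodes a request path (constructed helper; stands in for the
# URI unescaping a framework performs before touching the filesystem).
def percent_decode(path_info)
  path_info.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# Pre-fix behaviour: the joined path is expanded (which collapses "..")
# but the result is only checked for existence, never for staying inside
# public_dir, so ".." segments can escape the static root.
def resolve_static_unchecked(public_dir, path_info)
  path = File.expand_path("#{public_dir}#{percent_decode(path_info)}")
  File.file?(path) ? path : nil
end

# Hardened resolver: the expanded path must start with the expanded
# public_dir plus a separator. The separator matters; without it a sibling
# directory such as "public_other" would pass a prefix check for "public".
def resolve_static_checked(public_dir, path_info)
  root = File.expand_path(public_dir)
  path = File.expand_path("#{root}#{percent_decode(path_info)}")
  return nil unless path.start_with?(root + File::SEPARATOR)
  File.file?(path) ? path : nil
end

# Builds a throwaway tree (constructed sample data) and reports what each
# resolver would serve for a benign request and for an encoded ".." request.
def run_demo
  Dir.mktmpdir do |base|
    public_dir = File.join(base, 'public')
    FileUtils.mkdir_p(public_dir)
    File.write(File.join(public_dir, 'index.html'), '<h1>ok</h1>')
    File.write(File.join(base, 'secret.txt'), 'not meant for the web')

    requests = { benign: '/index.html', traversal: '/%2e%2e/secret.txt' }
    requests.transform_values do |path_info|
      { unchecked: resolve_static_unchecked(public_dir, path_info),
        checked:   resolve_static_checked(public_dir, path_info) }
    end
  end
end

p run_demo if $PROGRAM_NAME == __FILE__
```

The unchecked resolver hands back the file outside the static root for the encoded ".." request, while the checked resolver returns nil for it and still serves the benign request.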

Comment 1 Guilherme de Almeida Suckevicz 2022-05-02 20:36:12 UTC
Created rubygem-sinatra tracking bugs for this issue:

Affects: epel-all [bug 2081138]
Affects: fedora-all [bug 2081139]

Comment 7 errata-xmlrpc 2022-05-16 07:50:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:2255 https://access.redhat.com/errata/RHSA-2022:2255

Comment 8 errata-xmlrpc 2022-05-16 08:08:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:2253 https://access.redhat.com/errata/RHSA-2022:2253

Comment 9 errata-xmlrpc 2022-05-16 08:08:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:2256 https://access.redhat.com/errata/RHSA-2022:2256

Comment 10 errata-xmlrpc 2022-05-18 00:53:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:4587 https://access.redhat.com/errata/RHSA-2022:4587

Comment 11 errata-xmlrpc 2022-05-18 15:25:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:4661 https://access.redhat.com/errata/RHSA-2022:4661

Comment 12 Product Security DevOps Team 2022-05-18 19:33:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-29970

Comment 13 errata-xmlrpc 2022-11-16 13:32:16 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.12 for RHEL 8

Via RHSA-2022:8506 https://access.redhat.com/errata/RHSA-2022:8506