Source: ruby3.3
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for ruby3.3.

CVE-2026-47240[0]:
| Net::IMAP implements Internet Message Access Protocol (IMAP) client
| functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP
| commands accept a "raw data" argument that is sent verbatim after
| validation to prevent command injection. However, if a server does
| not support non-synchronizing literals, it may still be possible to
| inject arbitrary IMAP commands inside non-synchronizing literals.  A
| server without support for non-synchronizing literals may interpret
| the "+}\r\n" as the end of a malformed command line and respond with
| a tagged BAD. In that case, the contents of the literal will be
| interpreted as one or more new pipelined commands, allowing a CRLF
| command injection attack to succeed. This affects criteria for
| #search and #uid_search; search_keys for #sort, #thread, #uid_sort,
| and #uid_thread; and attr for #fetch and #uid_fetch. This
| vulnerability is fixed in 0.6.5 and 0.5.15.

https://github.com/ruby/net-imap/security/advisories/GHSA-8p34-64r3-mwg8

CVE-2026-47241[1]:
| Net::IMAP implements Internet Message Access Protocol (IMAP) client
| functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP
| commands accept a raw string argument which is only validated to
| prevent CRLF injection and then sent verbatim. If this string is
| derived from user-controlled input, an attacker can force the next
| command to be absorbed as a continuation of the first command. This
| will cause the first command to eventually fail, but also prevents
| it from returning until another command is sent (from another
| thread). That other command will not return until the connection is
| closed. This vulnerability is fixed in 0.6.5 and 0.5.15.

https://github.com/ruby/net-imap/security/advisories/GHSA-c4fp-cxrr-mj66

CVE-2026-47242[2]:
| Net::IMAP implements Internet Message Access Protocol (IMAP) client
| functionality in Ruby. Prior to 0.6.5 and 0.5.15, when Net::IMAP#id
| is called with a hash argument, although the ID field value strings
| are correctly quoted (escaping quoted specials), they were not
| validated to prohibit CRLF sequences. While Net::IMAP#enable does
| process its arguments for aliases, it does not validate them as
| valid atoms (or as a list of valid atoms). The #to_s value is sent
| verbatim. Arguments to either command could be used by an attacker
| to inject arbitrary IMAP commands. This vulnerability is fixed in
| 0.6.5 and 0.5.15.

https://github.com/ruby/net-imap/security/advisories/GHSA-46q3-7gv7-qmgg


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-47240
    https://www.cve.org/CVERecord?id=CVE-2026-47240
[1] https://security-tracker.debian.org/tracker/CVE-2026-47241
    https://www.cve.org/CVERecord?id=CVE-2026-47241
[2] https://security-tracker.debian.org/tracker/CVE-2026-47242
    https://www.cve.org/CVERecord?id=CVE-2026-47242

Please adjust the affected versions in the BTS as needed.

_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers

Reply via email to