[DRE-maint] Bug#1109345: unblock: ruby-rack-session/2.1.1-0.1

Bastian Germann bage at debian.org
Tue Jul 15 15:18:17 BST 2025 

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: ruby-rack-session at packages.debian.org
Control: affects -1 + src:ruby-rack-session
User: release.debian.org at packages.debian.org
Usertags: unblock

Please unblock package ruby-rack-session

[ Reason ]
Grave bug #1104928.

[ Impact ]
Security issue enables session recovery.

[ Tests ]
The debdiff introduces a new test to check for the vulnerability.

[ Risks ]
None.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
I have handled this as NMU.

unblock ruby-rack-session/2.1.1-0.1
-------------- next part --------------
diff -Nru ruby-rack-session-2.1.0/debian/changelog ruby-rack-session-2.1.1/debian/changelog
--- ruby-rack-session-2.1.0/debian/changelog	2025-03-08 16:10:24.000000000 +0100
+++ ruby-rack-session-2.1.1/debian/changelog	2025-07-15 13:10:44.000000000 +0200
@@ -1,3 +1,10 @@
+ruby-rack-session (2.1.1-0.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * New upstream version 2.1.1. (Closes: #1104928, CVE-2025-46336)
+
+ -- Bastian Germann <bage at debian.org>  Tue, 15 Jul 2025 13:10:44 +0200
+
 ruby-rack-session (2.1.0-1) unstable; urgency=medium
 
   * New upstream version 2.1.0.
diff -Nru ruby-rack-session-2.1.0/lib/rack/session/pool.rb ruby-rack-session-2.1.1/lib/rack/session/pool.rb
--- ruby-rack-session-2.1.0/lib/rack/session/pool.rb	2025-01-04 08:40:54.000000000 +0100
+++ ruby-rack-session-2.1.1/lib/rack/session/pool.rb	2025-05-06 12:54:57.000000000 +0200
@@ -53,6 +53,7 @@
 
       def write_session(req, session_id, new_session, options)
         @mutex.synchronize do
+          return false unless get_session_with_fallback(session_id)
           @pool.store session_id.private_id, new_session
           session_id
         end
@@ -62,7 +63,12 @@
         @mutex.synchronize do
           @pool.delete(session_id.public_id)
           @pool.delete(session_id.private_id)
-          generate_sid(use_mutex: false) unless options[:drop]
+
+          unless options[:drop]
+            sid = generate_sid(use_mutex: false)
+            @pool.store(sid.private_id, {})
+            sid
+          end
         end
       end
 
diff -Nru ruby-rack-session-2.1.0/lib/rack/session/version.rb ruby-rack-session-2.1.1/lib/rack/session/version.rb
--- ruby-rack-session-2.1.0/lib/rack/session/version.rb	2025-01-04 08:40:54.000000000 +0100
+++ ruby-rack-session-2.1.1/lib/rack/session/version.rb	2025-05-06 12:54:57.000000000 +0200
@@ -5,6 +5,6 @@
 
 module Rack
   module Session
-    VERSION = "2.1.0"
+    VERSION = "2.1.1"
   end
 end
diff -Nru ruby-rack-session-2.1.0/releases.md ruby-rack-session-2.1.1/releases.md
--- ruby-rack-session-2.1.0/releases.md	2025-01-04 08:40:54.000000000 +0100
+++ ruby-rack-session-2.1.1/releases.md	2025-05-06 12:54:57.000000000 +0200
@@ -1,5 +1,9 @@
 # Releases
 
+## v2.1.1
+
+  - Prevent `Rack::Session::Pool` from recreating deleted sessions [CVE-2025-46336](https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj).
+
 ## v2.1.0
 
   - Improved compatibility with Ruby 3.3+ and Rack 3+.
diff -Nru ruby-rack-session-2.1.0/test/spec_session_pool.rb ruby-rack-session-2.1.1/test/spec_session_pool.rb
--- ruby-rack-session-2.1.0/test/spec_session_pool.rb	2025-01-04 08:40:54.000000000 +0100
+++ ruby-rack-session-2.1.1/test/spec_session_pool.rb	2025-05-06 12:54:57.000000000 +0200
@@ -288,4 +288,52 @@
     res = Rack::MockRequest.new(app).get("/")
     res["Set-Cookie"].must_be_nil
   end
+
+  user_id_session = Rack::Lint.new(lambda do |env|
+    session = env["rack.session"]
+
+    case env["PATH_INFO"]
+    when "/login"
+      session[:user_id] = 1
+    when "/logout"
+      if session[:user_id].nil?
+        raise "User not logged in"
+      end
+
+      session.delete(:user_id)
+      session.options[:renew] = true
+    when "/slow"
+      Fiber.yield
+    end
+
+    Rack::Response.new(session.inspect).to_a
+  end)
+
+  it "doesn't allow session id to be reused" do
+    app = Rack::Session::Pool.new(user_id_session)
+
+    login_response = Rack::MockRequest.new(app).get("/login")
+    login_cookie = login_response["Set-Cookie"]
+
+    slow_request = Fiber.new do
+      Rack::MockRequest.new(app).get("/slow", "HTTP_COOKIE" => login_cookie)
+    end
+    slow_request.resume
+
+    # Check that the session is valid:
+    response = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" => login_cookie)
+    response.body.must_equal({"user_id" => 1}.to_s)
+
+    logout_response = Rack::MockRequest.new(app).get("/logout", "HTTP_COOKIE" => login_cookie)
+    logout_cookie = logout_response["Set-Cookie"]
+
+    # Check that the session id is different after logout:
+    login_cookie[session_match].wont_equal logout_cookie[session_match]
+
+    slow_response = slow_request.resume
+
+    # Check that the cookie can't be reused:
+    response = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" => login_cookie)
+    response.body.must_equal "{}"
+  end
 end

More information about the Pkg-ruby-extras-maintainers mailing list