Category: Open Source

There is a possibility for DoS by in the net-imap gem. This vulnerability has been assigned the CVE identifier CVE-2025-25186. We recommend upgrading the net-imap gem.

Details

A malicious server can send highly compressed uid-set data which is automatically read by the client’s receiver thread. The response parser uses Range#to_a to convert the uid-set data into arrays of integers, with no limitation on the expanded size of the ranges.

Please update net-imap gem to version 0.3.8, 0.4.19, 0.5.6, or later.

Affected versions

• net-imap gem versions 0.3.2 to 0.3.7, 0.4.0 to 0.4.18, and 0.5.0 to 0.5.5 (inclusive).

Credits

Thanks to manun for discovering this issue.

History

• Originally published at 2025-02-10 03:00:00 (UTC)

Posted by nevans on 10 Feb 2025

Let’s celebrate the people behind free software and tell them how much we appreciate their work!

You might think the world of Linux distributions is a rather boring, settled affair, but there’s actually a ton of interesting experimentation going on in the Linux world. From things like NixOS with its unique packaging framework, to the various immutable distributions out there like the Fedora Atomic editions, there’s enough uniqueness to go around to find a lid for every pot. Oasis Linux surely falls into this category. One of its main unique characteristics is that it’s entirely statically linked. All software in the base system is linked statically, including the display server (velox) and web browser (netsurf). Compared to dynamic linking, this is a simpler mechanism which eliminates problems with upgrading libraries, and results in completely self-contained binaries that can easily be copied to other systems. ↫ Oasis GitHub page That’s not all it has to offer, though. It also offers fast and 100% reproducible builds, it’s mostly ISO C conformant, and it has minimal bootstrap dependencies – all you need is a “POSIX system with git, lua, curl, a sha256 utility, standard compression utilities, and an x86_64-linux-musl cross compiler”. The ISO C-comformance is a crucial part of one of Oasis’ goals: to be buildable with cproc, a small, very strict C11 compiler. It has no package manager, but any software outside of Oasis itself can be installed and managed with pkgsrc or Nix. Another important goal of the project is to be extremely easy to understand, and its /etc directory is honestly a sight to behold, and as the project proudly claims, the most complex file in there is rc.init at a mere 16 lines. The configuration files are indeed incredibly easy to understand, which is a breath of fresh air compared to the archaic stuff in commercial UNIX or the complex stuff in modern Linux distributions that I normally deal with. I’m not sure is Oasis would make for a good, usable day-to-day operating system, but I definitely like what they’re putting down.