Bug 11276

Summary: ruby-RubyGems new security issue CVE-2013-4287
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: fundawang, pterjan, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/567934/
Whiteboard: has_procedure mga3-64-ok mga3-32-ok
Source RPM: ruby-RubyGems-1.8.24-9.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-09-23 19:40:52 CEST 
Fedora has issued an advisory on September 11:
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115920.html

The issue is fixed upstream in 2.0.8, which Fedora updated to.

For Fedora 18 (with version 1.8.x), they fixed it with this patch:
http://pkgs.fedoraproject.org/cgit/rubygems.git/plain/rubygems-1.8.25-CVE-2013-4287.patch?h=f18&id=45c917db568cb88d3d37fe858aca0024bf10461f

That should apply to our package in Mageia 3.  It was also fixed upstream in 1.8.26.  Here is the RedHat bug for this:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4287

I don't believe Mageia 2 is affected.

Reproducible: 

Steps to Reproduce:
David Walser 2013-09-23 19:41:08 CEST

CC: (none) => pterjan
Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2013-09-24 04:39:57 CEST 
Updated packages uploaded for Mageia 3 and Cauldron by Funda.  Thanks Funda!

Advisory:
========================

Updated ruby-RubyGems package fixes security vulnerability:

RubyGems validates versions with a regular expression that is vulnerable to
denial of service due to a backtracking regular expression.  For specially
crafted RubyGems versions attackers can cause denial of service through CPU
consumption (CVE-2013-4287).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4287
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115886.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4287
========================

Updated packages in core/updates_testing:
========================
ruby-RubyGems-1.8.26-1.mga3

from ruby-RubyGems-1.8.26-1.mga3.src.rpm

CC: (none) => fundawang
Version: Cauldron => 3
Assignee: fundawang => qa-bugs
Whiteboard: MGA3TOO => (none)

Comment 2 claire robinson 2013-09-24 17:45:17 CEST 
This is to do with 'gem build' mainly. There is some testing info for that here
http://guides.rubygems.org/make-your-own-gem/

Whiteboard: (none) => has_procedure

Comment 3 claire robinson 2013-09-24 17:47:56 CEST 
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1002364#c14

They seem to be expecting an updated patch, can this be confirmed ready before we go further please.
Comment 4 David Walser 2013-09-24 18:06:37 CEST 
Nice catch.  The gmane thread they linked indicates that CVE-2013-4363 has been allocated for the remaining issues, which will be fixed in 1.8.27 and 2.0.10.  There are also patches linked on the thread.

I'll assign back to Funda until the updated versions are available.

CC: (none) => qa-bugs
Assignee: qa-bugs => fundawang

Comment 5 David Walser 2013-10-04 16:19:46 CEST 
Fedora has issued an advisory for CVE-2013-4363 on September 26:
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/117998.html

from http://lwn.net/Vulnerabilities/569468/
Comment 6 David Walser 2013-10-04 18:59:49 CEST 
Upstream versions 1.8.27 and 2.0.10 to fix this are now available:
https://bugzilla.redhat.com/show_bug.cgi?id=1009720#c1
Comment 7 David Walser 2013-10-06 15:58:11 CEST 
*** Bug 11386 has been marked as a duplicate of this bug. ***
Comment 8 David Walser 2013-10-06 16:02:18 CEST 
Assigning back to QA now that it's been updated again.

Advisory:
========================

Updated ruby-RubyGems package fixes security vulnerability:

RubyGems validates versions with a regular expression that is vulnerable to
denial of service due to a backtracking regular expression.  For specially
crafted RubyGems versions attackers can cause denial of service through CPU
consumption (CVE-2013-4287, CVE-2013-4363).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4287
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4363
http://blog.rubygems.org/2013/09/09/CVE-2013-4287.html
http://blog.rubygems.org/2013/09/24/CVE-2013-4363.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115886.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4287
========================

Updated packages in core/updates_testing:
========================
ruby-RubyGems-1.8.27-1.mga3

from ruby-RubyGems-1.8.27-1.mga3.src.rpm

CC: qa-bugs => (none)
Assignee: fundawang => qa-bugs

Comment 9 claire robinson 2013-10-09 13:57:57 CEST 
Testing complete mga3 64

$ git clone http://github.com/qrush/hola
Cloning into 'hola'...
remote: Counting objects: 29, done.
remote: Compressing objects: 100% (22/22), done.
remote: Total 29 (delta 5), reused 24 (delta 1)
Unpacking objects: 100% (29/29), done.
$ ls
hola/
$ cd hola
$ ls
bin/  hola.gemspec  lib/  Rakefile  test/

$ gem build hola.gemspec 
  Successfully built RubyGem
  Name: hola
  Version: 0.0.1
  File: hola-0.0.1.gem

$ ls
bin/  hola-0.0.1.gem  hola.gemspec  lib/  Rakefile  test/

$ gem install ./hola-0.0.1.gem 
Successfully installed hola-0.0.1
1 gem installed
Installing ri documentation for hola-0.0.1...
Installing RDoc documentation for hola-0.0.1...

$ irb
irb(main):001:0> require 'hola'
=> true
irb(main):002:0> quit()

 gem uninstall hola
Successfully uninstalled hola-0.0.1

Whiteboard: has_procedure => has_procedure mga3-64-ok

Comment 10 claire robinson 2013-10-09 14:18:41 CEST 
Testing complete mga3 32

Validating. Advisory uploaded.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs

Comment 11 Thomas Backlund 2013-10-10 00:51:11 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0297.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED