Bug 11734

Summary: ruby new security issue CVE-2013-4164
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, fundawang, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/575040/
Whiteboard: advisory MGA3-64-OK MGA3-32-OK
Source RPM: ruby-1.9.3.p448-1.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-11-22 14:39:49 CET 
Upstream has issued an advisory today (November 22):
https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/

The issue is fixed upstream for 2.0.x and 1.9.x, which we can update for Cauldron and Mageia 3:
https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released/
https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/

Ruby 1.8.x (Mageia 2) is also affected, but there is no fix available at this time, and due to the EOL, we will not be able to provide a fix for Mageia 2.

Reproducible: 

Steps to Reproduce:
David Walser 2013-11-22 14:39:58 CET

Whiteboard: (none) => MGA3TOO

David Walser 2013-11-22 16:40:49 CET

Blocks: (none) => 11726

Comment 1 Funda Wang 2013-11-24 16:51:48 CET 
I've already pushed the updated package into cauldron. Let this package for mga3 only.

Version: Cauldron => 3
Blocks: 11726 => (none)
Source RPM: ruby-2.0.0.p247-6.mga4.src.rpm => ruby
Whiteboard: MGA3TOO => (none)

Comment 2 David Walser 2013-11-24 16:55:44 CET 
OK, fixed with a patch in ruby-2.0.0.p247-7.mga4 in Cauldron.

Source RPM: ruby => ruby-1.9.3.p448-1.mga3.src.rpm

Comment 3 David Walser 2013-11-26 19:50:50 CET 
RedHat has issued an advisory for this on November 25:
https://rhn.redhat.com/errata/RHSA-2013-1764.html

URL: (none) => http://lwn.net/Vulnerabilities/575040/

Comment 4 David Walser 2013-12-26 18:09:45 CET 
Apparently Funda built the update for this for Mageia 3 and I never noticed.

Advisory:
========================

Updated ruby packages fix security vulnerability:

Charlie Somerville discovered that Ruby incorrectly handled floating point
number conversion. An attacker could possibly use this issue with an
application that converts text to floating point numbers to cause the
application to crash, resulting in a denial of service, or possibly execute
arbitrary code (CVE-2013-4164).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4164
https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/
https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/
http://www.ubuntu.com/usn/usn-2035-1
========================

Updated packages in core/updates_testing:
========================
ruby-1.9.3.p484-1.mga3
libruby1.9-1.9.3.p484-1.mga3
ruby-doc-1.9.3.p484-1.mga3
ruby-devel-1.9.3.p484-1.mga3
ruby-tk-1.9.3.p484-1.mga3
ruby-irb-1.9.3.p484-1.mga3

from ruby-1.9.3.p484-1.mga3.src.rpm

CC: (none) => fundawang
Assignee: fundawang => qa-bugs
Severity: normal => critical

Dave Hodgins 2014-01-02 17:38:49 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 5 Dave Hodgins 2014-01-05 21:01:54 CET 
Just testing that ruby is working.

Testing complete on Mageia 3 i586 and x86_64 using the script from
https://bugs.mageia.org/show_bug.cgi?id=10637#c7

Someone from the sysadmin team please push 11734.adv to updates.

Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2014-01-06 02:35:37 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0003.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED