Bug 12094

Summary: ruby-actionmailer and ruby-activesupport new security issue CVE-2013-4389
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Pascal Terjan <pterjan>
Status: RESOLVED WONTFIX
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: fundawang, oe, pterjan, stormi-mageia
Version: 3
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/578023/
Whiteboard: feedback
Source RPM: ruby-actionmailer, ruby-activesupport
CVE:
Status comment:

Description David Walser 2013-12-23 16:23:21 CET
OpenSuSE has issued advisories today (December 23):
http://lists.opensuse.org/opensuse-updates/2013-12/msg00091.html
http://lists.opensuse.org/opensuse-updates/2013-12/msg00094.html

David Walser 2013-12-23 16:23:51 CET

Blocks: (none) => 11726
Whiteboard: (none) => MGA3TOO

David Walser 2013-12-23 22:22:58 CET

URL: (none) => http://lwn.net/Vulnerabilities/578023/

Comment 1 Oden Eriksson 2013-12-26 14:48:01 CET
fixed with ruby-actionmailer-3.2.13-1.1.mga3 + ruby-activesupport-3.2.13-1.1.mga3

CC: (none) => oe

Comment 2 David Walser 2013-12-30 02:30:56 CET
Updated to 4.0.2 in Cauldron by Pascal Terjan.  Not sure if that fixes this.

CC: (none) => pterjan

Comment 3 David Walser 2014-01-03 18:26:56 CET
4.0.x is not affected by this.  Thanks Oden!

Advisory:
========================

Updated ruby-actionmailer and ruby-activesupport packages fix security
vulnerability:

Multiple format string vulnerabilities in log_subscriber.rb files in the log
subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow
remote attackers to cause a denial of service via a crafted e-mail address that
is improperly handled during construction of a log message (CVE-2013-4389).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389
http://lists.opensuse.org/opensuse-updates/2013-12/msg00091.html
http://lists.opensuse.org/opensuse-updates/2013-12/msg00094.html
========================

Updated packages in core/updates_testing:
========================
ruby-actionmailer-3.2.13-1.1.mga3
ruby-actionmailer-doc-3.2.13-1.1.mga3
ruby-activesupport-3.2.13-1.1.mga3
ruby-activesupport-doc-3.2.13-1.1.mga3

from SRPMS:
ruby-actionmailer-3.2.13-1.1.mga3.src.rpm
ruby-activesupport-3.2.13-1.1.mga3.src.rpm

CC: (none) => fundawang
Version: Cauldron => 3
Blocks: 11726 => (none)
Assignee: fundawang => qa-bugs
Whiteboard: MGA3TOO => (none)
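
Added illustration (not code from this bug, the advisory, or the Rails project): the log-message pattern the advisory describes, where the recipient list is interpolated into a format string before `%` is applied, beside the hardened form that interpolates the duration directly. The function names, the exact format string and the sample addresses are assumptions.

```ruby
# Vulnerable pattern (assumed reconstruction of the CVE-2013-4389 log line):
# the recipient text becomes part of the format string, so any `%` sequence
# inside an e-mail address is parsed as a format directive.
def format_sent_mail_vulnerable(recipients, duration_ms)
  "Sent mail to #{recipients.join(', ')} (%1.fms)" % duration_ms
end

# Hardened form: no format string at all. The duration is interpolated
# directly, so a `%` in the recipient text is inert data.
def format_sent_mail_fixed(recipients, duration_ms)
  "Sent mail to #{recipients.join(', ')} (#{duration_ms.round(1)}ms)"
end

# Drives one of the formatters and reports the outcome instead of letting
# the exception propagate, so the failure mode is observable in a log.
# Returns [:ok, line] or [:error, exception_class, message].
def try_log(formatter, recipients, duration_ms)
  [:ok, send(formatter, recipients, duration_ms)]
rescue ArgumentError => e
  [:error, e.class.name, e.message]
end

# Constructed sample inputs, not taken from the bug report.
BENIGN  = ["alice@example.com"]
CRAFTED = ["%s%s%s@example.com"]  # `%` sequences in the local part

if __FILE__ == $0
  p try_log(:format_sent_mail_vulnerable, BENIGN, 12.345)   # formats normally
  p try_log(:format_sent_mail_vulnerable, CRAFTED, 12.345)  # ArgumentError: too few arguments
  p try_log(:format_sent_mail_fixed, CRAFTED, 12.345)       # address logged verbatim
end
```

With the vulnerable formatter a single crafted address raises inside the logging hook for every delivery, which is the denial of service the advisory refers to; the fixed formatter logs the address as plain text.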

Comment 4 claire robinson 2014-01-06 12:32:59 CET
I'm not familiar with ruby or rails but following the guide here:
http://guides.rubyonrails.org/action_mailer_basics.html

It fails to generate the mailer with a raft of errors. I can't find much info on the initial error so I'm not sure where to go from here. It doesn't look like rails is working to me, but it could be something to do with the environment or operator error.


# urpmi ruby-actionmailer ruby-bundler ruby-net-http-persistent ruby-RubyGems ruby-railties


$ rails new testapp
$ cd testapp
$ rails generate mailer UserMailer
/usr/share/ruby/gems/rubygems/custom_require.rb:36:in `require': cannot load such file -- rubygems/spec_fetcher (LoadError)
..etc


This should apparently show a list of things it can generate..

$ rails generate
/usr/share/ruby/gems/rubygems/custom_require.rb:36:in `require': cannot load such file -- rubygems/spec_fetcher (LoadError)
...etc

Also the example given in /usr/share/ruby/gems/gems/actionmailer-3.2.13/lib/rails/generators/mailer/USAGE

$ rails generate mailer Notifications signup forgot_password invoice

Same error.

Tried on a system upgraded from mga2 and one with a pure mga3 install.
Comment 5 Pascal Terjan 2014-01-07 12:13:41 CET
This error shows something being very broken in another package (railties, bundler or rubygems):

$ rails generate
/usr/share/ruby/gems/rubygems/custom_require.rb:36:in `require': cannot load such file -- rubygems/spec_fetcher (LoadError)

I may try to install a mageia3 chroot tonight to test if I have time.
Comment 6 Samuel Verschelde 2014-01-20 17:47:49 CET
Have you had time to test that like you wanted to Pascal?

CC: (none) => stormi

Comment 7 Samuel Verschelde 2014-01-20 17:51:49 CET
Tested using same steps as comment #4 and "rails new testapp" failed, so that's sooner than MrsB (maybe a missing dep?). That's an almost fresh install of Mageia 3 32bits.

[...]
Fetching gem metadata from https://rubygems.org/...........
Fetching gem metadata from https://rubygems.org/..
Installing rake (10.1.1) 
Using i18n (0.6.1) 
Installing multi_json (1.8.4) 
Using activesupport (3.2.13) 
Using builder (3.0.4) 
Using activemodel (3.2.13) 
Using erubis (2.7.0) 
Using journey (1.0.4) 
Using rack (1.4.5) 
Using rack-cache (1.2) 
Using rack-test (0.6.2) 
Installing hike (1.2.3) 
Installing tilt (1.4.1) 
Using sprockets (2.2.2) 
Using actionpack (3.2.13) 
Installing mime-types (1.25.1) 
Using polyglot (0.3.3) 
Installing treetop (1.4.15) 
Installing mail (2.5.4) 
Using actionmailer (3.2.13) 
Installing arel (3.0.3) 
Installing tzinfo (0.3.38) 
Installing activerecord (3.2.13) 
Installing activeresource (3.2.13) 
Using bundler (1.2.1) 
Installing coffee-script-source (1.6.3) 
Installing execjs (2.0.2) 
Installing coffee-script (2.2.0) 
Installing rack-ssl (1.3.3) 
Installing json (1.8.1) with native extensions 

Gem::Installer::ExtensionBuildError: ERROR: Failed to build gem native extension.

        /usr/bin/ruby extconf.rb 
mkmf.rb can't find header files for ruby at /usr/share/include/ruby.h


Gem files will remain installed in /home/samuel/.gem/ruby/1.9.1/gems/json-1.8.1 for inspection.
Results logged to /home/samuel/.gem/ruby/1.9.1/gems/json-1.8.1/ext/json/ext/generator/gem_make.out
An error occurred while installing json (1.8.1), and Bundler cannot continue.
Make sure that `gem install json -v '1.8.1'` succeeds before bundling.
Comment 8 Samuel Verschelde 2014-01-20 18:21:44 CET
Follow-up: I had to install ruby-devel and make, gcc (missing deps to one of the ruby-xxx packages?), so that it could build the json 1.8.1 gem.

But: why would it build the json gem? It doesn't feel right for a package from the repository. Maybe we should have released mga3 with ruby-json-1.8.1? Just asking because I know nothing about ruby packaging.

Then it tries to build the sqlite3 1.3.8 gem (and installing ruby-sqlite3 1.3.6 manually from the repos doesn't fit). So I had to install libsqlite3-devel.

Now I've got my "testapp" created.

Then "$ rails generate mailer UserMailer" fails the same way as in comment #4.
Comment 9 Pascal Terjan 2014-01-21 07:29:31 CET
Yes, it should not download or build anything. It seems no one had tested the package on mga3 and it was totally broken :(
Comment 10 Pascal Terjan 2014-01-21 07:34:25 CET
(btw, on cauldron it is also broken, in a different way)
Comment 11 claire robinson 2014-01-21 18:39:15 CET
Adding feedback marker for now.

Whiteboard: (none) => feedback

Comment 12 Pascal Terjan 2014-01-21 18:55:56 CET
I don't know rails much but I opened a bug to myself to fix it in Cauldron, then I can work on fixing it for 3, but this will probably cause more packages to be touched...
Comment 13 Pascal Terjan 2014-02-10 17:24:01 CET
Taking over the bug as the package is useless currently anyway, so there is no point in having QA consider it.

Assignee: qa-bugs => pterjan

Comment 14 David Walser 2014-08-20 23:26:54 CEST
Ruby on Rails has been dropped in Cauldron and we are unable to support it.

Status: NEW => RESOLVED
Resolution: (none) => WONTFIX