| Summary: | ruby new security issue CVE-2014-8080 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | fundawang, olchal, pterjan, rverschelde, shlomif, sysadmin-bugs, tarazed25 |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/619214/ | ||
| Whiteboard: | MGA3TOO has_procedure advisory MGA3-64-OK MGA4-64-OK MGA4-32-OK MGA3-32-OK | ||
| Source RPM: | ruby-2.0.0.p247-8.mga4.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Ruby-tk image display test; Test image for rubyimage.rb; Test image 2 for rubyimage.rb | ||
Description

David Walser 2014-10-27 20:15:19 CET
David Walser 2014-10-27 20:15:25 CET

Whiteboard: (none) => MGA3TOO

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron. I see that Funda rebuilt ruby-rmagick in Cauldron. Is that necessary?

Advisory:
========================
Updated ruby packages fix security vulnerability:

Due to unrestricted entity expansion, when reading text nodes from an XML document, the REXML parser in Ruby can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service (CVE-2014-8080).

The Mageia 3 ruby package has been updated to 1.9.3-p550 and the Mageia 4 ruby package has been updated to 2.0.0-p594 to fix this issue and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8080
https://www.ruby-lang.org/en/news/2014/10/27/rexml-dos-cve-2014-8080/
https://www.ruby-lang.org/en/news/2014/10/27/ruby-1-9-3-p550-is-released/
https://www.ruby-lang.org/en/news/2014/10/27/ruby-2-0-0-p594-is-released/
========================

Updated packages in core/updates_testing:
========================
ruby-1.9.3.p550-1.mga3
libruby1.9-1.9.3.p550-1.mga3
ruby-doc-1.9.3.p550-1.mga3
ruby-devel-1.9.3.p550-1.mga3
ruby-tk-1.9.3.p550-1.mga3
ruby-irb-1.9.3.p550-1.mga3
ruby-2.0.0.p594-1.mga4
libruby2.0-2.0.0.p594-1.mga4
ruby-doc-2.0.0.p594-1.mga4
ruby-devel-2.0.0.p594-1.mga4
ruby-tk-2.0.0.p594-1.mga4
ruby-irb-2.0.0.p594-1.mga4

from SRPMS:
ruby-1.9.3.p550-1.mga3.src.rpm
ruby-2.0.0.p594-1.mga4.src.rpm

CC: (none) => fundawang, pterjan

[root@vega ~]# urpmi ruby
(medium "Core Updates Testing (distrib5)")
ruby 2.0.0.p594 1.mga4 x86_64
(medium "Core Updates Testing (distrib95)")
ruby-tk 2.0.0.p594 1.mga4 x86_64
[root@vega ~]# urpmi ruby-devel
(medium "Core Updates Testing (distrib5)")
lib64ruby2.0 2.0.0.p594 1.mga4 x86_64
ruby-devel 2.0.0.p594 1.mga4 x86_64
[root@vega ~]# urpmi ruby-irb
Marking ruby-irb as manually installed, it won't be auto-orphaned
installing ruby-irb-2.0.0.p594-1.mga4.noarch.rpm from /var/cache/urpmi/rpms
[root@vega ~]# urpmi ruby-doc
installing ruby-doc-2.0.0.p594-1.mga4.noarch.rpm from /var/cache/urpmi/rpms
Tried a couple of home-grown applications with Tk interfaces; these worked just as before. Need to think about PoC and REXML parser and to check the references. First impressions are that everything else works fine.
A few simple tests:
Rubygems is always installed by default. Tried installing a gem which had already been installed:
gem install astro_moon
Fetching: astro_moon-0.2.gem (100%)
Successfully installed astro_moon-0.2
Parsing documentation for astro_moon-0.2
Installing ri documentation for astro_moon-0.2
Done installing documentation for astro_moon after 0 seconds
1 gem installed
An application which uses it continues to work as expected.
Checked interactive scripting:
[lcl@vega ~]$ irb
irb(main):001:0> abc = %w( a b c d e f g h i j k l m n o p q r s t u v w x y z )
=> ["a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z"]
irb(main):002:0> s = ""
=> ""
irb(main):003:0> abc.each { |zed| s += zed }
=> ["a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z"]
irb(main):004:0> puts s
abcdefghijklmnopqrstuvwxyz
=> nil
irb(main):005:0> quit
Commandline documentation, summary for String class:
[lcl@vega ~]$ ri String
= String < Object
------------------------------------------------------------------------------
= Includes:
Comparable (from ruby core)
(from ruby core)
------------------------------------------------------------------------------
Rake extension methods for String.
A String object holds and manipulates an arbitrary sequence of bytes,
typically representing characters. String objects may be created using
String::new or as literals.
Because of aliasing issues, users of strings should be aware of the methods
that modify the contents of a String object. Typically, methods with names
ending in ``!'' modify their receiver, while those without a ``!'' return a
new String. However, there are exceptions, such as String#[]=.
------------------------------------------------------------------------------
= Class methods:
new, try_convert
= Instance methods:
%, *, +, <<, <=>, ==, ===, =~, [], []=, ascii_only?, b, block_scanf, bytes,
bytesize, byteslice, capitalize, capitalize!, casecmp, center, chars, chomp,
chomp!, chop, chop!, chr, clear, codepoints, concat, count, crypt, delete,
delete!, downcase, downcase!, dump, each_byte, each_char, each_codepoint,
each_line, empty?, encode, encode!, encoding, end_with?, eql?, ext,
force_encoding, getbyte, gsub, gsub!, hash, hex, include?, index,
initialize_copy, insert, inspect, intern, iseuc, isjis, issjis, isutf8,
kconv, length, lines, ljust, lstrip, lstrip!, match, next, next!, oct, ord,
partition, pathmap, pathmap_explode, pathmap_partial, pathmap_replace,
prepend, replace, reverse, reverse!, rindex, rjust, rpartition, rstrip,
rstrip!, scan, scanf, setbyte, shellescape, shellsplit, size, slice, slice!,
split, squeeze, squeeze!, start_with?, strip, strip!, sub, sub!, succ,
succ!, sum, swapcase, swapcase!, to_c, to_d, to_f, to_i, to_r, to_s, to_str,
to_sym, toeuc, tojis, tolocale, tosjis, toutf16, toutf32, toutf8, tr, tr!,
tr_s, tr_s!, unpack, upcase, upcase!, upto, valid_encoding?
(END)

CC: (none) => tarazed25

More details of the security issue here if you're interested:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8080

Severity: normal => major

Ubuntu has issued an advisory for this on November 4:
http://www.ubuntu.com/usn/usn-2397-1/

They also backported an upstream patch from ruby trunk (not sure if it was also in 2.1.x) to fix CVE-2014-4975. Considering that it was fixed in trunk in July and upstream didn't bother to backport it for these newer 1.9.3 and 2.0.0 releases, and Ubuntu's CVE notes say the issue is "not likely to be exposed," I've just committed the patch in SVN for now. For Mageia 3, it won't be included in the update unless I rebuild it now (let me know if anyone thinks I should). For Mageia 4 it'll be included in the next update in the future.

URL: (none) => http://lwn.net/Vulnerabilities/619214/

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=10637#c7

CC: (none) => remi

Tested on Mageia3-64 using procedure mentioned in comment 5

Before:
-------
Current packages, installed:
- lib64ruby1.9-1.9.3.p484-1.mga3.x86_64
- lib64tcl8.5-8.5.13-1.mga3.x86_64
- lib64tk8.5-8.5.13-2.mga3.x86_64
- lib64yaml0_2-0.1.6-1.mga3.x86_64
- ruby-1.9.3.p484-1.mga3.x86_64
- ruby-irb-1.9.3.p484-1.mga3.noarch
- ruby-json-1.7.7-1.mga3.x86_64
- ruby-linecache19-0.5.13-5.1.mga3.x86_64
- ruby-rdoc-3.12.1-2.mga3.noarch
- ruby-RubyGems-1.8.27-1.mga3.noarch
- ruby-tk-1.9.3.p484-1.mga3.x86_64
- ruby-ruby-debug-base19-0.11.26-5.1.mga3.x86_64
- ruby-devel-1.9.3.p484-1.mga3.x86_64
- ruby-linecache19-0.5.13-5.1.mga3.x86_64
- tcl-8.5.13-1.mga3.x86_64
- tk-8.5.13-2.mga3.x86_64

Ran
- ruby test
- irb + tk test
- irb + linecache test
- debug19 test

In this latter test for ruby-ruby-debug19, I had to make the following changes:
$ ruby -rdebug rubytest.rb (instead of $ rdebug rubytest.rb)
and further on:
(rdb:1) c (instead of: (rdb:1) continue)

All tests passed.

After:
-----
Testing packages:
- lib64ruby1.9-1.9.3.p550-1.mga3.x86_64
- ruby-1.9.3.p550-1.mga3.x86_64
- ruby-devel-1.9.3.p550-1.mga3.x86_64
- ruby-irb-1.9.3.p550-1.mga3.noarch
- ruby-tk-1.9.3.p550-1.mga3.x86_64

Re-ran the same tests, all OK.

CC: (none) => olchal

Marking it OK for mga4 as well.
Len Lawrence
2014-11-08 21:47:49 CET
Whiteboard: MGA3TOO has_procedure MGA3-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK

Test in comment 5 tested fine on MGA4-32, before and after the upgrade. Marking as such.

CC: (none) => shlomif

(In reply to Shlomi Fish from comment #8)
> Test in comment 5 tested fine on MGA4-32 - before and after the upgrade .
> Marking as such.

Working fine on MGA3-32bit (i586). Marking as such.

Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK MGA3-32-OK

Testing on mga4 32bit virtualbox.

Packages installed from Core 32bit Updates Testing:
ruby-2.0.0.p594-1.mga4
libruby2.0-2.0.0.p594-1.mga4
ruby-doc-2.0.0.p594-1.mga4
ruby-devel-2.0.0.p594-1.mga4
ruby-tk-2.0.0.p594-1.mga4
ruby-irb-2.0.0.p594-1.mga4

Core Release image support libraries for Tk: tkimg-1.4-2.mga4.i586

There is an unresolved bug in tkimg associated with PNG images. Note that MageiaUpdate does not select ruby-devel - install from the command line. In mga4 rubygems is now included in the ruby package, hence no need for ruby-Rubygems. Ran some general tests as before; no problems. A demonstration script for JPEG image handling in ruby-tk has been attached together with a specimen image.

Created attachment 5591 [details]
Ruby-tk image display test
Use the supplied JPEG image files if you wish.
Created attachment 5592 [details]
Test image for rubyimage.rb
Created attachment 5593 [details]
Test image 2 for rubyimage.rb
Good testing on this one guys. Don't forget to validate updates when they're ready. I'll upload the advisory and validate this one now.

Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates. Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0443.html

Status: NEW => RESOLVED
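The advisory in the description explains that REXML could be coerced into allocating huge strings through entity expansion in text nodes. As an added example, not code from this bug report or from the Mageia packages, the snippet below shows the guard the fixed releases enforce: a byte budget per text node (entity_expansion_text_limit), so a document whose entity references would expand past the budget is refused with a RuntimeError rather than expanded. It assumes a Ruby whose REXML carries the fix (1.9.3-p550 / 2.0.0-p594 or newer); the sample document, the 512-byte budget and the helper names are constructed for the demonstration.

```ruby
require "rexml/document"

# Where the knob lives: the 2014 fix added it as
# REXML::Document.entity_expansion_text_limit; newer rexml releases moved it
# to REXML::Security and keep the Document accessor as an alias.
REXML_LIMITS = defined?(REXML::Security) ? REXML::Security : REXML::Document

# Constructed sample document (not from the bug report): one 64-byte internal
# entity, referenced +refs+ times inside a single text node.
def build_sample_xml(refs)
  <<~XML
    <?xml version="1.0"?>
    <!DOCTYPE note [ <!ENTITY pad "#{'A' * 64}"> ]>
    <note>#{'&pad;' * refs}</note>
  XML
end

# Parse +xml+ and read the root text node with the per-text-node budget set to
# +text_limit+ bytes. REXML expands entity references lazily, so the check
# fires when the text value is read, not while the tree is built.
# Returns [:ok, expanded_bytes] or [:rejected, error_message].
def read_root_text(xml, text_limit)
  previous = REXML_LIMITS.entity_expansion_text_limit
  REXML_LIMITS.entity_expansion_text_limit = text_limit
  doc = REXML::Document.new(xml)
  [:ok, (doc.root.text || "").bytesize]
rescue RuntimeError => e            # REXML raises a plain RuntimeError here
  [:rejected, e.message]
ensure
  REXML_LIMITS.entity_expansion_text_limit = previous   # restore process-wide setting
end

if __FILE__ == $PROGRAM_NAME
  # 8 references x 64 bytes = 512 bytes: exactly at a 512-byte budget, accepted.
  p read_root_text(build_sample_xml(8), 512)
  # 9 references = 576 bytes: over budget, rejected rather than expanded.
  p read_root_text(build_sample_xml(9), 512)
end
```

The limit is process-wide, which is why the helper restores the previous value; in a service you would set it once at startup alongside entity_expansion_limit, the companion cap on the number of expansions.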