Bug 14664

Summary: ruby-sprockets new security issue CVE-2014-7819
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: fundawang, herman.viaene, mageia, pterjan, sysadmin-bugs, tarazed25
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/623208/
Whiteboard: advisory MGA4-64-OK MGA4-32-OK
Source RPM: ruby-sprockets-2.12.1-4.mga5.src.rpm CVE:
Status comment:

Description David Walser 2014-11-26 15:52:09 CET 
OpenSuSE has issued an advisory today (November 26):
http://lists.opensuse.org/opensuse-updates/2014-11/msg00105.html

The issue is fixed upstream in 2.10.2 and 2.12.2, among others.

Mageia 4 is also affected.

The Novell bug has more information and a patch for the 2.12 series:
https://bugzilla.suse.com/show_bug.cgi?id=903658

Reproducible: 

Steps to Reproduce:
David Walser 2014-11-26 15:52:24 CET

CC: (none) => fundawang
Whiteboard: (none) => MGA4TOO

David Walser 2014-11-26 18:24:13 CET

URL: (none) => http://lwn.net/Vulnerabilities/623208/

Comment 1 Pascal Terjan 2014-11-26 19:29:49 CET 
2.12.3 last month fixed another security issue:


2.12.3 (October 28, 2014)

Security: Fix directory traversal bug in development mode server.

2.12.2 (September 5, 2014)

Ensure internal asset lookups calls are still restricted to load paths within asset compiles. Though, you should not depend on internal asset resolves to be completely restricted for security reasons. Assets themselves should be considered full scripting environments with filesystem access.
Comment 2 Pascal Terjan 2014-11-26 21:23:25 CET 
2.12.3 submitted to cauldron, I'll look at updates
Comment 3 David Walser 2014-11-27 15:34:52 CET 
Just for reference, OpenSuSE has issued advsiories for more recent versions of sprockets today (November 27):
http://lists.opensuse.org/opensuse-updates/2014-11/msg00110.html
http://lists.opensuse.org/opensuse-updates/2014-11/msg00111.html
Comment 4 Sander Lepik 2015-01-24 14:01:11 CET 
(In reply to Pascal Terjan from comment #2)
> 2.12.3 submitted to cauldron, I'll look at updates

Ping...

CC: (none) => mageia

Comment 5 Sander Lepik 2015-01-31 14:29:23 CET 
Dropped from cauldron for now, resubmit if mga4 is fixed and there is maintainer who cares about it..

Hardware: i586 => All
Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)

Comment 6 David Walser 2015-02-14 00:56:28 CET 
Patched package uploaded for Mageia 4 by Pascal.  Thanks Pascal!

Advisory:
========================

Updated ruby-sprockets packages fix security vulnerabilities:

Multiple directory traversal vulnerabilities in server.rb in Sprockets 2.12.x
before 2.12.3, allow remote attackers to determine the existence of files
outside the application root via a ../ (dot dot slash) sequence with double
slashes or URL encoding (CVE-2014-7819).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7819
http://lists.opensuse.org/opensuse-updates/2014-11/msg00111.html
========================

Updated packages in core/updates_testing:
========================
ruby-sprockets-2.10.0-4.1.mga4
ruby-sprockets-doc-2.10.0-4.1.mga4

from ruby-sprockets-2.10.0-4.1.mga4.src.rpm

CC: (none) => pterjan
Assignee: pterjan => qa-bugs

Comment 7 Herman Viaene 2015-02-17 13:37:53 CET 
MGA4-64 on HP Probook 6555b.
No installation issues.
On CLI:
urpmq --urpmq --whatrequires ruby-sprockets
ruby-sprockets
ruby-sprockets-doc
ruby-sprockets-rails
ruby-sprockets-rails.

So I haved no idea how to test this.

CC: (none) => herman.viaene

Comment 8 Pascal Terjan 2015-02-17 13:40:23 CET 
I unfortunately have no idea either.

They have unit tests that are not shipped in the relase...
Herman Viaene 2015-02-17 13:49:27 CET

Whiteboard: (none) => MGA4-64-OK

Comment 9 Herman Viaene 2015-02-17 13:55:42 CET 
MGA4-32 on Acer D620
No installation issues.

Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Comment 10 claire robinson 2015-02-17 16:50:32 CET 
Len any ideas on this one?
Comment 11 claire robinson 2015-02-17 18:46:38 CET 
Advisory uploaded.

Whiteboard: MGA4-64-OK MGA4-32-OK => advisory MGA4-64-OK MGA4-32-OK

Comment 12 Len Lawrence 2015-02-17 20:30:32 CET 
to Claire comment 10

Not off-hand.  The problem is I have no time to spare for QA right now because of a deadline concerning the Scottish Court and appointments with solicitors over the business of probate. Documents to sort out and a final account to prepare.  Time consuming work for me.

However, I shall try to have a quick look this evening.  It is not familiar territory.

CC: (none) => tarazed25

Comment 13 Len Lawrence 2015-02-17 21:19:27 CET 
Rack-based asset packaging system that concatenates and serves JavaScript, CoffeeScript, CSS, LESS, Sass, and SCSS.

https://www.ruby-toolbox.com/projects/sprockets

http://en.wikipedia.org/wiki/Rack_(web_server_interface)

So, it might need Rack as a web server.  No ideas at this point.
Comment 14 claire robinson 2015-02-17 21:20:39 CET 
Alright Len, thanks for looking. I'll validate it later.
Comment 15 claire robinson 2015-02-17 22:01:53 CET 
Validating. Advisory already uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 16 Mageia Robot 2015-02-19 15:43:43 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0074.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED