| Summary: | ruby-RubyGems new security issue CVE-2015-3900 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | fundawang, pterjan, sysadmin-bugs, tarazed25, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/654153/ | ||
| Whiteboard: | MGA4TOO advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK | ||
| Source RPM: | ruby-RubyGems-2.1.11-5.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description

David Walser 2015-06-26 16:39:06 CEST

David Walser 2015-06-26 16:39:18 CEST

CC: (none) => fundawang

Fedora has issued an advisory for this on August 1:
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163600.html

URL: (none) => http://lwn.net/Vulnerabilities/654153/

ruby-RubyGems should be updated to 2.2.5, syncing with these Fedora commits:
http://pkgs.fedoraproject.org/cgit/rubygems.git/commit/?h=f21&id=6aa4b2f223987a0ea3fe06da1633058174ccf871
http://pkgs.fedoraproject.org/cgit/rubygems.git/commit/?h=f21&id=e83e17c1c3ad23f615c2226e937207f39da1afb4

Severity: normal => critical

Pascal was able to locate patches for this. He also added a part of the test suite that runs at build time and verifies that the CVE is fixed. Thanks Pascal!

Advisory:
========================

Updated ruby-RubyGems package fixes security vulnerability:

RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack" (CVE-2015-3900).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3900
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/164236.html
========================

Updated packages in core/updates_testing:
========================
ruby-RubyGems-2.1.11-3.1.mga4
ruby-RubyGems-2.1.11-5.1.mga5

from SRPMS:
ruby-RubyGems-2.1.11-3.1.mga4.src.rpm
ruby-RubyGems-2.1.11-5.1.mga5.src.rpm

CC: (none) => pterjan

Testing with x86_64 Mate 3.19.8-desktop-3.mga5.

ruby-RubyGems-2.1.11-5 was already in use. Installed ruby-RubyGems-2.1.11-5.1.mga5 and tried installing a few random gems, e.g.

```
[lcl@vega ~/test]$ sudo gem install mplay
Fetching: helpema-0.1.0.gem (100%)
Successfully installed helpema-0.1.0
Fetching: base_convert-2.0.0.gem (100%)
Successfully installed base_convert-2.0.0
Fetching: mplay-2.4.0.gem (100%)
Successfully installed mplay-2.4.0
Parsing documentation for base_convert-2.0.0
Installing ri documentation for base_convert-2.0.0
Parsing documentation for helpema-0.1.0
Installing ri documentation for helpema-0.1.0
Parsing documentation for mplay-2.4.0
Installing ri documentation for mplay-2.4.0
Done installing documentation for base_convert, helpema, mplay after 0 seconds
3 gems installed

[lcl@vega ~/test]$ sudo gem list

*** LOCAL GEMS ***

astro_moon (0.2)
base_convert (2.0.0)
bindata (1.5.1)
helpema (0.1.0)
json (1.8.1)
mp3info (0.8.5)
mp4info2 (1.7.4)
mplay (2.4.0)
mplayer-ruby (0.2.0)
mplayer.rb (0.0.2)
open4 (1.3.4)
parallel (1.6.1)
rake (10.4.2)
rdoc (4.0.1)
ruby-mp3info (0.8.7)
ruby-yui (0.0.7)
rubyswig (0.0.1)
```

Since it is not obvious how to check the security issue, is it sufficient just to ensure that the application runs OK?

CC: (none) => tarazed25

One of the links contained this command, but it does not seem to be relevant to the test.

```
[lcl@vega ~/test]$ dig _rubygems._tcp.rubygems.org SRV

; <<>> DiG 9.10.2-P3 <<>> _rubygems._tcp.rubygems.org SRV
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24395
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_rubygems._tcp.rubygems.org.	IN	SRV

;; ANSWER SECTION:
_rubygems._tcp.rubygems.org. 600 IN SRV 0 1 80 api.rubygems.org.

;; Query time: 30 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sat Sep 05 17:02:08 BST 2015
;; MSG SIZE  rcvd: 92
```

Testing in mga5 on i586 virtual box.

```
[lcl@cursa ~]$ gem list

*** LOCAL GEMS ***

json (1.8.1)
rdoc (4.0.1)
```

Installed ruby-RubyGems-2.1.11-5.1.mga5.noarch.

```
[lcl@cursa ~]$ sudo gem install mplayer-ruby
Fetching: open4-1.3.4.gem (100%)
Successfully installed open4-1.3.4
Fetching: mplayer-ruby-0.2.0.gem (100%)
Successfully installed mplayer-ruby-0.2.0
Parsing documentation for mplayer-ruby-0.2.0
Installing ri documentation for mplayer-ruby-0.2.0
Parsing documentation for open4-1.3.4
Installing ri documentation for open4-1.3.4
Done installing documentation for mplayer-ruby, open4 after 0 seconds
2 gems installed

[lcl@cursa ~]$ sudo gem install astro_moon
Fetching: astro_moon-0.2.gem (100%)
Successfully installed astro_moon-0.2
Parsing documentation for astro_moon-0.2
Installing ri documentation for astro_moon-0.2
Done installing documentation for astro_moon after 0 seconds
1 gem installed

[lcl@cursa ~]$ gem list

*** LOCAL GEMS ***

astro_moon (0.2)
json (1.8.1)
mplayer-ruby (0.2.0)
open4 (1.3.4)
rdoc (4.0.1)
```

Working fine for 32-bit as well.

In VirtualBox, M4, KDE, 32-bit

Package(s) under test: ruby-RubyGems

default install of ruby-RubyGems

```
[root@localhost wilcal]# urpmi ruby-RubyGems
Package ruby-RubyGems-2.1.11-3.mga4.noarch is already installed
```

Package works

install package from updates_testing

For some reason neither the MCC nor urpmi ( urpmi ruby-rack ) sees the ruby-RubyGems-2.1.11-3.1.mga4 package in the updates_testing repo. Even though it's there.

CC: (none) => wilcal.int

correction:

In VirtualBox, M4, KDE, 32-bit

Package(s) under test: ruby-RubyGems

default install of ruby-RubyGems

```
[root@localhost wilcal]# urpmi ruby-RubyGems
Package ruby-RubyGems-2.1.11-3.mga4.noarch is already installed
```

Package works

install package from updates_testing

For some reason neither the MCC nor urpmi ( urpmi ruby-RubyGems ) sees the ruby-RubyGems-2.1.11-3.1.mga4 package in the updates_testing repo. Even though it's there.

That is odd Bill - it showed up here.

Testing on 32-bit vbox with kernel 3.14.43-desktop-1.mga4

RubyGems already installed. Installed ruby-RubyGems-2.1.11-3.1.mga4.noarch

```
[lcl@alcor ~]$ sudo gem install mplayer-ruby
Fetching: open4-1.3.4.gem (100%)
Successfully installed open4-1.3.4
Fetching: mplayer-ruby-0.2.0.gem (100%)
Successfully installed mplayer-ruby-0.2.0
Parsing documentation for mplayer-ruby-0.2.0
Installing ri documentation for mplayer-ruby-0.2.0
Parsing documentation for open4-1.3.4
Installing ri documentation for open4-1.3.4
Done installing documentation for mplayer-ruby, open4 after 0 seconds
2 gems installed

[lcl@alcor ~]$ gem list

*** LOCAL GEMS ***

astro_moon (0.2)
json (1.7.7)
mplayer-ruby (0.2.0)
open4 (1.3.4)
rdoc (4.0.1)
```

(In reply to Len Lawrence from comment #9)
> That is odd Bill - it showed up here.

Something funky with my local repo. Went directly to mirrors.kernel.org and that works fine.

In VirtualBox, M4, KDE, 32-bit

Package(s) under test: ruby-RubyGems

default install of ruby-RubyGems

```
[root@localhost wilcal]# urpmi ruby-RubyGems
Package ruby-RubyGems-2.1.11-3.mga4.noarch is already installed
```

ruby-RubyGems installs cleanly

install ruby-RubyGems from updates_testing

```
[root@localhost wilcal]# urpmi ruby-RubyGems
Package ruby-RubyGems-2.1.11-3.1.mga4.noarch is already installed
```

ruby-RubyGems updates cleanly

Whiteboard: MGA4TOO => MGA4TOO MGA4-32-OK

In VirtualBox, M4, KDE, 64-bit

Package(s) under test: ruby-RubyGems

default install of ruby-RubyGems

```
[root@localhost wilcal]# urpmi ruby-RubyGems
Package ruby-RubyGems-2.1.11-3.mga4.noarch is already installed
```

ruby-RubyGems installs cleanly

install ruby-RubyGems from updates_testing

```
[root@localhost wilcal]# urpmi ruby-RubyGems
Package ruby-RubyGems-2.1.11-3.1.mga4.noarch is already installed
```

ruby-RubyGems updates cleanly

Whiteboard: MGA4TOO MGA4-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK

In VirtualBox, M5, KDE, 32-bit

Package(s) under test: ruby-RubyGems

default install of ruby-RubyGems

```
[root@localhost wilcal]# urpmi ruby-RubyGems
Package ruby-RubyGems-2.1.11-5.mga5.noarch is already installed
```

ruby-RubyGems installs cleanly

install ruby-RubyGems from updates_testing

```
[root@localhost wilcal]# urpmi ruby-RubyGems
Package ruby-RubyGems-2.1.11-5.1.mga5.noarch is already installed
```

ruby-RubyGems updates cleanly

Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK

In VirtualBox, M5, KDE, 64-bit

Package(s) under test: ruby-RubyGems

default install of ruby-RubyGems

```
[root@localhost wilcal]# urpmi ruby-RubyGems
Package ruby-RubyGems-2.1.11-5.mga5.noarch is already installed
```

ruby-RubyGems installs cleanly

install ruby-RubyGems from updates_testing

```
[root@localhost wilcal]# urpmi ruby-RubyGems
Package ruby-RubyGems-2.1.11-5.1.mga5.noarch is already installed
```

ruby-RubyGems updates cleanly

Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK

This bug updates cleanly. Testing complete for MGA4 & MGA5, 32-bit & 64-bit.

Validating the update. Could someone from the sysadmin team push to updates. Thanks

Keywords: (none) => validated_update

Advisory uploaded.

Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK => MGA4TOO advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0345.html

Status: NEW => RESOLVED
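As an added illustration of the check the advisory in this report describes (example code written for this page, not RubyGems' own fetcher and not part of the bug report): the host named by the `_rubygems._tcp.<source host>` SRV record is honoured only when it is the source host itself or a subdomain of it. The SRV answers below are constructed stand-ins kept in a hash so that no DNS lookup is made.

```ruby
require 'uri'

# Constructed stand-in for DNS SRV answers keyed by the gem source host.
# In a real fetcher these would come from a resolver; here they are fixed so
# the example runs offline. Targets carry the trailing dot a resolver returns.
FAKE_SRV = {
  'rubygems.org' => 'api.rubygems.org.',            # genuine subdomain
  'gems.example' => 'attacker.example.',            # unrelated domain
  'gems.test'    => 'gems.test.attacker.example.',  # host only as a prefix
}

# Unchecked behaviour (the CVE-2015-3900 flaw): whatever host the SRV record
# names becomes the API endpoint, so a crafted record redirects every request.
def api_endpoint_unchecked(source_uri)
  uri    = URI.parse(source_uri)
  target = FAKE_SRV.fetch(uri.host, uri.host).chomp('.')
  URI.parse("#{uri.scheme}://#{target}#{uri.path}")
end

# True only when target is host itself or ends with ".host"; a plain
# substring test would wrongly accept "gems.test.attacker.example".
def within_source_domain?(host, target)
  target == host || target.end_with?(".#{host}")
end

# Checked behaviour: the SRV target is used only inside the source host's
# domain; otherwise the fetcher stays on the source URI it was configured with.
def api_endpoint_checked(source_uri)
  uri    = URI.parse(source_uri)
  host   = uri.host.downcase
  target = FAKE_SRV.fetch(host, host).chomp('.').downcase
  return uri unless within_source_domain?(host, target)
  URI.parse("#{uri.scheme}://#{target}#{uri.path}")
end

if __FILE__ == $PROGRAM_NAME
  FAKE_SRV.each_key do |h|
    src = "https://#{h}/"
    puts "#{src}: unchecked -> #{api_endpoint_unchecked(src).host}, " \
         "checked -> #{api_endpoint_checked(src).host}"
  end
end
```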