Bug 18988

Summary: ruby-eventmachine new security issue fixed upstream in 1.0.7
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: davidwhodgins, sysadmin-bugs, tarazed25, thomas
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/694784/
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Source RPM: ruby-eventmachine-1.0.3-3.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2016-07-19 16:32:41 CEST
Debian-LTS has issued an advisory on July 15:
http://lwn.net/Alerts/694766/

They backported patches from 1.0.7.  The Debian bugs have more information:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678512
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696015

Comment 1 David Walser 2016-07-19 16:33:46 CEST
Looks like we only have this package still because of pcs/glusterfs.

CC: (none) => thomas

Comment 2 David Walser 2016-07-22 17:59:08 CEST
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated ruby-eventmachine packages fix security vulnerability:

EventMachine could be crashed by opening a high number of parallel connections
(>= 1024) towards a server using the EventMachine engine. The crash happens due
to the file descriptors overwriting the stack.

References:
http://lwn.net/Alerts/694766/
========================

Updated packages in core/updates_testing:
========================
ruby-eventmachine-1.0.3-3.1.mga5
ruby-eventmachine-doc-1.0.3-3.1.mga5

from ruby-eventmachine-1.0.3-3.1.mga5.src.rpm

Assignee: pterjan => qa-bugs

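The failure mode the advisory describes, as an added C illustration that is not Mageia's or EventMachine's code: it assumes the crash is the classic select()/FD_SETSIZE case (an fd of 1024 or more makes FD_SET() write past a stack-held fd_set), which the page's 1024 threshold implies but does not name, and shows the bounds check a select()-based reactor needs before registering a descriptor.

```c
/* Added illustration (not Mageia's or EventMachine's code).  Assumption: the
 * advisory's "file descriptors overwriting the stack" is the fd >= FD_SETSIZE
 * case, where FD_SET() on a stack-resident fd_set writes out of bounds.
 * FD_SETSIZE is 1024 on glibc, matching the ">= 1024 connections" threshold. */
#include <errno.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

/* The shape of the bug: FD_SET() performs no bounds check, so registering a
 * descriptor numbered FD_SETSIZE or higher corrupts memory beyond the fd_set.
 * Shown only to contrast with the guarded version below. */
void register_unchecked(int fd, fd_set *readers)
{
    FD_SET(fd, readers); /* undefined behaviour once fd >= FD_SETSIZE */
}

/* Guarded registration: refuse any descriptor the fd_set cannot represent.
 * Returns 0 on success, -1 with errno = EINVAL when fd is out of range. */
int register_guarded(int fd, fd_set *readers)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, readers);
    return 0;
}

/* What an accept loop should do with a connection the reactor cannot track:
 * drop it instead of registering it, so a flood of connections degrades to
 * refused clients rather than a crash.  Returns 1 if the connection was kept,
 * 0 if it was closed because its fd exceeds FD_SETSIZE. */
int accept_into_reactor(int conn_fd, fd_set *readers)
{
    if (register_guarded(conn_fd, readers) == 0)
        return 1;
    fprintf(stderr, "dropping fd %d: beyond FD_SETSIZE (%d)\n",
            conn_fd, FD_SETSIZE);
    close(conn_fd);
    return 0;
}
```

The durable fix is to leave select() behind for poll()/epoll(), which have no FD_SETSIZE ceiling; the guard above is the minimum that keeps a select()-based loop from overwriting its own stack.
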
Comment 3 Len Lawrence 2016-08-04 23:18:59 CEST
Testing this on x86_64 using a ruby chat script found at http://eventmachine.rubyforge.org/file.GettingStarted.html

This uses the eventmachine with a chat server to echo messages when users login via telnet localhost 10000.  User input appears on the server terminal and on the separate client terminals.  Tried this before and after the update and it worked perfectly.  Limited the tests to two users.  Not going to attempt 1024+ connections for the PoC.

I would be glad of some direction on including external source code in the testing arsenal.  Is there a wiki entry about that anywhere?

CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK

Comment 4 Len Lawrence 2016-08-04 23:23:38 CEST
Should have added that there are web application frameworks out there which rely on ruby eventmachine, such as Thin and Goliath.

Comment 5 Len Lawrence 2016-08-05 12:10:02 CEST
Checked this over in a 32-bit vbox.
It worked fine before and after the update.  The eventmachine handled messages from host to vm, vm to vm and external machine to vm.  Messages echoed on all the consoles.

So, on the basis that the service continues to run properly after the update, this can be validated.
Len Lawrence 2016-08-05 12:10:34 CEST

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Dave Hodgins 2016-08-05 15:05:08 CEST

CC: (none) => davidwhodgins
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory

Comment 6 Mageia Robot 2016-08-06 12:51:45 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0276.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED