| Summary: | ruby new security issues CVE-2015-9096, CVE-2016-2337, CVE-2016-2339 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | lewyssmith, marja11, pterjan, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA6-64-OK MGA5-64-OK advisory | ||
| Source RPM: | ruby-2.2.5-15.mga6.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | File triggering the bug | ||
Description

David Walser 2017-04-04 12:00:43 CEST

David Walser 2017-04-04 12:00:52 CEST

Whiteboard: (none) => MGA5TOO

Assigning to the registered maintainer.

CC: (none) => marja11

Ping Pascal. Any chance you can patch this one?
David Walser 2017-07-07 04:24:10 CEST

Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO
Pascal Terjan 2017-07-08 18:51:56 CEST

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Fixed package available in cauldron and 5/update_testing

Created attachment 9467 [details]
File triggering the bug

(In reply to Pascal Terjan from comment #3)
> Fixed package available in cauldron and 5/update_testing

Nope, the Cauldron update failed to build:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20170707180749.akien.duvel.45207/log/ruby-2.2.7-1.mga6/build.0.20170707180808.log

We'll have to ship it as the first update for Mageia 6.

Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO

Hmm ruby-2.0.0.p648-1.3.mga5 is indeed available in 5/updates_testing but it seems the build in cauldron actually failed so it may end up needing an update too :(

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Pascal Terjan 2017-07-08 18:55:29 CEST

Whiteboard: MGA5TOO => MGA5TOO, MGA6TOO

Packages list for Mageia 5 update:
ruby-2.0.0.p648-1.3.mga5
libruby2.0-2.0.0.p648-1.3.mga5
ruby-doc-2.0.0.p648-1.3.mga5
ruby-devel-2.0.0.p648-1.3.mga5
ruby-tk-2.0.0.p648-1.3.mga5
ruby-irb-2.0.0.p648-1.3.mga5
from ruby-2.0.0.p648-1.3.mga5.src.rpm

This does not appear in madb but testing it anyway.

x86_64 Mate real hardware

Still trying to figure out how this works but here is what happens before the update.

```
$ ruby fiddle_poc.rb
Start args array size : 1
increase size of array
New args array size is : 11
*** Error in `ruby': free(): invalid next size (fast): 0x0000000001afe490 ***
======= Backtrace: =========
/usr/lib64/libc.so.6(+0x7238e)[0x7fa61441838e]
.....................
Abort
```

Updated ruby packages from core updates testing. Ran the PoC test again.

```
$ ruby fiddle_poc.rb
Start args array size : 1
fiddle_poc.rb:16:in `initialize': can't convert nil into Integer (TypeError)
	from fiddle_poc.rb:16:in `new'
	from fiddle_poc.rb:16:in `<main>'
```

That looks better; no abort at least. ruby still working OK.

Ran several of my home-grown scripts, some very complex and all using ruby-tk - no regressions. Started an irb session, tinkered with some simple commands and ran a couple of local scripts as shell commands. All OK.

Good for x86_64.

CC: (none) => tarazed25

(In reply to Len Lawrence from comment #8)
> This does not appear in madb but testing it anyway.

Not assigned to QA yet because we have to wait until Mageia 6 branches to build its update for this, but feel free to test the Mageia 5 update in the meantime.

Ubuntu has issued an advisory for this on July 25:
https://usn.ubuntu.com/usn/usn-3365-1/

It actually fixes several CVEs, including two others I don't think we've seen before:
CVE-2015-9096
CVE-2016-2337

So we should include fixes for those as well.

Summary: ruby new security issue CVE-2016-2339 => ruby new security issues CVE-2015-9096, CVE-2016-2337, CVE-2016-2339

Uploaded ruby-2.0.0.p648-1.4.mga5 and ruby-2.2.7-1.mga6

Advisory:
========================

Updated ruby packages fix security vulnerabilities:

It was discovered that Ruby Net::SMTP incorrectly handled CRLF sequences. A remote attacker could possibly use this issue to inject SMTP commands. (CVE-2015-9096)

Marcin Noga discovered that Ruby incorrectly handled certain arguments in a TclTkIp class method. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-2337)

It was discovered that Ruby Fiddle::Function.new incorrectly handled certain arguments. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-2339)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2339
https://usn.ubuntu.com/usn/usn-3365-1/
========================

Updated packages in core/updates_testing:
========================
ruby-2.0.0.p648-1.4.mga5
libruby2.0-2.0.0.p648-1.4.mga5
ruby-doc-2.0.0.p648-1.4.mga5
ruby-devel-2.0.0.p648-1.4.mga5
ruby-tk-2.0.0.p648-1.4.mga5
ruby-irb-2.0.0.p648-1.4.mga5
ruby-2.2.7-1.mga6
libruby2.2-2.2.7-1.mga6
ruby-doc-2.2.7-1.mga6
ruby-devel-2.2.7-1.mga6
ruby-tk-2.2.7-1.mga6
ruby-power_assert-0.2.2-1.mga6
ruby-irb-2.2.7-1.mga6
ruby-io-console-0.4.3-1.mga6
ruby-test-unit-3.0.8-1.mga6

from SRPMS:
ruby-2.0.0.p648-1.4.mga5.src.rpm
ruby-2.2.7-1.mga6.src.rpm

Version: Cauldron => 6

Testing on mga6, x86_64

PoCs were found for two of the CVEs:

CVE-2016-2337
-------------------------------------------------------------------------
```
require 'tk'
t = TclTkIp.new()
t._cancel_eval(0x11223344)
```
-------------------------------------------------------------------------
CVE-2016-2339
Ruby Fiddle::Function.new Heap Overflow Vulnerability
Attached fiddle_poc.rb which we have seen before.
-------------------------------------------------------------------------
CVE-2015-9096
Could not find a way to test SMTP command injection but could see that the patch to /usr/share/ruby/net/smtp.rb had been applied by the update.

*** Before updates ***

CVE-2016-2337
```
$ irb
irb(main):001:0>require 'tk'
=> true
irb(main):002:0> t = TclTkIp.new()
=> #<TclTkIp:0x000000014f3700 @force_default_encoding=[false], @encoding=[nil]>
irb(main):003:0> t._cancel_eval(0x11223344)
< stack dump >
[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html

Aborted (core dumped)
$
```

CVE-2016-2339
```
$ ruby fiddle_poc.rb
Start args array size : 1
increase size of array
New args array size is : 11
*** Error in `ruby': free(): invalid next size (fast): 0x00000000019bf6d0 ***
< stack dump >
Aborted (core dumped)
```
------------------------------------------------------------------------------

*** After updates ***

CVE-2016-2337
```
$ irb
irb(main):001:0> require 'tk'
=> true
irb(main):002:0> t = TclTkIp.new()
=> #<TclTkIp:0x00000000e4d6d0 @force_default_encoding=[false], @encoding=[nil]>
irb(main):003:0> t._cancel_eval(0x11223344)
TypeError: no implicit conversion of Fixnum into String
	from (irb):3:in `_cancel_eval'
	from (irb):3
	from /bin/irb:11:in `<main>'
irb(main):004:0> quit
$
```

CVE-2016-2339
```
$ ruby fiddle_poc.rb
Start args array size : 1
fiddle_poc.rb:16:in `initialize': can't convert nil into Integer (TypeError)
	from fiddle_poc.rb:16:in `new'
	from fiddle_poc.rb:16:in `<main>'
$
```

No more crash dumps.
irb has already been exercised in the PoC testing.

```
$ sudo gem install nokogiri
Fetching: mini_portile2-2.2.0.gem (100%)
Successfully installed mini_portile2-2.2.0
Fetching: nokogiri-1.8.0.gem (100%)
Building native extensions. This could take a while...
Successfully installed nokogiri-1.8.0
Parsing documentation for mini_portile2-2.2.0
Installing ri documentation for mini_portile2-2.2.0
Parsing documentation for nokogiri-1.8.0
Installing ri documentation for nokogiri-1.8.0
Done installing documentation for mini_portile2, nokogiri after 12 seconds
2 gems installed
$
```

Ran several homegrown ruby scripts without any problems. These make extensive use of ruby-tk and various gems like mplayer-ruby and interact with the bash shell. One downloads and parses METAR data and displays it.
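The SMTP fix from the advisory is the one the QA tests above could not exercise directly (no PoC, only a look at the patched smtp.rb). As an added example, not code from this bug report and not Ruby's own Net::SMTP, here is the class of check that closes CVE-2015-9096: refuse a bare CR or LF in any value that is interpolated into a protocol line. The helper names and the sample addresses are our own.

```ruby
# Added example: the check behind the CVE-2015-9096 fix, written as
# stand-alone helpers (names are ours, not Net::SMTP's API). SMTP is
# line-oriented, so a recipient address carrying a bare CR or LF would end
# the RCPT TO line early and let the remainder be read as a new command.
# RFC 5321 forbids bare CR/LF inside a command line; the fix is to reject
# such input before it is ever written to the socket.

# Raise ArgumentError if +line+ contains a carriage return or line feed;
# return the line unchanged otherwise.
def validate_smtp_line(line)
  if line =~ /[\r\n]/
    raise ArgumentError, "SMTP line must not contain CR or LF"
  end
  line
end

# Build the RCPT TO command for one address, validating the finished line
# so that a hostile address can never become more than one protocol line.
def rcpt_to_line(addr)
  validate_smtp_line("RCPT TO:<#{addr}>")
end

# Application-side pre-check: return the subset of +addrs+ that would be
# rejected, so a mail front end can refuse bad input up front instead of
# failing inside the SMTP session.
def unsafe_recipients(addrs)
  addrs.select { |a| a =~ /[\r\n]/ }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input, not taken from the bug report.
  good = "alice@example.com"
  bad  = "bob@example.com\r\n"   # trailing CRLF: the minimal form of the injection
  puts rcpt_to_line(good)
  begin
    rcpt_to_line(bad)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  p unsafe_recipients([good, bad])
end
```

Run it with `ruby smtp_line_check.rb` (any file name will do): the first address yields a single RCPT TO line, the second is rejected before anything would reach a socket. An unpatched Net::SMTP interpolated the address with no such check, which is the behaviour the advisory describes as incorrect handling of CRLF sequences.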
Len Lawrence 2017-08-20 09:39:51 CEST

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

mga5 x86_64

Tried the PoC for CVE-2016-2337:
```
$ irb
irb(main):001:0> require 'tk'
=> true
irb(main):002:0> t = TclTkIp.new()
=> #<TclTkIp:0x00000001904da8 @force_default_encoding=[false], @encoding=[nil]>
irb(main):003:0> t._cancel_eval(0x11223344)
NotImplementedError: cancel_eval is supported Tcl/Tk8.6 or later.
```
So that is a no-no. In mga5 we have Tk8.5.
```
$ wish
% set tk_version
8.5
%
$ rpm -qa | grep tk | egrep -v 'gtk|Gtk|key|atk|rtk'
ruby-tk-2.0.0.p648-1.1.mga5
lib64gmtk1-1.0.9-3.mga5
tk-8.5.15-3.mga5
lib64tk8.5-8.5.15-3.mga5
gmtk-i18n-1.0.9-3.mga5
tkimg-1.4-5.mga5
$ ruby fiddle_poc.rb
Start args array size : 1
increase size of array
New args array size is : 11
*** Error in `ruby': free(): invalid next size (fast): 0x00000000014ba020 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7238e)[0x7f5c390fc38e]
< stack dump >
Aborted
```

After the updates:

PoC for CVE-2016-2339:
```
$ ruby fiddle_poc.rb
Start args array size : 1
fiddle_poc.rb:16:in `initialize': can't convert nil into Integer (TypeError)
	from fiddle_poc.rb:16:in `new'
	from fiddle_poc.rb:16:in `<main>'
$
```

Ran a few tests to check irb, installing gems, ruby-tk and various local ruby scripts. Everything worked fine.
Len Lawrence 2017-08-20 10:22:05 CEST

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK

Advisory from Comment 12.

Validating; thanks Len for both release tests.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0290.html

Status: NEW => RESOLVED