| Summary: | ruby-ox new security issue CVE-2017-15928 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, pterjan, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | ruby-ox-2.6.0-0.mga7.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 2.8.2 | ||
Description
David Walser 2017-11-17 17:33:53 CET

David Walser 2018-02-02 18:40:17 CET
Status comment: (none) => Fixed upstream in 2.8.2

Updated in Cauldron by Pascal, currently at 2.10.0.

Version: Cauldron => 6

Reproducer:
ruby -rox -e 'Ox.parse_obj("<k><s></s></k>")'
Trying on a Mageia 6... the package is broken:
$ ruby -rox -e 'Ox.parse_obj("<k><s></s></k>")'
/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:54:in `require': cannot load such file -- ox/ox (LoadError)
from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:54:in `require'
from /usr/share/gems/gems/ox-2.3.0/lib/ox.rb:78:in `<top (required)>'
from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:128:in `require'
from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:128:in `rescue in require'
from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:39:in `require'
After fixing problems with the package, I can reproduce:
ruby -rox -e 'Ox.parse_obj("<k><s></s></k>")'
-e:1: [BUG] Segmentation fault at 0x00000000000008
ruby 2.2.10p489 (2018-03-28 revision 63023) [x86_64-linux]
-- Control frame information -----------------------------------------------
c:0003 p:---- s:0008 e:000007 CFUNC :parse_obj
c:0002 p:0013 s:0004 E:001b50 EVAL -e:1 [FINISH]
c:0001 p:0000 s:0002 E:000bd0 TOP [FINISH]
-- Ruby level backtrace information ----------------------------------------
-e:1:in `<main>'
-e:1:in `parse_obj'
-- Machine register context ------------------------------------------------
RIP: 0x00007f9629456178 RBP: 0x00007ffeafb24ff0 RSP: 0x00007ffeafb24910
RAX: 0x00007ffeafb25008 RBX: 0x00007ffeafb24ff0 RCX: 0x00007ffeafb24ff0
RDX: 0x00007ffeafb24ff0 RDI: 0x0000000000000000 RSI: 0x0000000000000000
R8: 0x0000000000000000 R9: 0x0000000000000064 R10: 0x0000000000000830
R11: 0x00000000006f0ec8 R12: 0x00007ffeafb25008 R13: 0x00000000009ee710
R14: 0x00007ffeafb252a6 R15: 0x00007ffeafb252a4 EFL: 0x0000000000010246
-- C level backtrace information -------------------------------------------
/lib64/libruby.so.2.2 [0x7f962b04eec5]
/lib64/libruby.so.2.2 [0x7f962b04f0fc]
/lib64/libruby.so.2.2 [0x7f962af2baeb]
/lib64/libruby.so.2.2 [0x7f962afe25de]
/lib64/libc.so.6 [0x7f962ab3e8a0]
/usr/lib64/gems/ruby/ox-2.3.0/ox/ox.so [0x7f9629456178]
/usr/lib64/gems/ruby/ox-2.3.0/ox/ox.so [0x7f9629445d09]
/usr/lib64/gems/ruby/ox-2.3.0/ox/ox.so [0x7f96294467df]
/usr/lib64/gems/ruby/ox-2.3.0/ox/ox.so(ox_parse+0x17c) [0x7f9629446e4c]
/usr/lib64/gems/ruby/ox-2.3.0/ox/ox.so [0x7f962944d719]
/lib64/libruby.so.2.2 [0x7f962b0386eb]
/lib64/libruby.so.2.2 [0x7f962b04904e]
/lib64/libruby.so.2.2 [0x7f962b03da6a]
/lib64/libruby.so.2.2 [0x7f962b042c37]
/lib64/libruby.so.2.2(rb_iseq_eval_main+0x7f) [0x7f962b043e3f]
/lib64/libruby.so.2.2 [0x7f962af2ef5d]
/lib64/libruby.so.2.2(ruby_exec_node+0x1d) [0x7f962af30a5d]
/lib64/libruby.so.2.2(ruby_run_node+0x1e) [0x7f962af329ce]
ruby [0x4008ab]
/lib64/libc.so.6(__libc_start_main+0xf0) [0x7f962ab2b600]
ruby [0x4008d9]
-- Other runtime information -----------------------------------------------
* Loaded script: -e
* Loaded features:
0 enumerator.so
1 rational.so
2 complex.so
3 /usr/lib64/ruby/enc/encdb.so
4 /usr/lib64/ruby/enc/trans/transdb.so
5 /usr/share/ruby/unicode_normalize.rb
6 /usr/lib64/ruby/rbconfig.rb
7 thread.rb
8 /usr/lib64/ruby/thread.so
9 /usr/share/rubygems/rubygems/compatibility.rb
10 /usr/share/rubygems/rubygems/defaults.rb
11 /usr/share/rubygems/rubygems/deprecate.rb
12 /usr/share/rubygems/rubygems/errors.rb
13 /usr/share/rubygems/rubygems/version.rb
14 /usr/share/rubygems/rubygems/requirement.rb
15 /usr/share/rubygems/rubygems/platform.rb
16 /usr/share/rubygems/rubygems/basic_specification.rb
17 /usr/share/rubygems/rubygems/stub_specification.rb
18 /usr/share/rubygems/rubygems/util/stringio.rb
19 /usr/share/rubygems/rubygems/specification.rb
20 /usr/share/rubygems/rubygems/exceptions.rb
21 /usr/share/rubygems/rubygems/defaults/operating_system.rb
22 /usr/share/rubygems/rubygems/core_ext/kernel_gem.rb
23 /usr/share/ruby/monitor.rb
24 /usr/share/rubygems/rubygems/core_ext/kernel_require.rb
25 /usr/share/rubygems/rubygems.rb
26 /usr/share/rubygems/rubygems/path_support.rb
27 /usr/share/rubygems/rubygems/dependency.rb
28 /usr/share/gems/gems/ox-2.3.0/lib/ox/version.rb
29 /usr/share/gems/gems/ox-2.3.0/lib/ox/error.rb
30 /usr/share/gems/gems/ox-2.3.0/lib/ox/hasattrs.rb
31 /usr/share/gems/gems/ox-2.3.0/lib/ox/node.rb
32 /usr/share/gems/gems/ox-2.3.0/lib/ox/comment.rb
33 /usr/share/gems/gems/ox-2.3.0/lib/ox/raw.rb
34 /usr/share/gems/gems/ox-2.3.0/lib/ox/instruct.rb
35 /usr/share/gems/gems/ox-2.3.0/lib/ox/cdata.rb
36 /usr/share/gems/gems/ox-2.3.0/lib/ox/doctype.rb
37 /usr/share/gems/gems/ox-2.3.0/lib/ox/element.rb
38 /usr/share/gems/gems/ox-2.3.0/lib/ox/document.rb
39 /usr/share/gems/gems/ox-2.3.0/lib/ox/bag.rb
40 /usr/share/gems/gems/ox-2.3.0/lib/ox/sax.rb
41 /usr/lib64/gems/ruby/bigdecimal-1.2.7/bigdecimal.so
42 /usr/lib64/ruby/date_core.so
43 /usr/share/ruby/date.rb
44 /usr/share/ruby/time.rb
45 /usr/lib64/ruby/stringio.so
46 /usr/lib64/gems/ruby/ox-2.3.0/ox/ox.so
47 /usr/share/gems/gems/ox-2.3.0/lib/ox.rb
[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html
Aborted (core dumped)
Given that the package was totally broken, it is safe to update it to the new version
$ ruby -rox -e 'Ox.parse_obj("<k><s></s></k>")'
-e:1:in `parse_obj': Corrupt parse stack, container is wrong type at line 1, column 11 [obj_load.c:780] (Ox::ParseError)
from -e:1:in `<main>'
ruby-ox-2.8.2-1.mga6 submitted to 6/core/updates_testing

I guess it should not be a security update as the package was not vulnerable given that the module could not be loaded.

(In reply to Pascal Terjan from comment #4)
> I guess it should not be a security update as the package was not vulnerable
> given that the module could not be loaded.

I supposed that depends on what "fixing problems with the package" entails. I don't suppose it really matters, as probably nobody is using it.

Advisory:
========================

Updated ruby-ox packages fix security vulnerability:

In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation fault when a crafted input is supplied to parse_obj (CVE-2017-15928).

Also, the package was broken and has been fixed to function properly.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15928
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OK6EYA4PVGIWEVEFBF2JSYUCEO7HG7FS/
========================

Updated packages in core/updates_testing:
========================
ruby-ox-2.8.2-1.mga6
ruby-ox-doc-2.8.2-1.mga6

from ruby-ox-2.8.2-1.mga6.src.rpm

Assignee: pterjan => qa-bugs

mga6, x86_64
After installing ruby-bigdecimal
$ ruby -rox -e 'Ox.parse_obj("<k><s></s></k>")'
/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:54:in `require': cannot load such file -- ox/ox (LoadError)
from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:54:in `require'
from /usr/share/gems/gems/ox-2.3.0/lib/ox.rb:78:in `<top (required)>'
from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:128:in `require'
from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:128:in `rescue in require'
from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:39:in `require'
After updating the two files:
$ ruby -rox -e 'Ox.parse_obj("<k><s></s></k>")'
-e:1:in `parse_obj': Corrupt parse stack, container is wrong type at line 1, column 11 [obj_load.c:780] (Ox::ParseError)
from -e:1:in `<main>'
Examples of use at https://www.rubydoc.info/gems/ox/2.4.2/Ox
$ cat generic.rb
require 'ox'
doc = Ox::Document.new(:version => '1.0')
top = Ox::Element.new('top')
top[:name] = 'sample'
doc << top
mid = Ox::Element.new('middle')
mid[:name] = 'second'
top << mid
bot = Ox::Element.new('bottom')
bot[:name] = 'third'
mid << bot
xml = Ox.dump(doc)
puts xml
doc2 = Ox.parse(xml)
puts "Same? #{doc == doc2}"
$ ruby generic.rb
<top name="sample">
<middle name="second">
<bottom name="third"/>
</middle>
</top>
Same? false
-----------------------------------------------------------
$ cat sample.rb
require 'ox'
class Sample
attr_accessor :a, :b, :c
def initialize(a, b, c)
@a = a
@b = b
@c = c
end
end
# Create Object
obj = Sample.new(1, "bee", ['x', :y, 7.0])
# Now dump the Object to an XML String.
xml = Ox.dump(obj)
puts xml
# Convert the object back into a Sample Object.
obj2 = Ox.parse_obj(xml)
$ ruby sample.rb
<o c="Sample">
<i a="@a">1</i>
<s a="@b">bee</s>
<a a="@c">
<s>x</s>
<m>y</m>
<f>7</f>
</a>
</o>
Looks like it is working.

CC: (none) => tarazed25

Note that the "packaging faults" must have affected the before test because it did not segfault. ruby-bigdecimal had to be installed for a start. Could not find enumerable.so but most of the features mentioned in comment 2 seemed to be there. I guess the advisory needs to be pushed. Validating this.

Keywords: (none) => validated_update
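A structural pre-check for the Ox object markup shown in sample.rb above, added here as an example (not code from the bug report or from the Ox project): it walks the tags with a container stack, the way the parser's own "parse stack" does, and rejects a scalar element that receives a child, an element name it does not know such as <k>, or a mismatched close tag, so malformed input can be refused before it reaches Ox.parse_obj. The accepted tag set (o, a, i, s, m, f) is taken from the page's own output; treating every other tag as an error is this example's own conservative assumption, not Ox's grammar.

```ruby
# Added example, not part of the bug report or the Ox gem. Tag meanings
# come from the sample.rb output above (o=object, a=array, i=integer,
# s=string, m=symbol, f=float); rejecting anything else is an assumption.
CONTAINERS = %w[o a].freeze       # may hold child elements
SCALARS    = %w[i s m f].freeze   # hold text only, never children

class OxShapeError < StandardError; end

# Tokens: an opening/closing/self-closing tag, or a run of text.
TOKEN = /<(\/?)([a-z]+)((?:\s+[a-z]+="[^"]*")*)\s*(\/?)>|([^<]+)/

# Returns true when the markup nests consistently; raises OxShapeError
# with a message in the spirit of "container is wrong type" otherwise.
def check_ox_object_xml(xml)
  stack = [] # element names currently open, innermost last
  xml.scan(TOKEN) do |closing, name, _attrs, selfclose, text|
    if text
      next if text.strip.empty?
      # Text is only legal directly inside a scalar element.
      raise OxShapeError, "text outside a scalar" unless SCALARS.include?(stack.last)
      next
    end
    if closing == "/"
      raise OxShapeError, "unexpected </#{name}>" unless stack.last == name
      stack.pop
      next
    end
    unless CONTAINERS.include?(name) || SCALARS.include?(name)
      raise OxShapeError, "unknown element <#{name}>"
    end
    if stack.any? && SCALARS.include?(stack.last)
      # A scalar is being used as a container: the shape parse_obj rejects.
      raise OxShapeError, "container is wrong type: <#{name}> inside <#{stack.last}>"
    end
    stack.push(name) unless selfclose == "/"
  end
  raise OxShapeError, "unclosed <#{stack.last}>" unless stack.empty?
  true
end
```

Run it on untrusted input first and only hand the string to Ox.parse_obj when it returns true; with ruby-ox 2.8.2 the gem itself also raises Ox::ParseError on the reproducer, so rescuing that remains the second line of defence.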
Dave Hodgins 2019-04-04 15:29:23 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0123.html

Status: NEW => RESOLVED