| Summary: | ruby new security issues CVE-2020-36327, CVE-2021-28965, CVE-2021-31799, CVE-2021-31810, CVE-2021-32066, CVE-2021-4181[679] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, mageia, pterjan, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8TOO MGA8-64-OK | ||
| Source RPM: | ruby-2.7.2-34.mga9.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser
2021-05-29 00:45:11 CEST

David Walser
2021-05-29 00:45:23 CEST

Status comment: (none) => Fixed upstream in 2.7.3

Fedora has issued an advisory for this on April 17:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VF3QUOV6OJPCL64ZDHTQRENRJQZPZO6S/

openSUSE has issued an advisory for this on April 24:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CMW3G6JZK6A7ZRJZ7VOMELHWOQBYPIOY/

Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO

Ubuntu has issued an advisory on July 22:
https://ubuntu.com/security/notices/USN-5020-1

The issues are fixed upstream in 2.7.4:
https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/
https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released/

Summary: ruby new security issue CVE-2021-28965 => ruby new security issues CVE-2021-28965, CVE-2021-31799, CVE-2021-31810, CVE-2021-32066

Fedora has issued an advisory for this today (July 29):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/

It adds CVE-2020-36327 in ruby-bundler, fixed in 2.2.18 (latest is 2.2.20).

Severity: major => critical

Upstream has issued advisories today (November 24):
http://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/
http://www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816/
http://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/

The issues are fixed upstream in 2.7.5:
http://www.ruby-lang.org/en/news/2021/11/24/ruby-2-7-5-released/

Summary: ruby new security issues CVE-2020-36327, CVE-2021-28965, CVE-2021-31799, CVE-2021-31810, CVE-2021-32066 => ruby new security issues CVE-2020-36327, CVE-2021-28965, CVE-2021-31799, CVE-2021-31810, CVE-2021-32066, CVE-2021-4181[679]

Update to 2.7.5 built by Pascal.

What about CVE-2020-36327? I didn't see that in your commit message. If the bundler_version in the SPEC is correct, I guess that still needs to be updated.

ruby-2.7.5-33.1.mga8
ruby-rdoc-6.2.1.1-33.1.mga8
libruby2.7-2.7.5-33.1.mga8
ruby-devel-2.7.5-33.1.mga8
ruby-bundler-2.1.4-33.1.mga8
ruby-RubyGems-3.1.2-33.1.mga8
ruby-openssl-2.1.3-33.1.mga8
ruby-test-unit-3.3.4-33.1.mga8
ruby-rake-13.0.1-33.1.mga8
ruby-irb-2.7.5-33.1.mga8
ruby-psych-3.1.0-33.1.mga8
ruby-bigdecimal-2.0.0-33.1.mga8
ruby-json-2.3.0-33.1.mga8
ruby-xmlrpc-0.3.0-33.1.mga8
ruby-net-telnet-0.2.0-33.1.mga8
ruby-io-console-0.5.6-33.1.mga8
ruby-power_assert-1.1.7-33.1.mga8
ruby-did_you_mean-1.4.0-33.1.mga8
ruby-doc-2.7.5-33.1.mga8

from ruby-2.7.5-33.1.mga8.src.rpm

Thank you, I had indeed missed that CVE-2020-36327 had not been fixed; I'll look into it.

For CVE-2020-36327 RH updated the bundled version to 2.2.24 (from 2.1.4) on RHEL as backporting the fix was too complicated and risked adding bugs. Debian didn't fix it for that reason. Given that RH was also using 2.7.4 and issued the update in July and didn't have to fix it since, I guess we can assume 2.2.24 works well enough with Ruby 2.7 and do the same; I'll update the package.

Pascal updated bundler to 2.2.24.

Package list is now:

ruby-2.7.5-33.2.mga8
libruby2.7-debuginfo-2.7.5-33.2.mga8
ruby-debuginfo-2.7.5-33.2.mga8
libruby2.7-2.7.5-33.2.mga8
ruby-rdoc-6.2.1.1-33.2.mga8
ruby-devel-2.7.5-33.2.mga8
ruby-bundler-2.2.24-33.2.mga8
ruby-RubyGems-3.1.2-33.2.mga8
ruby-openssl-debuginfo-2.1.3-33.2.mga8
ruby-test-unit-3.3.4-33.2.mga8
ruby-openssl-2.1.3-33.2.mga8
ruby-rake-13.0.1-33.2.mga8
ruby-bigdecimal-debuginfo-2.0.0-33.2.mga8
ruby-doc-2.7.5-33.2.mga8
ruby-json-debuginfo-2.3.0-33.2.mga8
ruby-psych-3.1.0-33.2.mga8
ruby-irb-2.7.5-33.2.mga8
ruby-bigdecimal-2.0.0-33.2.mga8
ruby-json-2.3.0-33.2.mga8
ruby-psych-debuginfo-3.1.0-33.2.mga8
ruby-xmlrpc-0.3.0-33.2.mga8
ruby-io-console-debuginfo-0.5.6-33.2.mga8
ruby-io-console-0.5.6-33.2.mga8
ruby-net-telnet-0.2.0-33.2.mga8
ruby-power_assert-1.1.7-33.2.mga8
ruby-did_you_mean-1.4.0-33.2.mga8

from ruby-2.7.5-33.2.mga8.src.rpm

Cauldron hasn't been updated or fixed yet, as Pascal just said on IRC. He is working on updating Cauldron to 3.0 but it needs to wait for 3.1.0. Can we clone this bug report for mga9 and close this one when validated? This will avoid keeping a stable release with a CVE for a long time.

CC: (none) => mageia

Sure.
Nicolas Lécureuil
2021-12-19 00:19:45 CET

Blocks: (none) => 29783

As Pascal is working on updating ruby on mga9 (bug 29783), we can work on this one only for Mageia 8.

Whiteboard: MGA8TOO => (none)

mga8, x86_64

Not competent to investigate the issues listed, so going for a straight install. Removed debuginfo packages and updated the rest without problems. Some simple tests later.

CC: (none) => tarazed25

$ ruby --version
ruby 2.7.5p203 (2021-11-24 revision f69aeb8314) [x86_64-linux]
Some simple exercises in irb:
$ irb
irb(main):001:0> target = "/home\0/lcl/ruby"
=> "/home\u0000/lcl/ruby"
irb(main):002:0> files = Dir.entries( target )
Traceback (most recent call last):
6: from /usr/bin/irb:23:in `<main>'
....
ArgumentError (path name contains null byte)
....
irb(main):006:0> Dir.entries( "." )
=> [".", "..", "rpcbomb.rb", "animate.rb", "#report.22844#", "circular.rb", "cve14033.rb", "example_1.rb", "report.19078", "test", "minitide.gif", "fiddle", "webrick.rb", "malicious.gem", "eventide.jpg", "annotate.rb", "huge-summary-0.0.1.g........
$ irb
irb(main):002:0> sum = (1..10).inject( &:+ )
=> 55
irb(main):003:0> exit
$ ruby -e "puts (1..10).inject( &:+ )"
55
$ gem list
*** LOCAL GEMS ***
astro_moon (0.2)
benchmark (default: 0.1.0)
bigdecimal (2.0.0)
bundler (2.2.24)
cgi (default: 0.1.0.1)
.....
timers (4.3.3)
tk (0.2.0)
tracer (default: 0.1.0)
uri (default: 0.10.0)
wahwah (1.1.1)
webrick (default: 1.6.1)
xmlrpc (0.3.0)
yaml (default: 0.1.0)
Some of the gems were bundled with ruby.
$ sudo gem install nokogiri
Fetching racc-1.6.0.gem
Building native extensions. This could take a while...
Successfully installed racc-1.6.0
Fetching nokogiri-1.12.5-x86_64-linux.gem
Successfully installed nokogiri-1.12.5-x86_64-linux
Parsing documentation for racc-1.6.0
Installing ri documentation for racc-1.6.0
Parsing documentation for nokogiri-1.12.5-x86_64-linux
Installing ri documentation for nokogiri-1.12.5-x86_64-linux
Done installing documentation for racc, nokogiri after 1 seconds
2 gems installed
$ gem owner nokogiri
Owners for gem: nokogiri
- tenderlove
- flavorjones
Ran home-made jukebox which uses gems like mplayer-ruby for sound and video, runs a thread for a countdown and uses a pipe to control mplayer. No problems there or with any other local ruby scripts.
`urpmq --whatrequires lib64ruby2.7` returns 67 names.
$ cat rubyusers | grep -v ruby-
epic5
ice-ruby
kross-interpreters-ruby
lib64ruby2.7
libselinux-ruby
perl-ClearSilver
ruby
vim-enhanced
vim-X11
weechat-ruby
A recursive search returns 651 packages many of which are likely to be bundled gems.
Installed epic5 and ran it from the command line without any investigation.
$ epic5
EPIC Version 5 -- Lugubrious
EPIC Software Labs (2006)
Version (EPIC5-2.1.2), Commit Id (1908) -- Date (20200511)
Compiled by iurt@ec2x1.mageia.org on Wed Jun 17 2020 at 17:11:23 UTC
Process [1928441] connected to tty [/dev/pts/5]
Using terminal type [xterm-256color]
*** I can't find your mailbox.
Added a new CTCP named VERSION
Added a new CTCP named PING
Added a new CTCP named ECHO
[...]
Added a new CTCP named FINGER
Added a new CTCP named TIME
Added a new CTCP named UTC
*** Performing DNS lookup for [irc.efnet.net] (server 0)
*** DNS lookup for server 0 [irc.efnet.net] returned (18) addresses
*** Connecting to server refnum 0 (irc.efnet.net), using address 1
+(193.163.220.3:6667)
<pause>
*** INFO -- Could not connect to server [0] address [1] because of error:
+Connection timed out
*** This server doesn't have any addresses to connect to.
05:19pm [1] <not registered yet> EPIC5 -- Visit http://help.epicsol.org/ for h
>
Leaving that.
Installed puppet, again without investigation but could not get the service to start, for lack of knowledge. /etc/puppetlabs contains configuration files but I am not getting into all that.
A trace on epic5 did show something:
$ grep ruby epic5.trace
openat(AT_FDCWD, "/lib64/libruby.so.2.7", O_RDONLY|O_CLOEXEC) = 3
getcwd("/home/lcl/qa/ruby", 4096) = 18
This shall have to do. Generally OK.

Whiteboard: (none) => MGA8TOO MGA8-64-OK

Validating.

Keywords: (none) => validated_update
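The test session above confirms that the updated interpreter starts, runs irb and installs gems, but none of those commands touch the code paths the update changes. The script below is an added example, not part of the bug report or of the Mageia package, of a check a tester could run against the updated ruby to confirm three of the fixes named in the report are actually present. It assumes the fixed behaviours as published in the upstream advisories linked above (Date.parse raising ArgumentError above its default 128-character limit for CVE-2021-41817, and CGI::Cookie.parse no longer URL-decoding cookie names for CVE-2021-41819), and takes 2.2.18 as the minimum bundler version for CVE-2020-36327 from the report's own figure; the cookie header value is constructed.

```ruby
# Added QA check, not part of the bug report or of the Mageia package.
# Exercises behaviours that the Ruby 2.7.5 / bundler 2.2.24 update changes,
# so an update tester can confirm the fixes are present rather than only
# checking that the interpreter starts. Assumes the upstream fixes as
# published in the advisories linked in the report.
require 'date'
require 'cgi'
require 'rubygems'
require 'bundler/version'

# CVE-2021-41817: Date.parse rejects over-long input (default limit 128
# characters) with an ArgumentError instead of running its regexps for an
# unbounded time. Date::Error is a subclass of ArgumentError, so an unfixed
# interpreter ends up here too, but with an "invalid date" message.
def date_parse_limited?(length = 1000)
  Date.parse("x" * length)
  false
rescue ArgumentError => e
  e.message.include?("limit")
end

# CVE-2021-41819: CGI::Cookie.parse no longer URL-decodes cookie *names*, so a
# percent-encoded name cannot turn into a "__Secure-"/"__Host-" prefixed one
# after parsing. Constructed Cookie header value; a fixed Ruby returns true.
def cookie_names_kept_literal?
  names = CGI::Cookie.parse("%5F%5FSecure-session=abc; __Host-id=1").keys
  names.include?("%5F%5FSecure-session") && !names.include?("__Secure-session")
end

# CVE-2020-36327: fixed in bundler 2.2.18 (the report's figure); the update
# ships 2.2.24. Gem::Version compares numerically, so "2.2.24" > "2.2.3".
def bundler_version_fixed?(version, minimum = "2.2.18")
  Gem::Version.new(version) >= Gem::Version.new(minimum)
end

# Same check against the bundler that the running interpreter loads.
def installed_bundler_fixed?
  bundler_version_fixed?(Bundler::VERSION)
end

if $PROGRAM_NAME == __FILE__
  puts "Date.parse length limit (CVE-2021-41817):      #{date_parse_limited?}"
  puts "Cookie names kept literal (CVE-2021-41819):    #{cookie_names_kept_literal?}"
  puts "bundler #{Bundler::VERSION} >= 2.2.18 (CVE-2020-36327): #{installed_bundler_fixed?}"
end
```

Run it as `ruby check_ruby_update.rb` (any file name will do) on the updated system; each line should print `true`. A `false` on the first two lines means the interpreter's date or cgi gem is still the unfixed one, whichever package version rpm reports.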
Dave Hodgins
2021-12-23 19:35:29 CET

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0579.html

Resolution: (none) => FIXED