| Summary: | ruby new security issues CVE-2022-2873[89] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | ruby-3.1.0-40.mga9.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2022-04-12 22:47:46 CEST
David Walser
2022-04-12 22:48:07 CEST
Whiteboard:
(none) =>
MGA8TOO

Ruby 3.1.2 building for Cauldron, working on 2.7.6 for 8.

Submitted ruby-2.7.6-33.4.mga8

Suggested advisory:
========================

Updated ruby packages fix a security vulnerability

A buffer overrun was found in String-to-Float conversion (CVE-2022-28739).

References:
http://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/
========================

Updated packages in core/updates_testing:
========================
lib{,64}ruby2.7-2.7.6-33.4.mga8
ruby-2.7.6-33.4.mga8
ruby-bigdecimal-2.0.0-33.4.mga8
ruby-bundler-2.2.24-33.4.mga8
ruby-devel-2.7.6-33.4.mga8
ruby-did_you_mean-1.4.0-33.4.mga8
ruby-doc-2.7.6-33.4.mga8
ruby-io-console-0.5.6-33.4.mga8
ruby-irb-2.7.6-33.4.mga8
ruby-json-2.3.0-33.4.mga8
ruby-net-telnet-0.2.0-33.4.mga8
ruby-openssl-2.1.3-33.4.mga8
ruby-power_assert-1.1.7-33.4.mga8
ruby-psych-3.1.0-33.4.mga8
ruby-rake-13.0.1-33.4.mga8
ruby-rdoc-6.2.1.1-33.4.mga8
ruby-RubyGems-3.1.2-33.4.mga8
ruby-test-unit-3.3.4-33.4.mga8
ruby-xmlrpc-0.3.0-33.4.mga8

Source RPMs:
ruby-2.7.6-33.4.mga8.src.rpm
Pascal Terjan
2022-04-14 16:02:28 CEST
Assignee:
pterjan =>
qa-bugs
Thomas Backlund
2022-04-14 19:14:22 CEST
Version:
Cauldron =>
8

mga8, x64
Using ruby every day, main scripting language.
Updated the listed packages.
Used irb for basic command-line tests as in earlier bugs. No regressions noted there.
$ ruby -e "puts (11..17).inject( &:+ )"
98
Ran several local ruby scripts with Tk graphics. No problems.
$ gem list
*** LOCAL GEMS ***
astro_moon (0.2)
benchmark (default: 0.1.0)
bigdecimal (2.0.0)
bundler (2.2.24)
cgi (default: 0.1.0.1)
.........
$ sudo gem uninstall vagrant_cloud
ERROR: While executing gem ... (Gem::InstallError)
vagrant_cloud is not installed in GEM_HOME, try:
gem uninstall -i /usr/share/gems vagrant_cloud
$ sudo gem uninstall -i /usr/share/gems vagrant_cloud
Successfully uninstalled vagrant_cloud-3.0.2
$ sudo gem install nokogiri
Fetching racc-1.6.0.gem
Building native extensions. This could take a while...
Successfully installed racc-1.6.0
Fetching nokogiri-1.13.4-x86_64-linux.gem
Successfully installed nokogiri-1.13.4-x86_64-linux
Parsing documentation for racc-1.6.0
Installing ri documentation for racc-1.6.0
Parsing documentation for nokogiri-1.13.4-x86_64-linux
Installing ri documentation for nokogiri-1.13.4-x86_64-linux
Done installing documentation for racc, nokogiri after 1 seconds
2 gems installed
facter produces a system inventory.
$ facter
architecture => x86_64
blockdevice_nvme0n1_model => Samsung SSD 970 EVO 1TB
blockdevice_nvme0n1_size => 1000204886016
blockdevice_sda_model => Samsung SSD 860
[...]
timezone => BST
uniqueid => a8c06401
uptime => 15 days
uptime_days => 15
uptime_hours => 361
uptime_seconds => 1302505
virtual => physical
There are problems with puppet, currently in updates testing.
Looks like ruby can be used.

CC:
(none) =>
tarazed25
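An added post-update check (example code written for this page, not part of the bug report or of Mageia's packages): it compares the running interpreter against the fixed releases named in this report (2.7.6 for the 2.7 series, 3.1.2 for 3.1) and reports where a gem is installed, which is what decides the `-i /usr/share/gems` argument seen in the test log above. The gem names queried at the bottom are assumptions.

```ruby
# Added example, not code from the bug report or from the ruby package.
# Checks whether the running Ruby is at or past the fixed release for
# CVE-2022-28739 named in the report, and shows where a gem is installed.
require "rubygems"

# Series => first release carrying the fix, as stated in the report.
# Series not listed there are reported as unknown rather than guessed.
FIXED_IN = { "2.7" => "2.7.6", "3.1" => "3.1.2" }.freeze

# true  : version is at or past the fixed release of its series
# false : version is older than the fixed release (needs the update)
# nil   : series is not covered by this report
def patched?(version)
  v = Gem::Version.new(version)
  series = v.segments.first(2).join(".")
  fixed = FIXED_IN[series]
  return nil if fixed.nil?
  v >= Gem::Version.new(fixed)
end

# Install base directories for every installed copy of +gem_name+; this is
# the path to pass as `gem uninstall -i DIR`, since distro gems live under
# /usr/share/gems rather than the default GEM_HOME (see the log above).
def gem_install_dirs(gem_name)
  Gem::Specification.find_all_by_name(gem_name).map(&:base_dir).uniq
end

if $PROGRAM_NAME == __FILE__
  status = patched?(RUBY_VERSION)
  verdict = case status
            when nil   then "series not covered by this report"
            when true  then "at or past the fixed release"
            else            "OLDER than the fixed release, update needed"
            end
  puts "ruby #{RUBY_VERSION}: #{verdict}"
  # Assumed gem names; bundler ships with Ruby, nokogiri appears in the log.
  %w[bundler nokogiri].each do |name|
    dirs = gem_install_dirs(name)
    puts "#{name}: #{dirs.empty? ? 'not installed' : dirs.join(', ')}"
  end
end
```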
Len Lawrence
2022-04-14 20:39:49 CEST
Whiteboard:
(none) =>
MGA8-64-OK

Validating. Advisory in Comment 3.

CC:
(none) =>
andrewsfarm, sysadmin-bugs
David Walser
2022-04-14 23:41:37 CEST
Status comment:
Fixed upstream in 2.7.6 and 3.1.2 =>
(none)
Dave Hodgins
2022-04-15 22:28:03 CEST
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0143.html

Status:
NEW =>
RESOLVED