| Summary: | ruby new security issue CVE-2021-33621 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, pterjan, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | ruby-3.1.2-42.mga9.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser
2022-11-25 17:02:49 CET

David Walser
2022-11-25 17:03:04 CET
Status comment: (none) => Fixed upstream in 2.7.7 and 3.1.3

Fedora has issued an advisory for this today (December 8):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS/

I prepared Ruby 3.1.3 last week and have been using it, but forgot to commit/submit and had missed that it was a security update. I'll try to do that tonight and prepare the update for Mageia 8.

Updated packages uploaded for Mageia 8 and Cauldron by Pascal.

ruby-2.7.7-33.6.mga8
libruby2.7-2.7.7-33.6.mga8
ruby-rdoc-6.2.1.1-33.6.mga8
ruby-devel-2.7.7-33.6.mga8
ruby-bundler-2.2.24-33.6.mga8
ruby-RubyGems-3.1.2-33.6.mga8
ruby-test-unit-3.3.4-33.6.mga8
ruby-openssl-2.1.4-33.6.mga8
ruby-rake-13.0.1-33.6.mga8
ruby-irb-2.7.7-33.6.mga8
ruby-psych-3.1.0-33.6.mga8
ruby-bigdecimal-2.0.0-33.6.mga8
ruby-json-2.3.0-33.6.mga8
ruby-xmlrpc-0.3.0-33.6.mga8
ruby-net-telnet-0.2.0-33.6.mga8
ruby-io-console-0.5.6-33.6.mga8
ruby-power_assert-1.1.7-33.6.mga8
ruby-did_you_mean-1.4.0-33.6.mga8
ruby-doc-2.7.7-33.6.mga8

from ruby-2.7.7-33.6.mga8.src.rpm

Assignee: pterjan => qa-bugs
Thomas Backlund
2022-12-10 20:46:45 CET
Version: Cauldron => 8

mga8, x64

All packages installed cleanly.
I use ruby all the time at a basic level. All my gui scripts are still working.
$ gem list
*** LOCAL GEMS ***
activemodel (4.2.11.3)
activeresource (4.0.0)
activesupport (4.2.11.3)
ast (2.4.2)
astro_moon (0.2)
[...]
xmlrpc (0.3.0)
yaml (default: 0.1.0)
zlib (default: 1.1.0)
$ sudo gem uninstall -i /usr/share/gems nokogiri
You have requested to uninstall the gem:
nokogiri-1.11.7
mechanize-2.7.6 depends on nokogiri (~> 1.6)
mime-types-data-3.2019.1009 depends on nokogiri (~> 1.6, development)
webrobots-0.1.2 depends on nokogiri (>= 1.4.7, ~> 1.4, development)
If you remove this gem, these dependencies will not be met.
Continue with Uninstall? [yN] y
Remove executables:
nokogiri
in addition to the gem? [Yn] n
Executables and scripts will remain installed.
Successfully uninstalled nokogiri-1.11.7
$ sudo gem uninstall -i /usr/share/gems nokogiri
Gem 'nokogiri' is not installed
lcl@canopus:ruby $ sudo gem install nokogiri
Fetching racc-1.6.1.gem
Building native extensions. This could take a while...
Successfully installed racc-1.6.1
Fetching nokogiri-1.13.10-x86_64-linux.gem
Successfully installed nokogiri-1.13.10-x86_64-linux
Parsing documentation for racc-1.6.1
Installing ri documentation for racc-1.6.1
Parsing documentation for nokogiri-1.13.10-x86_64-linux
Installing ri documentation for nokogiri-1.13.10-x86_64-linux
Done installing documentation for racc, nokogiri after 1 seconds
2 gems installed
$ sudo gem install dead_end
Fetching dead_end-4.0.0.gem
Successfully installed dead_end-4.0.0
Parsing documentation for dead_end-4.0.0
Installing ri documentation for dead_end-4.0.0
Done installing documentation for dead_end after 0 seconds
1 gem installed
Tried out the REPL:
$ irb
irb(main):001:0> fruit = %(apples pears oranges lemons).upcase
=> "APPLES PEARS ORANGES LEMONS"
irb(main):002:0> a = [7, 1, -11, 3]
=> [7, 1, -11, 3]
irb(main):003:0> b = [3.1]*5
=> [3.1, 3.1, 3.1, 3.1, 3.1]
irb(main):004:0> c = [a, b, Math.cos(0.0)]
=> [[7, 1, -11, 3], [3.1, 3.1, 3.1, 3.1, 3.1], 1.0]
irb(main):005:0> c.flatten.inject(:+)
=> 16.5
irb(main):006:0> exit
Oneliners:
$ ruby -e "puts (1..10).inject( &:+ )"
55
Create file containing names of all fonts on the system.
$ ruby -r tk -e "TkFont.families.each{|font| puts font}" > allfonts
$ cat allfonts | sort -u
$ head systemfonts
Acadian!"
Acadian™
....
Shallow test of puppet:
$ strace -o puppet.trace puppet help
.....
$ grep libruby puppet.trace
openat(AT_FDCWD, "/lib64/libruby.so.2.7", O_RDONLY|O_CLOEXEC) = 3
These are all shallow tests but it all seems to work.

Whiteboard: (none) => MGA8-64-OK

Validating.

Keywords: (none) => validated_update
Dave Hodgins
2022-12-13 02:17:46 CET
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0454.html

Resolution: (none) => FIXED