| Summary: | ruby new security issues CVE-2023-28755 and CVE-2023-28756 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Pascal Terjan <pterjan> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | nicolas.salguero, tarazed25 |
| Version: | Cauldron | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8TOO MGA8-64-OK | ||
| Source RPM: | ruby-3.1.3-43.mga9.src.rpm, ruby-time-0.2.0-1.mga9.src.rpm | CVE: | |
| Status comment: | Fixed upstream in ruby 3.1.4 and ruby-time 0.2.2 | ||
Description

David Walser 2023-03-30 20:21:05 CEST

David Walser 2023-03-30 20:21:18 CEST

Whiteboard: (none) => MGA8TOO

ruby 3.1.4 submitted for cauldron/updates_testing and move requested
ruby-time 0.2.2 submitted for cauldron/updates_testing and move requested
ruby 2.7.8 submitted for 8/updates_testing
Test for CVE-2023-28755:

Before, time is exponential:

```console
$ for t in 5 10 20; do time ruby -ruri -e 'begin; URI.parse("https://example.com/dir/" + "a" * '$t'0000 + "/##.jpg"); rescue URI::InvalidURIError; end'; done

real 0m0.859s
user 0m0.858s
sys 0m0.000s

real 0m3.216s
user 0m3.205s
sys 0m0.010s

real 0m13.181s
user 0m13.171s
sys 0m0.010s
```

After, it no longer gets slower as the number grows:

```console
$ for t in 5 10 20; do time ruby -ruri -e 'begin; URI.parse("https://example.com/dir/" + "a" * '$t'0000 + "/##.jpg"); rescue URI::InvalidURIError; end'; done

real 0m0.059s
user 0m0.058s
sys 0m0.000s

real 0m0.058s
user 0m0.058s
sys 0m0.000s

real 0m0.065s
user 0m0.065s
sys 0m0.000s
```

Test for CVE-2023-28756:

Before, time is exponential:

```console
$ for t in 5 10 20; do time ruby -rtime -e 'begin; Time.rfc2822("0 Feb 00 00 :00" + " " * '$t'000); rescue ArgumentError; end'; done

real 0m1.147s
user 0m1.147s
sys 0m0.000s

real 0m4.510s
user 0m4.500s
sys 0m0.010s

real 0m17.502s
user 0m17.492s
sys 0m0.010s
```

After, it no longer gets slower as the number grows:

```console
$ for t in 5 10 20; do time ruby -rtime -e 'begin; Time.rfc2822("0 Feb 00 00 :00" + " " * '$t'000); rescue ArgumentError; end'; done

real 0m0.050s
user 0m0.050s
sys 0m0.000s

real 0m0.049s
user 0m0.049s
sys 0m0.000s

real 0m0.051s
user 0m0.051s
sys 0m0.000s
```
ruby-2.7.8-33.6.mga8 libruby2.7-2.7.8-33.6.mga8 ruby-rdoc-6.2.1.1-33.6.mga8 ruby-devel-2.7.8-33.6.mga8 ruby-bundler-2.2.24-33.6.mga8 ruby-RubyGems-3.1.2-33.6.mga8 ruby-openssl-2.1.4-33.6.mga8 ruby-test-unit-3.3.4-33.6.mga8 ruby-rake-13.0.1-33.6.mga8 ruby-irb-2.7.8-33.6.mga8 ruby-psych-3.1.0-33.6.mga8 ruby-bigdecimal-2.0.0-33.6.mga8 ruby-json-2.3.0-33.6.mga8 ruby-xmlrpc-0.3.0-33.6.mga8 ruby-net-telnet-0.2.0-33.6.mga8 ruby-io-console-0.5.6-33.6.mga8 ruby-power_assert-1.1.7-33.6.mga8 ruby-did_you_mean-1.4.0-33.6.mga8 ruby-doc-2.7.8-33.6.mga8

from ruby-2.7.8-33.6.mga8.src.rpm

Fedora has issued an advisory for this on April 15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/

Severity: normal => major

Ubuntu has issued an advisory for this on May 4:
https://ubuntu.com/security/notices/USN-6055-1

(In reply to David Walser from comment #5)
> Ubuntu has issued an advisory for this on May 4:
> https://ubuntu.com/security/notices/USN-6055-1

and a regression fix on May 5:
https://ubuntu.com/security/notices/USN-6055-2

Ubuntu has issued an advisory for this on May 18:
https://ubuntu.com/security/notices/USN-6087-1

Debian-LTS has issued an advisory for this on June 6:
https://www.debian.org/lts/security/2023/dla-3447

Ubuntu has issued an advisory for this today (June 21):
https://ubuntu.com/security/notices/USN-6181-1

Also note there's CVE-2023-36617, due to an incomplete fix for CVE-2023-28755:
https://ubuntu.com/security/notices/USN-6219-1
https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/

Mageia 8, x86_64
Missed this one somehow.
Before the update:

CVE-2023-28755

```console
$ for t in 5 10 20; do time ruby -ruri -e 'begin; URI.parse("https://example.com/dir/" + "a" * '$t'0000 + "/##.jpg"); rescue URI::InvalidURIError; end'; done

real 0m1.677s
user 0m1.659s
sys 0m0.015s

real 0m7.592s
user 0m7.580s
sys 0m0.012s

real 0m31.993s
user 0m31.980s
sys 0m0.012s
```

CVE-2023-28756

```console
$ for t in 5 10 20; do time ruby -rtime -e 'begin; Time.rfc2822("0 Feb 00 00 :00" + " " * '$t'000); rescue ArgumentError; end'; done

real 0m1.265s
user 0m1.251s
sys 0m0.012s

real 0m4.795s
user 0m4.786s
sys 0m0.008s

real 0m18.995s
user 0m18.985s
sys 0m0.009s
```

After the update:

CVE-2023-28755:

```console
$ for t in 5 10 20; do time ruby -ruri -e 'begin; URI.parse("https://example.com/dir/" + "a" * '$t'0000 + "/##.jpg"); rescue URI::InvalidURIError; end'; done

real 0m0.085s
user 0m0.074s
sys 0m0.011s

real 0m0.082s
user 0m0.068s
sys 0m0.014s

real 0m0.061s
user 0m0.051s
sys 0m0.010s
```

CVE-2023-28756:

```console
$ for t in 5 10 20; do time ruby -rtime -e 'begin; Time.rfc2822("0 Feb 00 00 :00" + " " * '$t'000); rescue ArgumentError; end'; done

real 0m0.079s
user 0m0.065s
sys 0m0.014s

real 0m0.045s
user 0m0.029s
sys 0m0.016s

real 0m0.084s
user 0m0.070s
sys 0m0.014s
```
Those issues are fixed for Mageia 8.

CC: (none) => tarazed25

Referring to comment 11; Final ruby installation contains:

lib64ruby2.7-2.7.8-33.6.mga8 ruby-json-2.3.0-33.6.mga8 ruby-xmlrpc-0.3.0-33.6.mga8 ruby-io-console-0.5.6-33.6.mga8 ruby-test-unit-3.3.4-33.6.mga8 ruby-devel-2.7.8-33.6.mga8 ruby-openssl-2.1.4-33.6.mga8 ruby-power_assert-1.1.7-33.6.mga8 ruby-tk-0.2.0-6.mga8 ruby-bigdecimal-2.0.0-33.6.mga8 ruby-bundler-2.2.24-33.6.mga8 ruby-did_you_mean-1.4.0-33.6.mga8 ruby-irb-2.7.8-33.6.mga8 ruby-rdoc-6.2.1.1-33.6.mga8 ruby-doc-2.7.8-33.6.mga8 ruby-psych-3.1.0-33.6.mga8 ruby-2.7.8-33.6.mga8 ruby-RubyGems-3.1.2-33.6.mga8 ruby-net-telnet-0.2.0-33.6.mga8 ruby-rake-13.0.1-33.6.mga8

Mageia 8 EOL

Resolution: (none) => OLD