Bug 4031

Summary: Ruby needs to be updated to 1.8.7-p357 for CVE-2011-4815, CVE-2011-2705 and CVE-2011-2686
Product: Mageia
Reporter: Pascal Terjan <pterjan>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: davidwhodgins, luigiwalser, pterjan, shikamaru, sysadmin-bugs, tmb
Version: 1
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: ruby
CVE:
Status comment:

Description Pascal Terjan 2012-01-05 14:28:40 CET
CVE-2011-2686
Ruby before 1.8.7-p352 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900. NOTE: this issue exists because of a regression during Ruby 1.8.6 development.

CVE-2011-2705
The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before 1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process with the same PID.

CVE-2011-4815
Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
Pascal Terjan 2012-01-05 14:48:07 CET

Assignee: bugsquad => pterjan

Comment 1 Manuel Hiebel 2012-01-16 17:06:53 CET
No news?

see also bug 4000

CC: (none) => shikamaru
Source RPM: (none) => ruby

Comment 2 Manuel Hiebel 2012-02-01 11:45:24 CET
Ping?
Comment 3 Pascal Terjan 2012-02-13 00:32:12 CET
ruby-1.8.7.p357-1.mga1 has been submitted to updates_testing; it contains fixes for those three CVEs and for CVE-2011-0188 (from bug #4000).

CVE-2011-0188
The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an integer truncation issue.
Comment 4 Pascal Terjan 2012-02-13 00:32:38 CET
*** Bug 4000 has been marked as a duplicate of this bug. ***

CC: (none) => luigiwalser

Comment 5 David Walser 2012-02-13 00:57:41 CET
Assigning to QA.

Advisory:
========================

Updated ruby packages fix security vulnerabilities:

CVE-2011-0188
The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby does
not properly allocate memory, which allows context-dependent attackers to
execute arbitrary code or cause a denial of service (application crash) via
vectors involving creation of a large BigDecimal value within a 64-bit process,
related to an integer truncation issue.

CVE-2011-2686
Ruby before 1.8.7-p352 does not reset the random seed upon forking, which makes
it easier for context-dependent attackers to predict the values of random
numbers by leveraging knowledge of the number sequence obtained in a different
child process, a related issue to CVE-2003-0900. NOTE: this issue exists
because of a regression during Ruby 1.8.6 development.

CVE-2011-2705
The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before
1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization,
which makes it easier for context-dependent attackers to predict the result
string by leveraging knowledge of random strings obtained in an earlier process
with the same PID.

CVE-2011-4815
Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the
ability to trigger hash collisions predictably, which allows context-dependent
attackers to cause a denial of service (CPU consumption) via crafted input to
an application that maintains a hash table.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2686
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2705
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4815
========================

Updated packages in core/updates_testing:
========================
ruby-1.8.7.p357-1.mga1
ruby-doc-1.8.7.p357-1.mga1
ruby-devel-1.8.7.p357-1.mga1
ruby-tk-1.8.7.p357-1.mga1

from ruby-1.8.7.p357-1.mga1.src.rpm

CC: (none) => pterjan
Assignee: pterjan => qa-bugs
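
Comment 6 notes that no PoC was available, so the update was only smoke-tested through booh. The following regression check for CVE-2011-2686, as described in the bug description and in the advisory above, is an added example: it is not part of this bug report, the Mageia package, or Ruby's own test suite, and the helper names (draw_sequence, child_sequences, reseeds_on_fork?) are assumptions chosen here. It forks several children, has each report the first few values of Kernel#rand back over a pipe, and then compares them with each other and with the parent's next draws. An interpreter that fails to reseed on fork (Ruby before 1.8.7-p352) hands every child the parent's PRNG state, so all the sequences coincide; a fixed interpreter yields distinct sequences.

```ruby
# Added regression check for CVE-2011-2686 (Ruby not reseeding the PRNG on
# fork). Helper names are hypothetical, not from the Ruby or Mageia sources.
#
# Vulnerable behaviour: after fork, every child continues the parent's
# Kernel#rand sequence, so siblings (and the parent's own next draws) are
# identical. Fixed behaviour: the child is reseeded and its sequence differs.

# Draw +count+ values from Kernel#rand in the current process.
def draw_sequence(count)
  Array.new(count) { rand(2**31) }
end

# Fork +children+ processes; each draws a sequence and reports it back
# through a pipe. Returns an array of per-child integer sequences.
def child_sequences(children, count)
  children.times.map do
    reader, writer = IO.pipe
    pid = fork do
      reader.close
      writer.write(draw_sequence(count).join(","))
      writer.close
      exit!(0) # skip at_exit handlers in the child
    end
    writer.close
    data = reader.read # blocks until the child closes its end
    reader.close
    Process.wait(pid)
    data.split(",").map(&:to_i)
  end
end

# true  -> the interpreter reseeds on fork (no child repeats another child,
#          and no child repeats what the parent draws next)
# false -> CVE-2011-2686 behaviour: the sequences coincide
# nil   -> fork is not available on this platform, nothing was checked
def reseeds_on_fork?(children = 3, count = 5)
  srand # seed the parent's generator before forking
  seqs = child_sequences(children, count)
  parent_seq = draw_sequence(count)
  all = seqs + [parent_seq]
  all.uniq.size == all.size
rescue NotImplementedError
  nil
end

if __FILE__ == $0
  case reseeds_on_fork?
  when true  then puts "OK: Kernel#rand is reseeded after fork"
  when false then puts "VULNERABLE: forked children share the parent's random sequence"
  else            puts "SKIPPED: fork not supported here"
  end
end
```

Note that this only covers Kernel#rand. CVE-2011-2705 concerns SecureRandom.random_bytes seeding from the PID and cannot be observed from a single process in this way, and CVE-2011-4815 is a property of the String hash function across interpreter runs; those need their own checks.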

Comment 6 Dave Hodgins 2012-02-13 04:21:17 CET
Testing complete on i586 for the srpm
ruby-1.8.7.p357-1.mga1.src.rpm

No PoC, so just testing that the program booh, which uses ruby, works.

CC: (none) => davidwhodgins

Comment 7 claire robinson 2012-02-13 13:58:45 CET
Tested Ok with booh x86_64

Validating.

Could sysadmin please push from core/updates_testing to core/updates

See comment 5 for advisory and srpm.

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2012-02-14 12:40:42 CET
update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED