Bug 7769

Summary: ruby new security issues CVE-2012-4466 and CVE-2012-4481
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: ed_rus099, oe, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/519492/
Whiteboard: MGA1TOO has_procedure mga2-64-OK mga2-32-OK mga1-32-OK mga1-64-OK
Source RPM: ruby-1.8.7.p358-1.mga2.src.rpm CVE:
Status comment:

Description David Walser 2012-10-11 15:24:44 CEST 
Ubuntu has issued an advisory on October 10:
http://www.ubuntu.com/usn/usn-1603-1/

Patched packages uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated ruby packages fix security vulnerabilities:

Shugo Maedo and Vit Ondruch discovered that Ruby incorrectly allowed
untainted strings to be modified in protective safe levels. An attacker
could use this flaw to bypass intended access restrictions (CVE-2012-4466,
CVE-2012-4481).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4481
http://www.ubuntu.com/usn/usn-1603-1/
========================

Updated packages in core/updates_testing:
========================
ruby-1.8.7.p357-1.1.mga1
ruby-doc-1.8.7.p357-1.1.mga1
ruby-devel-1.8.7.p357-1.1.mga1
ruby-tk-1.8.7.p357-1.1.mga1
ruby-1.8.7.p358-1.1.mga2
ruby-doc-1.8.7.p358-1.1.mga2
ruby-devel-1.8.7.p358-1.1.mga2
ruby-tk-1.8.7.p358-1.1.mga2

from SRPMS:
ruby-1.8.7.p357-1.1.mga1.src.rpm
ruby-1.8.7.p358-1.1.mga2.src.rpm
David Walser 2012-10-11 15:24:52 CEST

Whiteboard: (none) => MGA1TOO

Comment 1 claire robinson 2012-10-11 16:13:08 CEST 
No PoC's that I can find so just checking with some simple scripts which test ruby-tk and ruby

http://chmeee.dyndns.org/learntk/HelloWorld

require 'tk'
root = TkRoot.new() { title "Hello, world!" }
Tk.mainloop()

The Hello World script in irb

$ irb
irb(main):001:0> require 'tk'
=> true
irb(main):002:0> root = TkRoot.new() { title "Hello, world!" }
=> #<Tk::Root:0x7f564f0ce188 @path=".">
irb(main):003:0> Tk.mainloop()
=> true

This opens a little window.

Also a simple script..

#!/usr/bin/ruby
class Total
	def initialize(initial_amount)
		@total=initial_amount
	end

	def increaseBy(increase)
		@total += increase
	end

	def multiplyBy(increase)
		@total *= increase
	end

	def setTo(amount)
		@total = amount
	end

	def getTotal() return @total; end
	def hasTotal() return @total!=nil; end
end

total = Total.new(0)
for ss in 1..4
	total.increaseBy(ss)	
	puts total.getTotal if total.hasTotal
end
print "Final total: ", total.getTotal, "\n" if total.hasTotal

Which outputs..

$ ruby rubytest.rb
1
3
6
10
Final total: 10


Testing complete Mageia 2 x86_64

Whiteboard: MGA1TOO => MGA1TOO mga2-64-OK

claire robinson 2012-10-11 18:19:47 CEST

Whiteboard: MGA1TOO mga2-64-OK => MGA1TOO has_procedure mga2-64-OK

Comment 2 Eduard Beliaev 2012-10-11 18:25:33 CEST 
Testing complete on Mageia 2 i586 with the procedure that Claire used.
Eduard Beliaev 2012-10-11 18:25:46 CEST

CC: (none) => ed_rus099
Whiteboard: MGA1TOO has_procedure mga2-64-OK => MGA1TOO has_procedure mga2-64-OK mga2-32-OK

David Walser 2012-10-11 23:56:15 CEST

URL: (none) => http://lwn.net/Vulnerabilities/519492/

Comment 3 claire robinson 2012-10-13 16:33:44 CEST 
Testing complete mga1 32

Whiteboard: MGA1TOO has_procedure mga2-64-OK mga2-32-OK => MGA1TOO has_procedure mga2-64-OK mga2-32-OK mga1-32-OK

Comment 4 claire robinson 2012-10-13 19:10:27 CEST 
Testing complete mga1 64

Validating

Advisory and srpms in comment 0

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure mga2-64-OK mga2-32-OK mga1-32-OK => MGA1TOO has_procedure mga2-64-OK mga2-32-OK mga1-32-OK mga1-64-OK

Comment 5 Thomas Backlund 2012-10-14 21:21:40 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0294

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 6 David Walser 2013-07-26 17:37:05 CEST 
*** Bug 10845 has been marked as a duplicate of this bug. ***

CC: (none) => oe