| Summary: | ruby-crack new security issue CVE-2013-1800 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Funda Wang <fundawang> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | qa-bugs, shikamaru |
| Version: | 2 | ||
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/593862/ | ||
| Whiteboard: | |||
| Source RPM: | ruby-crack-0.1.8-2.mga1.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2013-04-14 18:17:58 CEST
Patched package uploaded for Mageia 2.

Advisory:
========================

Updated ruby-crack packages fix security vulnerability:

The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion (CVE-2013-1800).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1800
https://github.com/rubysec/ruby-advisory-db/issues/25
========================

Updated packages in core/updates_testing:
========================
ruby-crack-0.1.8-2.1.mga2
ruby-crack-doc-0.1.8-2.1.mga2

from ruby-crack-0.1.8-2.1.mga2.src.rpm

Assignee: fundawang => qa-bugs

Testing mga2 64

Assigning back to you David, sorry. Unable to make this work again. Appears to be the same issue as other ruby packages in mga2.

Using example from file:///usr/lib/ruby/gems/1.8/doc/crack-0.1.8/rdoc/index.html and http://rubydoc.info/gems/crack/0.3.2/frames

```
$ irb
irb(main):001:0> require 'crack/json'
LoadError: no such file to load -- crack/json
        from (irb):1:in `require'
        from (irb):1
        from :0
irb(main):002:0> require 'crack'
LoadError: no such file to load -- crack
        from (irb):2:in `require'
        from (irb):2
        from :0
irb(main):003:0> require 'crack/xml'
LoadError: no such file to load -- crack/xml
        from (irb):3:in `require'
        from (irb):3
        from :0
irb(main):004:0> Crack::XML.parse("<tag>This is the contents</tag>")
NameError: uninitialized constant Crack
        from (irb):4
        from :0
irb(main):005:0> exit
```

Strace shows it is searching wrong paths for this one too.

```
$ strace -o strace.out irb
irb(main):001:0> require 'crack'
LoadError: no such file to load -- crack
        from (irb):1:in `require'
        from (irb):1
        from :0
irb(main):002:0> exit

$ grep crack strace.out
stat("/usr/lib/ruby/site_ruby/1.8/crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/site_ruby/1.8/crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/site_ruby/1.8/x86_64-linux/crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/site_ruby/1.8/x86_64-linux/crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/site_ruby/1.8/x86_64-linux-gnu/crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/site_ruby/1.8/x86_64-linux-gnu/crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/site_ruby/crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/site_ruby/crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/vendor_ruby/1.8/crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/vendor_ruby/1.8/crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/vendor_ruby/1.8/x86_64-linux/crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/vendor_ruby/1.8/x86_64-linux/crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/vendor_ruby/crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/vendor_ruby/crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/1.8/crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/1.8/crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/1.8/x86_64-linux/crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/1.8/x86_64-linux/crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/1.8/x86_64-linux-gnu/crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/1.8/x86_64-linux-gnu/crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
stat("./crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
stat("./crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory)
write(1, "no such file to load -- crack", 29) = 29
```

```
$ urpmf ruby-crack: --media Testing
ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8
ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib
ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib/crack
ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib/crack.rb
ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib/crack/core_extensions.rb
ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib/crack/json.rb
ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib/crack/xml.rb
ruby-crack:/usr/lib/ruby/gems/1.8/specifications/crack-0.1.8.gemspec
ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8
ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib
ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib/crack
ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib/crack.rb
ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib/crack/core_extensions.rb
ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib/crack/json.rb
ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib/crack/xml.rb
ruby-crack:/usr/lib/ruby/gems/1.8/specifications/crack-0.1.8.gemspec
```

CC: (none) => qa-bugs

Assigning to Funda then.

CC: (none) => shikamaru

Closing this now due to Mageia 2 EOL.
http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/

Status: NEW => RESOLVED

David Walser
2014-04-08 19:03:15 CEST

URL: (none) => http://lwn.net/Vulnerabilities/593862/
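
The unrestricted type casts named in the advisory above, shown beside a restricted form. This is an added Ruby example, not crack's code and not part of this bug report; the cast tables, helper names and sample XML are constructed for illustration, and refusing the `symbol` and `yaml` types is one assumed way to restrict the casts.

```ruby
require 'yaml'

# Constructed sample input: each element carries a client-chosen type attribute.
SAMPLE_XML = <<~XML
  <user>
    <name type="string">alice</name>
    <age type="integer">42</age>
    <role type="symbol">admin</role>
    <prefs type="yaml">theme: dark</prefs>
  </user>
XML

# Hypothetical cast table modelled on the pattern the advisory describes:
# the type attribute picks the conversion, including Symbol and YAML.
UNRESTRICTED_CASTS = {
  'string'  => ->(v) { v },
  'integer' => ->(v) { Integer(v, 10) },
  'symbol'  => ->(v) { v.to_sym },     # symbols were never GC'd on Ruby 1.8
  'yaml'    => ->(v) { YAML.load(v) }  # the document decides the resulting class
}.freeze

# Hardened table (assumption): scalar casts only, symbol and yaml are refused.
SAFE_CASTS = UNRESTRICTED_CASTS.reject { |t, _| %w[symbol yaml].include?(t) }.freeze

# Tiny regex scan, enough for the flat sample above (not a real XML parser).
def typed_fields(xml)
  xml.scan(%r{<(\w+) type="(\w+)">([^<]*)</\1>})
end

# Apply a cast table; unknown or refused types stay plain strings.
def cast_all(xml, casts)
  typed_fields(xml).to_h do |name, type, value|
    [name, casts.fetch(type, ->(v) { v }).call(value)]
  end
end

# Names of fields whose type attribute asks for a refused conversion,
# useful for logging or rejecting the request outright.
def refused_fields(xml)
  typed_fields(xml).reject { |_, type, _| SAFE_CASTS.key?(type) }.map(&:first)
end

if __FILE__ == $PROGRAM_NAME
  p cast_all(SAMPLE_XML, UNRESTRICTED_CASTS)
  p cast_all(SAMPLE_XML, SAFE_CASTS)
  p refused_fields(SAMPLE_XML)
end
```

With the restricted table, `role` and `prefs` come back as the literal strings the client sent, so the caller never receives a Symbol or a YAML-built object from untrusted input.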