Bug 10637 - ruby new security issue CVE-2013-4073
Summary: ruby new security issue CVE-2013-4073
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/556771/
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-06-27 19:39 CEST by David Walser
Modified: 2013-07-26 13:30 CEST

See Also:
Source RPM: ruby-1.9.3.p429-1.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-06-27 19:39:24 CEST
Upstream has issued an advisory today (June 27):
http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/

The issue is fixed in 1.8.7.p374 and 1.9.3.p448.

Mageia 2 and Mageia 3 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2013-06-27 19:39:34 CEST

Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 David Walser 2013-06-28 13:57:38 CEST
1.9.3.p448 is in Mageia 3 updates_testing.

Unfortunately the build system won't let that one be pushed to Cauldron.  Cauldron SVN has 2.0.0.p247, which is only built in updates_testing there and apparently isn't ready to go into release yet.

Mageia 2 still needs to be fixed too.

Currently built:
ruby-1.9.3.p448-1.mga3
libruby1.9-1.9.3.p448-1.mga3
ruby-doc-1.9.3.p448-1.mga3
ruby-devel-1.9.3.p448-1.mga3
ruby-tk-1.9.3.p448-1.mga3
ruby-irb-1.9.3.p448-1.mga3

from ruby-1.9.3.p448-1.mga3.src.rpm
Comment 2 David Walser 2013-06-28 15:12:40 CEST
Funda also rebuilt a couple of packages because of the ruby update:
ruby-linecache19-0.5.13-5.1.mga3
ruby-linecache19-doc-0.5.13-5.1.mga3
ruby-ruby-debug-base19-0.11.26-5.1.mga3
ruby-ruby-debug-base19-doc-0.11.26-5.1.mga3

from SRPMS:
ruby-linecache19-0.5.13-5.1.mga3.src.rpm
ruby-ruby-debug-base19-0.11.26-5.1.mga3.src.rpm
David Walser 2013-06-28 18:45:07 CEST

URL: (none) => http://lwn.net/Vulnerabilities/556771/

Comment 3 David Walser 2013-07-03 12:19:19 CEST
Fixed in Cauldron in ruby-1.9.3.p448-1.mga4.

Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 4 David Walser 2013-07-11 17:40:57 CEST
Ubuntu has issued an advisory for this on July 9:
http://www.ubuntu.com/usn/usn-1902-1/

We still need an update candidate for Mageia 2 to be built.
Comment 5 David Walser 2013-07-19 15:25:05 CEST
Patched package uploaded for Mageia 2.

Advisory:
========================

Updated ruby packages fix security vulnerability:

A vulnerability in Ruby's SSL client that could allow man-in-the-middle
attackers to spoof SSL servers via a valid certificate issued by a trusted
certification authority (CVE-2013-4073).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4073
http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/
http://www.ubuntu.com/usn/usn-1902-1/
========================

Updated packages in core/updates_testing:
========================
ruby-1.8.7.p358-1.3.mga2
ruby-doc-1.8.7.p358-1.3.mga2
ruby-devel-1.8.7.p358-1.3.mga2
ruby-tk-1.8.7.p358-1.3.mga2
ruby-1.9.3.p448-1.mga3
libruby1.9-1.9.3.p448-1.mga3
ruby-doc-1.9.3.p448-1.mga3
ruby-devel-1.9.3.p448-1.mga3
ruby-tk-1.9.3.p448-1.mga3
ruby-irb-1.9.3.p448-1.mga3
ruby-linecache19-0.5.13-5.1.mga3
ruby-linecache19-doc-0.5.13-5.1.mga3
ruby-ruby-debug-base19-0.11.26-5.1.mga3
ruby-ruby-debug-base19-doc-0.11.26-5.1.mga3

from SRPMS:
ruby-1.8.7.p358-1.3.mga2.src.rpm
ruby-1.9.3.p448-1.mga3.src.rpm
ruby-linecache19-0.5.13-5.1.mga3.src.rpm
ruby-ruby-debug-base19-0.11.26-5.1.mga3.src.rpm

CC: (none) => fundawang
Assignee: fundawang => qa-bugs
Severity: normal => major

Comment 6 David Walser 2013-07-19 22:13:10 CEST
Note to QA: the patches to fix this also include patches to the build-time test suite to verify the fix.  They are run at build time and did pass.  For the Mageia 2 package, verifying that it installs cleanly should be sufficient.  For Mageia 3, since we updated rather than patching, a little more testing to make sure ruby stuff is still operating normally would be good.
Comment 7 claire robinson 2013-07-22 09:11:58 CEST
No PoC. Just testing the updates.

Testing complete mga3 64

Tested with a little ruby script..
-------------
#!/usr/bin/ruby
class Total
        def initialize(initial_amount)
                @total=initial_amount
        end

        def increaseBy(increase)
                @total += increase
        end

        def multiplyBy(increase)
                @total *= increase
        end

        def setTo(amount)
                @total = amount
        end

        def getTotal() return @total; end
        def hasTotal() return @total!=nil; end
end

total = Total.new(0)
for ss in 1..4
        total.increaseBy(ss)    
        puts total.getTotal if total.hasTotal
end
print "Final total: ", total.getTotal, "\n" if total.hasTotal
-------------

It gives an output like this..
$ ruby rubytest.rb 
1
3
6
10
Final total: 10

Also ruby-tk and ruby-irb from here: http://chmeee.dyndns.org/learntk/HelloWorld

$ irb
irb(main):001:0> require 'tk'
=> true
irb(main):002:0> root = TkRoot.new() { title "Hello, world!" }
=> #<Tk::Root:0x000000016df910 @path=".">
irb(main):003:0> Tk.mainloop()
=> nil
irb(main):004:0> quit()

Opens a window titled 'Hello, World!'.

Some docs on ruby-linecache19 here:
http://rubydoc.info/gems/linecache19/0.5.12/frames

$ irb
irb(main):001:0> require 'linecache19'
=> true
irb(main):002:0> lines = LineCache::getlines('~/testcases/ruby/rubytest.rb')
=> ["#!/usr/bin/ruby\n", "class Total\n", "\tdef initialize(initial_amount)\n", "\t\t@total=initial_amount\n", "\tend\n", "\n", "\tdef increaseBy(increase)\n", "\t\t@total += increase\n", "\tend\n", "\n", "\tdef multiplyBy(increase)\n", "\t\t@total *= increase\n", "\tend\n", "\n", "\tdef setTo(amount)\n", "\t\t@total = amount\n", "\tend\n", "\n", "\tdef getTotal() return @total; end\n", "\tdef hasTotal() return @total!=nil; end\n", "end\n", "\n", "total = Total.new(0)\n", "for ss in 1..4\n", "\ttotal.increaseBy(ss)\t\n", "\tputs total.getTotal if total.hasTotal\n", "end\n", "print \"Final total: \", total.getTotal, \"\\n\" if total.hasTotal\n"]
irb(main):003:0> LineCache::clear_file_cache
=> {}
irb(main):004:0> quit


Some info on ruby-debug-base19 here:
http://rubydoc.info/gems/ruby-debug-base19/0.11.25/frames

redebug is provided in ruby-ruby-debug19

# urpmi ruby-ruby-debug19
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release")
  ruby-columnize                 0.3.6        6.mga3        noarch  
  ruby-ruby-debug19              0.11.6       5.mga3        noarch  
158KB of additional disk space will be used.
48KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y

$ rdebug rubytest.rb
/home/claire/testcases/ruby/rubytest.rb:2
class Total
(rdb:1) help
ruby-debug help v0.11
Type 'help <command-name>' for help on a specific command

Available commands:
backtrace  delete   enable  help  list    ps       save    thread     where
break      disable  eval    info  method  putl     set     trace    
catch      display  exit    irb   next    quit     show    undisplay
condition  down     finish  jump  p       reload   source  up       
continue   edit     frame   kill  pp      restart  step    var      

(rdb:1) continue
1
3
6
10
Final total: 10

Whiteboard: MGA2TOO => MGA2TOO has_procedure mga3-64-ok
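The QA run above exercises the interpreter, Tk, linecache and the debugger, but not the component CVE-2013-4073 actually concerns: the client-side hostname check in Ruby's OpenSSL binding. The script below is an added example (not part of this bug or of the Mageia packages) that drives that same check, `OpenSSL::SSL.verify_certificate_identity`, against a throwaway self-signed certificate built in memory; the hostnames and SAN entries are constructed sample values. It does not reproduce the bypass itself (that is covered by the upstream build-time tests mentioned in comment 6); it shows what the check is supposed to accept and reject, so a tester can confirm the routine still behaves sanely after the update.

```ruby
#!/usr/bin/ruby
require 'openssl'

# Build a throwaway self-signed certificate (constructed sample, not any real
# server's certificate) with a CN and a subjectAltName carrying DNS entries.
def make_test_cert(cn, sans)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  san_value = sans.map { |s| "DNS:#{s}" }.join(",")
  cert.add_extension(ef.create_extension("subjectAltName", san_value, false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Ask Ruby's own client hostname check (the routine the CVE is about) whether
# the certificate is valid for each hostname. Returns {hostname => true/false}.
def identity_results(cert, hostnames)
  hostnames.each_with_object({}) do |host, acc|
    acc[host] = OpenSSL::SSL.verify_certificate_identity(cert, host)
  end
end

# Constructed sample: exact SAN entry plus a wildcard entry for another domain.
TEST_CERT = make_test_cert("www.example.com", ["www.example.com", "*.example.net"])
TEST_HOSTS = %w[www.example.com api.example.net example.net evil.example.org]

if __FILE__ == $0
  identity_results(TEST_CERT, TEST_HOSTS).each do |host, ok|
    puts "#{host.ljust(20)} #{ok ? 'accepted' : 'rejected'}"
  end
end
```

Only the exact SAN name and a single-label wildcard match should be accepted; the bare parent domain and an unrelated host must be rejected.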

Comment 8 claire robinson 2013-07-22 09:38:16 CEST
Testing complete mga2 32

Tested using the same scripts for basic ruby and ruby-tk and pasted one into irb.
claire robinson 2013-07-22 09:38:28 CEST

Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga3-64-ok

Comment 9 claire robinson 2013-07-22 09:59:43 CEST
Testing complete mga2 64

Whiteboard: MGA2TOO has_procedure mga2-32-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok

Comment 10 claire robinson 2013-07-22 10:30:32 CEST
Testing complete mga3 32

Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok

Comment 11 claire robinson 2013-07-22 10:41:55 CEST
Validating. Advisory in comment 5 uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks!
claire robinson 2013-07-22 10:42:04 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 Thomas Backlund 2013-07-26 13:30:28 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0229.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

