Bug 11276 - ruby-RubyGems new security issue CVE-2013-4287
: ruby-RubyGems new security issue CVE-2013-4287
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/567934/
: has_procedure mga3-64-ok mga3-32-ok
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-09-23 19:40 CEST by David Walser
Modified: 2013-10-10 00:51 CEST (History)
4 users (show)

See Also:
Source RPM: ruby-RubyGems-1.8.24-9.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-09-23 19:40:52 CEST
Fedora has issued an advisory on September 11:
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115920.html

The issue is fixed upstream in 2.0.8, which Fedora updated to.

For Fedora 18 (with version 1.8.x), they fixed it with this patch:
http://pkgs.fedoraproject.org/cgit/rubygems.git/plain/rubygems-1.8.25-CVE-2013-4287.patch?h=f18&id=45c917db568cb88d3d37fe858aca0024bf10461f

That should apply to our package in Mageia 3.  It was also fixed upstream in 1.8.26.  Here is the RedHat bug for this:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4287

I don't believe Mageia 2 is affected.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-09-24 04:39:57 CEST
Updated packages uploaded for Mageia 3 and Cauldron by Funda.  Thanks Funda!

Advisory:
========================

Updated ruby-RubyGems package fixes security vulnerability:

RubyGems validates versions with a regular expression that is vulnerable to
denial of service due to a backtracking regular expression.  For specially
crafted RubyGems versions attackers can cause denial of service through CPU
consumption (CVE-2013-4287).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4287
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115886.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4287
========================

Updated packages in core/updates_testing:
========================
ruby-RubyGems-1.8.26-1.mga3

from ruby-RubyGems-1.8.26-1.mga3.src.rpm
Comment 2 claire robinson 2013-09-24 17:45:17 CEST
This is to do with 'gem build' mainly. There is some testing info for that here
http://guides.rubygems.org/make-your-own-gem/
Comment 3 claire robinson 2013-09-24 17:47:56 CEST
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1002364#c14

They seem to be expecting an updated patch, can this be confirmed ready before we go further please.
Comment 4 David Walser 2013-09-24 18:06:37 CEST
Nice catch.  The gmane thread they linked indicates that CVE-2013-4363 has been allocated for the remaining issues, which will be fixed in 1.8.27 and 2.0.10.  There are also patches linked on the thread.

I'll assign back to Funda until the updated versions are available.
Comment 5 David Walser 2013-10-04 16:19:46 CEST
Fedora has issued an advisory for CVE-2013-4363 on September 26:
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/117998.html

from http://lwn.net/Vulnerabilities/569468/
Comment 6 David Walser 2013-10-04 18:59:49 CEST
Upstream versions 1.8.27 and 2.0.10 to fix this are now available:
https://bugzilla.redhat.com/show_bug.cgi?id=1009720#c1
Comment 7 David Walser 2013-10-06 15:58:11 CEST
*** Bug 11386 has been marked as a duplicate of this bug. ***
Comment 8 David Walser 2013-10-06 16:02:18 CEST
Assigning back to QA now that it's been updated again.

Advisory:
========================

Updated ruby-RubyGems package fixes security vulnerability:

RubyGems validates versions with a regular expression that is vulnerable to
denial of service due to a backtracking regular expression.  For specially
crafted RubyGems versions attackers can cause denial of service through CPU
consumption (CVE-2013-4287, CVE-2013-4363).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4287
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4363
http://blog.rubygems.org/2013/09/09/CVE-2013-4287.html
http://blog.rubygems.org/2013/09/24/CVE-2013-4363.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115886.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4287
========================

Updated packages in core/updates_testing:
========================
ruby-RubyGems-1.8.27-1.mga3

from ruby-RubyGems-1.8.27-1.mga3.src.rpm
Comment 9 claire robinson 2013-10-09 13:57:57 CEST
Testing complete mga3 64

$ git clone http://github.com/qrush/hola
Cloning into 'hola'...
remote: Counting objects: 29, done.
remote: Compressing objects: 100% (22/22), done.
remote: Total 29 (delta 5), reused 24 (delta 1)
Unpacking objects: 100% (29/29), done.
$ ls
hola/
$ cd hola
$ ls
bin/  hola.gemspec  lib/  Rakefile  test/

$ gem build hola.gemspec 
  Successfully built RubyGem
  Name: hola
  Version: 0.0.1
  File: hola-0.0.1.gem

$ ls
bin/  hola-0.0.1.gem  hola.gemspec  lib/  Rakefile  test/

$ gem install ./hola-0.0.1.gem 
Successfully installed hola-0.0.1
1 gem installed
Installing ri documentation for hola-0.0.1...
Installing RDoc documentation for hola-0.0.1...

$ irb
irb(main):001:0> require 'hola'
=> true
irb(main):002:0> quit()

 gem uninstall hola
Successfully uninstalled hola-0.0.1
Comment 10 claire robinson 2013-10-09 14:18:41 CEST
Testing complete mga3 32

Validating. Advisory uploaded.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!
Comment 11 Thomas Backlund 2013-10-10 00:51:11 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0297.html

Note You need to log in before you can comment on or make changes to this bug.