Fedora has issued an advisory on September 11:
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115920.html

The issue is fixed upstream in 2.0.8, which Fedora updated to. For Fedora 18 (with version 1.8.x), they fixed it with this patch:
http://pkgs.fedoraproject.org/cgit/rubygems.git/plain/rubygems-1.8.25-CVE-2013-4287.patch?h=f18&id=45c917db568cb88d3d37fe858aca0024bf10461f

That should apply to our package in Mageia 3. It was also fixed upstream in 1.8.26.

Here is the Red Hat bug for this:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4287

I don't believe Mageia 2 is affected.
CC: (none) => pterjan
Whiteboard: (none) => MGA3TOO
Updated packages uploaded for Mageia 3 and Cauldron by Funda. Thanks Funda!

Advisory:
========================

Updated ruby-RubyGems package fixes security vulnerability:

RubyGems validates versions with a regular expression that is vulnerable to denial of service due to a backtracking regular expression. For specially crafted RubyGems versions attackers can cause denial of service through CPU consumption (CVE-2013-4287).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4287
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115886.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4287
========================

Updated packages in core/updates_testing:
========================
ruby-RubyGems-1.8.26-1.mga3

from ruby-RubyGems-1.8.26-1.mga3.src.rpm
CC: (none) => fundawang
Version: Cauldron => 3
Assignee: fundawang => qa-bugs
Whiteboard: MGA3TOO => (none)
This is to do with 'gem build' mainly. There is some testing info for that here:
http://guides.rubygems.org/make-your-own-gem/
Whiteboard: (none) => has_procedure
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1002364#c14

They seem to be expecting an updated patch. Can this be confirmed as ready before we go further, please?
Nice catch. The gmane thread they linked indicates that CVE-2013-4363 has been allocated for the remaining issues, which will be fixed in 1.8.27 and 2.0.10. There are also patches linked on the thread. I'll assign back to Funda until the updated versions are available.
CC: (none) => qa-bugs
Assignee: qa-bugs => fundawang
Fedora has issued an advisory for CVE-2013-4363 on September 26:
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/117998.html

from http://lwn.net/Vulnerabilities/569468/
Upstream versions 1.8.27 and 2.0.10 to fix this are now available:
https://bugzilla.redhat.com/show_bug.cgi?id=1009720#c1
*** Bug 11386 has been marked as a duplicate of this bug. ***
Assigning back to QA now that it's been updated again.

Advisory:
========================

Updated ruby-RubyGems package fixes security vulnerability:

RubyGems validates versions with a regular expression that is vulnerable to denial of service due to a backtracking regular expression. For specially crafted RubyGems versions attackers can cause denial of service through CPU consumption (CVE-2013-4287, CVE-2013-4363).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4287
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4363
http://blog.rubygems.org/2013/09/09/CVE-2013-4287.html
http://blog.rubygems.org/2013/09/24/CVE-2013-4363.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115886.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4287
========================

Updated packages in core/updates_testing:
========================
ruby-RubyGems-1.8.27-1.mga3

from ruby-RubyGems-1.8.27-1.mga3.src.rpm
CC: qa-bugs => (none)
Assignee: fundawang => qa-bugs
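The advisory above describes the defect only as a "backtracking regular expression" used to validate version strings. The following is an added illustration, not RubyGems' own code and not the patch referenced in this bug: it shows a constructed version-validation pattern with the nested-quantifier shape that causes exponential backtracking, beside two linear-time alternatives (a pattern with possessive quantifiers and a regex-free scanner), plus a small timing helper a packager can use as a regression check that a patched validator scales linearly. The version grammar (digits, then dot-separated alphanumeric segments) and the pattern shapes are assumptions made for the example, not taken from the RubyGems source.

```ruby
require 'benchmark'

# Constructed example, not RubyGems' own code. The version grammar assumed
# here is: a run of digits, then zero or more ".segment" parts where a
# segment is alphanumeric (e.g. "1.8.27", "2.0.10.rc1").
#
# NAIVE_VERSION wraps that grammar in a second `*`, a nested quantifier.
# On a non-matching input such as "1111111!" the engine retries every way
# of splitting the digit run between the inner `+` and the outer `*`, so
# the work grows roughly as 2^n in the number of digits. This is the shape
# of problem the advisory calls a "backtracking regular expression".
NAIVE_VERSION = /\A(?:[0-9]+(?:\.[0-9a-zA-Z]+)*)*\z/

# Hardened form: no nested repetition, and possessive quantifiers (`++`,
# `*+`) tell the engine never to give back characters once a segment has
# matched. Every character is consumed at most once, so matching is linear.
SAFE_VERSION = /\A[0-9]++(?:\.[0-9a-zA-Z]++)*+\z/

def safe_match?(str)
  SAFE_VERSION.match?(str)
end

# Regex-free alternative: an explicit scanner over the dot-separated
# segments. Easiest to reason about and independent of engine behaviour.
def valid_version?(str)
  return false if str.nil? || str.empty?
  segments = str.split('.', -1)          # -1 keeps trailing empty segments
  return false unless segments.first.match?(/\A[0-9]+\z/)
  segments.drop(1).all? { |s| s.match?(/\A[0-9a-zA-Z]+\z/) }
end

# Regression check for a validator: time the pattern on "n digits followed
# by a non-matching character" (constructed input) for increasing n and
# return the ratio between consecutive timings. A linear pattern stays
# near 1 as n grows; an exponentially backtracking one approaches 2.
def growth_ratios(pattern, sizes)
  times = sizes.map do |n|
    input = ('1' * n) + '!'
    Benchmark.realtime { pattern.match?(input) }
  end
  times.each_cons(2).map { |a, b| b / a }
end

if $PROGRAM_NAME == __FILE__
  %w[1.8.27 2.0.10.rc1 1. .1 1..2 1.8-27].each do |v|
    puts format('%-12s scanner=%-5s regex=%s', v, valid_version?(v), safe_match?(v))
  end
  # Sizes are kept small so the naive pattern finishes in milliseconds.
  puts "naive ratios: #{growth_ratios(NAIVE_VERSION, [12, 14, 16, 18]).map { |r| r.round(1) }}"
  puts "safe  ratios: #{growth_ratios(SAFE_VERSION, [1000, 2000, 4000, 8000]).map { |r| r.round(1) }}"
end
```

Note that the timing helper only reports growth; it does not assert on it, because absolute timings depend on the machine, and Ruby 3.2 and later add memoization to the regex engine that can make patterns like NAIVE_VERSION run in linear time. The RubyGems releases in this bug ran on the Ruby 1.9/2.0 engine of the day, where the exponential behaviour shows up directly.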
Testing complete mga3 64

$ git clone http://github.com/qrush/hola
Cloning into 'hola'...
remote: Counting objects: 29, done.
remote: Compressing objects: 100% (22/22), done.
remote: Total 29 (delta 5), reused 24 (delta 1)
Unpacking objects: 100% (29/29), done.
$ ls
hola/
$ cd hola
$ ls
bin/  hola.gemspec  lib/  Rakefile  test/
$ gem build hola.gemspec
  Successfully built RubyGem
  Name: hola
  Version: 0.0.1
  File: hola-0.0.1.gem
$ ls
bin/  hola-0.0.1.gem  hola.gemspec  lib/  Rakefile  test/
$ gem install ./hola-0.0.1.gem
Successfully installed hola-0.0.1
1 gem installed
Installing ri documentation for hola-0.0.1...
Installing RDoc documentation for hola-0.0.1...
$ irb
irb(main):001:0> require 'hola'
=> true
irb(main):002:0> quit()
$ gem uninstall hola
Successfully uninstalled hola-0.0.1
Whiteboard: has_procedure => has_procedure mga3-64-ok
Testing complete mga3 32

Validating. Advisory uploaded.

Could sysadmin please push from 3 core/updates_testing to updates. Thanks!
Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0297.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED