Bug 11734 - ruby new security issue CVE-2013-4164
Summary: ruby new security issue CVE-2013-4164
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/575040/
Whiteboard: advisory MGA3-64-OK MGA3-32-OK
Keywords: validated_update
Depends on:
Blocks:
Reported: 2013-11-22 14:39 CET by David Walser
Modified: 2014-01-06 02:35 CET (History)
4 users

See Also:
Source RPM: ruby-1.9.3.p448-1.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-11-22 14:39:49 CET
Upstream has issued an advisory today (November 22):
https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/

The issue is fixed upstream for 2.0.x and 1.9.x, which we can update for Cauldron and Mageia 3:
https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released/
https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/

Ruby 1.8.x (Mageia 2) is also affected, but there is no fix available at this time, and due to the EOL, we will not be able to provide a fix for Mageia 2.

Reproducible: 

Steps to Reproduce:
David Walser 2013-11-22 14:39:58 CET

Whiteboard: (none) => MGA3TOO

David Walser 2013-11-22 16:40:49 CET

Blocks: (none) => 11726

Comment 1 Funda Wang 2013-11-24 16:51:48 CET
I've already pushed the updated package into cauldron. Leave this package for mga3 only.

Version: Cauldron => 3
Blocks: 11726 => (none)
Source RPM: ruby-2.0.0.p247-6.mga4.src.rpm => ruby
Whiteboard: MGA3TOO => (none)

Comment 2 David Walser 2013-11-24 16:55:44 CET
OK, fixed with a patch in ruby-2.0.0.p247-7.mga4 in Cauldron.

Source RPM: ruby => ruby-1.9.3.p448-1.mga3.src.rpm

Comment 3 David Walser 2013-11-26 19:50:50 CET
Red Hat has issued an advisory for this on November 25:
https://rhn.redhat.com/errata/RHSA-2013-1764.html

URL: (none) => http://lwn.net/Vulnerabilities/575040/

Comment 4 David Walser 2013-12-26 18:09:45 CET
Apparently Funda built the update for this for Mageia 3 and I never noticed.

Advisory:
========================

Updated ruby packages fix security vulnerability:

Charlie Somerville discovered that Ruby incorrectly handled floating point
number conversion. An attacker could possibly use this issue with an
application that converts text to floating point numbers to cause the
application to crash, resulting in a denial of service, or possibly execute
arbitrary code (CVE-2013-4164).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4164
https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/
https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/
http://www.ubuntu.com/usn/usn-2035-1
========================

Updated packages in core/updates_testing:
========================
ruby-1.9.3.p484-1.mga3
libruby1.9-1.9.3.p484-1.mga3
ruby-doc-1.9.3.p484-1.mga3
ruby-devel-1.9.3.p484-1.mga3
ruby-tk-1.9.3.p484-1.mga3
ruby-irb-1.9.3.p484-1.mga3

from ruby-1.9.3.p484-1.mga3.src.rpm

CC: (none) => fundawang
Assignee: fundawang => qa-bugs
Severity: normal => critical
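
As an added QA-side check (example code written for this page, not part of the Mageia bug, the advisory, or the ruby package), the following script compares the running interpreter against the patchlevels the upstream announcements above name as fixed (1.9.3-p484 and 2.0.0-p353) and smoke-tests Float() on ordinary input after the update. The function and constant names are the example's own.

```ruby
# Added example for this bug report: not the Mageia QA script referenced in the
# thread. It checks the interpreter's reported patchlevel against the fixed
# upstream releases and exercises Float() on benign, constructed input.

# Fixed upstream releases named in the ruby-lang.org announcements.
FIXED_PATCHLEVEL = {
  "1.9.3" => 484,   # ruby 1.9.3-p484
  "2.0.0" => 353,   # ruby 2.0.0-p353
}.freeze

# Returns :fixed, :vulnerable, or :unknown. :unknown covers series this table
# does not describe (e.g. 1.8.x, for which the bug notes no upstream fix).
def cve_2013_4164_status(version = RUBY_VERSION, patchlevel = RUBY_PATCHLEVEL)
  fixed = FIXED_PATCHLEVEL[version]
  return :unknown if fixed.nil?
  patchlevel.to_i >= fixed ? :fixed : :vulnerable
end

# Post-update regression smoke test: ordinary decimal strings must still
# convert to the expected values and a malformed one must still raise.
def float_parsing_sane?
  samples = {              # constructed, benign inputs
    "1.5"     => 1.5,
    "-2.25e3" => -2250.0,
    "0.1"     => 0.1,
    "1e-7"    => 1.0e-07,
  }
  samples.each { |s, expected| return false unless Float(s) == expected }
  begin
    Float("1.2.3")         # must be rejected as malformed
    return false
  rescue ArgumentError
    # expected path
  end
  true
end

if __FILE__ == $0
  puts "ruby #{RUBY_VERSION}p#{RUBY_PATCHLEVEL}: CVE-2013-4164 #{cve_2013_4164_status}"
  puts "Float() smoke test: #{float_parsing_sane? ? 'ok' : 'FAILED'}"
end
```

The patchlevel comparison is only meaningful for packages built from the upstream fixed releases, as the Mageia 3 update (1.9.3.p484) is; the Cauldron fix in ruby-2.0.0.p247-7.mga4 backports a patch onto p247, so there the rpm changelog, not RUBY_PATCHLEVEL, is the record of whether the fix is present.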

Dave Hodgins 2014-01-02 17:38:49 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 5 Dave Hodgins 2014-01-05 21:01:54 CET
Just testing that ruby is working.

Testing complete on Mageia 3 i586 and x86_64 using the script from
https://bugs.mageia.org/show_bug.cgi?id=10637#c7

Someone from the sysadmin team please push 11734.adv to updates.

Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2014-01-06 02:35:37 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0003.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

