Bug 11734 - ruby new security issue CVE-2013-4164
: ruby new security issue CVE-2013-4164
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: critical
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/575040/
: advisory MGA3-64-OK MGA3-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-11-22 14:39 CET by David Walser
Modified: 2014-01-06 02:35 CET (History)
4 users (show)

See Also:
Source RPM: ruby-1.9.3.p448-1.mga3.src.rpm
CVE:


Attachments

Description David Walser 2013-11-22 14:39:49 CET
Upstream has issued an advisory today (November 22):
https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/

The issue is fixed upstream for 2.0.x and 1.9.x, which we can update for Cauldron and Mageia 3:
https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released/
https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/

Ruby 1.8.x (Mageia 2) is also affected, but there is no fix available at this time, and due to the EOL, we will not be able to provide a fix for Mageia 2.

Reproducible: 

Steps to Reproduce:
Comment 1 Funda Wang 2013-11-24 16:51:48 CET
I've already pushed the updated package into cauldron. Let this package for mga3 only.
Comment 2 David Walser 2013-11-24 16:55:44 CET
OK, fixed with a patch in ruby-2.0.0.p247-7.mga4 in Cauldron.
Comment 3 David Walser 2013-11-26 19:50:50 CET
RedHat has issued an advisory for this on November 25:
https://rhn.redhat.com/errata/RHSA-2013-1764.html
Comment 4 David Walser 2013-12-26 18:09:45 CET
Apparently Funda built the update for this for Mageia 3 and I never noticed.

Advisory:
========================

Updated ruby packages fix security vulnerability:

Charlie Somerville discovered that Ruby incorrectly handled floating point
number conversion. An attacker could possibly use this issue with an
application that converts text to floating point numbers to cause the
application to crash, resulting in a denial of service, or possibly execute
arbitrary code (CVE-2013-4164).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4164
https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/
https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/
http://www.ubuntu.com/usn/usn-2035-1
========================

Updated packages in core/updates_testing:
========================
ruby-1.9.3.p484-1.mga3
libruby1.9-1.9.3.p484-1.mga3
ruby-doc-1.9.3.p484-1.mga3
ruby-devel-1.9.3.p484-1.mga3
ruby-tk-1.9.3.p484-1.mga3
ruby-irb-1.9.3.p484-1.mga3

from ruby-1.9.3.p484-1.mga3.src.rpm
Comment 5 Dave Hodgins 2014-01-05 21:01:54 CET
Just testing that ruby is working.

Testing complete on Mageia 3 i586 and x86_64 using the script from
https://bugs.mageia.org/show_bug.cgi?id=10637#c7

Someone from the sysadmin team please push 11734.adv to updates.
Comment 6 Thomas Backlund 2014-01-06 02:35:37 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0003.html

Note You need to log in before you can comment on or make changes to this bug.