Upstream has issued an advisory today (October 27):
https://www.ruby-lang.org/en/news/2014/10/27/rexml-dos-cve-2014-8080/

The issue is fixed upstream in 2.0.0-p594 and 1.9.3-p550:
https://www.ruby-lang.org/en/news/2014/10/27/ruby-2-0-0-p594-is-released/
https://www.ruby-lang.org/en/news/2014/10/27/ruby-1-9-3-p550-is-released/

Pascal has requested a freeze push for Cauldron. Mageia 3 and Mageia 4 also need to be updated.
Whiteboard: (none) => MGA3TOO
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

I see that Funda rebuilt ruby-rmagick in Cauldron. Is that necessary?

Advisory:
========================

Updated ruby packages fix security vulnerability:

Due to unrestricted entity expansion, when reading text nodes from an XML document, the REXML parser in Ruby can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service (CVE-2014-8080).

The Mageia 3 ruby package has been updated to 1.9.3-p550 and the Mageia 4 ruby package has been updated to 2.0.0-p594 to fix this issue and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8080
https://www.ruby-lang.org/en/news/2014/10/27/rexml-dos-cve-2014-8080/
https://www.ruby-lang.org/en/news/2014/10/27/ruby-1-9-3-p550-is-released/
https://www.ruby-lang.org/en/news/2014/10/27/ruby-2-0-0-p594-is-released/
========================

Updated packages in core/updates_testing:
========================
ruby-1.9.3.p550-1.mga3
libruby1.9-1.9.3.p550-1.mga3
ruby-doc-1.9.3.p550-1.mga3
ruby-devel-1.9.3.p550-1.mga3
ruby-tk-1.9.3.p550-1.mga3
ruby-irb-1.9.3.p550-1.mga3

ruby-2.0.0.p594-1.mga4
libruby2.0-2.0.0.p594-1.mga4
ruby-doc-2.0.0.p594-1.mga4
ruby-devel-2.0.0.p594-1.mga4
ruby-tk-2.0.0.p594-1.mga4
ruby-irb-2.0.0.p594-1.mga4

from SRPMS:
ruby-1.9.3.p550-1.mga3.src.rpm
ruby-2.0.0.p594-1.mga4.src.rpm
CC: (none) => fundawang, pterjan
Assignee: pterjan => qa-bugs
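The advisory above describes REXML expanding entity references in text nodes without any bound on the resulting string. The following added example (not from this bug report, nor from Mageia or Ruby upstream) is the defender-side check one would run against a patched Ruby: it lowers REXML's entity expansion text limit and parses a small constructed document, confirming that an expansion which would overrun the limit is refused instead of allocated. The XML, the entity name and the limit values are constructed for the demonstration.

```ruby
require "rexml/document"

# Constructed sample document: one internal entity of 10 bytes, referenced
# four times in a text node, so the fully expanded text is 40 bytes.
SAMPLE_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE note [
    <!ENTITY chunk "0123456789">
  ]>
  <note>&chunk;&chunk;&chunk;&chunk;</note>
XML

# Parse xml with REXML's entity expansion text limit set to limit_bytes for
# the duration of the call (REXML::Document.entity_expansion_text_limit= is
# the older spelling of the same setting, as shipped in Ruby 1.9.3/2.0).
# Returns [:ok, expanded_byte_size] when the text node expands within the
# limit, and [:rejected, message] when REXML refuses to grow the expansion.
def read_text_with_limit(xml, limit_bytes)
  previous = REXML::Security.entity_expansion_text_limit
  REXML::Security.entity_expansion_text_limit = limit_bytes
  doc = REXML::Document.new(xml)
  # Expansion of text nodes happens lazily when the value is read, so this
  # is where the limit is enforced rather than inside Document.new.
  [:ok, doc.root.text.bytesize]
rescue RuntimeError => e
  # REXML raises a plain RuntimeError ("entity expansion has grown too
  # large") once the expanded size would exceed the configured limit.
  [:rejected, e.message]
ensure
  REXML::Security.entity_expansion_text_limit = previous
end

if __FILE__ == $PROGRAM_NAME
  p read_text_with_limit(SAMPLE_XML, 100)  # generous limit: 40 bytes, accepted
  p read_text_with_limit(SAMPLE_XML, 30)   # tight limit: expansion refused
end
```

The default limit is 10240 bytes; lowering it for untrusted input, as done here, keeps a document from costing more memory than its declared entities justify.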
[root@vega ~]# urpmi ruby
(medium "Core Updates Testing (distrib5)")
ruby 2.0.0.p594 1.mga4 x86_64
(medium "Core Updates Testing (distrib95)")
ruby-tk 2.0.0.p594 1.mga4 x86_64
[root@vega ~]# urpmi ruby-devel
(medium "Core Updates Testing (distrib5)")
lib64ruby2.0 2.0.0.p594 1.mga4 x86_64
ruby-devel 2.0.0.p594 1.mga4 x86_64
[root@vega ~]# urpmi ruby-irb
Marking ruby-irb as manually installed, it won't be auto-orphaned
installing ruby-irb-2.0.0.p594-1.mga4.noarch.rpm from /var/cache/urpmi/rpms
[root@vega ~]# urpmi ruby-doc
installing ruby-doc-2.0.0.p594-1.mga4.noarch.rpm from /var/cache/urpmi/rpms

Tried a couple of home-grown applications with Tk interfaces; these worked just as before. Need to think about PoC and REXML parser and to check the references. First impressions are that everything else works fine.

A few simple tests:

Rubygems is always installed by default. Tried installing a gem which had already been installed:

gem install astro_moon
Fetching: astro_moon-0.2.gem (100%)
Successfully installed astro_moon-0.2
Parsing documentation for astro_moon-0.2
Installing ri documentation for astro_moon-0.2
Done installing documentation for astro_moon after 0 seconds
1 gem installed

An application which uses it continues to work as expected.
Checked interactive scripting:

[lcl@vega ~]$ irb
irb(main):001:0> abc = %w( a b c d e f g h i j k l m n o p q r s t u v w x y z )
=> ["a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z"]
irb(main):002:0> s = ""
=> ""
irb(main):003:0> abc.each { |zed| s += zed }
=> ["a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z"]
irb(main):004:0> puts s
abcdefghijklmnopqrstuvwxyz
=> nil
irb(main):005:0> quit

Commandline documentation, summary for String class:

[lcl@vega ~]$ ri String
= String < Object

------------------------------------------------------------------------------
= Includes:
Comparable (from ruby core)

(from ruby core)
------------------------------------------------------------------------------
Rake extension methods for String.

A String object holds and manipulates an arbitrary sequence of bytes, typically representing characters. String objects may be created using String::new or as literals.

Because of aliasing issues, users of strings should be aware of the methods that modify the contents of a String object. Typically, methods with names ending in ``!'' modify their receiver, while those without a ``!'' return a new String. However, there are exceptions, such as String#[]=.
------------------------------------------------------------------------------
= Class methods:

  new, try_convert

= Instance methods:

  %, *, +, <<, <=>, ==, ===, =~, [], []=, ascii_only?, b, block_scanf, bytes, bytesize, byteslice, capitalize, capitalize!, casecmp, center, chars, chomp, chomp!, chop, chop!, chr, clear, codepoints, concat, count, crypt, delete, delete!, downcase, downcase!, dump, each_byte, each_char, each_codepoint, each_line, empty?, encode, encode!, encoding, end_with?, eql?, ext, force_encoding, getbyte, gsub, gsub!, hash, hex, include?, index, initialize_copy, insert, inspect, intern, iseuc, isjis, issjis, isutf8, kconv, length, lines, ljust, lstrip, lstrip!, match, next, next!, oct, ord, partition, pathmap, pathmap_explode, pathmap_partial, pathmap_replace, prepend, replace, reverse, reverse!, rindex, rjust, rpartition, rstrip, rstrip!, scan, scanf, setbyte, shellescape, shellsplit, size, slice, slice!, split, squeeze, squeeze!, start_with?, strip, strip!, sub, sub!, succ, succ!, sum, swapcase, swapcase!, to_c, to_d, to_f, to_i, to_r, to_s, to_str, to_sym, toeuc, tojis, tolocale, tosjis, toutf16, toutf32, toutf8, tr, tr!, tr_s, tr_s!, unpack, upcase, upcase!, upto, valid_encoding?
(END)
CC: (none) => tarazed25
More details of the security issue here if you're interested: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8080
Severity: normal => major
Ubuntu has issued an advisory for this on November 4:
http://www.ubuntu.com/usn/usn-2397-1/

They also backported an upstream patch from ruby trunk (not sure if it was also in 2.1.x) to fix CVE-2014-4975. Considering that it was fixed in trunk in July and upstream didn't bother to backport it for these newer 1.9.3 and 2.0.0 releases, and Ubuntu's CVE notes say the issue is "not likely to be exposed," I've just committed the patch in SVN for now. For Mageia 3, it won't be included in the update unless I rebuild it now (let me know if anyone thinks I should). For Mageia 4 it'll be included in the next update in the future.
URL: (none) => http://lwn.net/Vulnerabilities/619214/
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=10637#c7
CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Tested on Mageia3-64 using procedure mentioned in comment 5

Before :
-------
Current packages, installed :
- lib64ruby1.9-1.9.3.p484-1.mga3.x86_64
- lib64tcl8.5-8.5.13-1.mga3.x86_64
- lib64tk8.5-8.5.13-2.mga3.x86_64
- lib64yaml0_2-0.1.6-1.mga3.x86_64
- ruby-1.9.3.p484-1.mga3.x86_64
- ruby-irb-1.9.3.p484-1.mga3.noarch
- ruby-json-1.7.7-1.mga3.x86_64
- ruby-linecache19-0.5.13-5.1.mga3.x86_64
- ruby-rdoc-3.12.1-2.mga3.noarch
- ruby-RubyGems-1.8.27-1.mga3.noarch
- ruby-tk-1.9.3.p484-1.mga3.x86_64
- ruby-ruby-debug-base19-0.11.26-5.1.mga3.x86_64
- ruby-devel-1.9.3.p484-1.mga3.x86_64
- ruby-linecache19-0.5.13-5.1.mga3.x86_64
- tcl-8.5.13-1.mga3.x86_64
- tk-8.5.13-2.mga3.x86_64

Ran
- ruby test
- irb + tk test
- irb + linecache test
- debug19 test

In this latter test for ruby-ruby-debug19, I had to make the following changes :
$ ruby -rdebug rubytest.rb (instead of $ rdebug rubytest.rb)
and further on :
(rdb:1) c (instead of : (rdb:1) continue)

All tests passed.

After :
-----
Testing packages :
- lib64ruby1.9-1.9.3.p550-1.mga3.x86_64
- ruby-1.9.3.p550-1.mga3.x86_64
- ruby-devel-1.9.3.p550-1.mga3.x86_64
- ruby-irb-1.9.3.p550-1.mga3.noarch
- ruby-tk-1.9.3.p550-1.mga3.x86_64

Re-ran the same tests, all OK.
CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-64-OK
Marking it OK for mga4 as well.
Whiteboard: MGA3TOO has_procedure MGA3-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK
Test in comment 5 tested fine on MGA4-32 - before and after the upgrade. Marking as such.
CC: (none) => shlomif
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK
(In reply to Shlomi Fish from comment #8)
> Test in comment 5 tested fine on MGA4-32 - before and after the upgrade.
> Marking as such.

Working fine on MGA3-32bit (i586). Marking as such.
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK MGA3-32-OK
Testing on mga4 32bit virtualbox.

Packages installed from Core 32bit Updates Testing:
ruby-2.0.0.p594-1.mga4
libruby2.0-2.0.0.p594-1.mga4
ruby-doc-2.0.0.p594-1.mga4
ruby-devel-2.0.0.p594-1.mga4
ruby-tk-2.0.0.p594-1.mga4
ruby-irb-2.0.0.p594-1.mga4

Core Release image support libraries for Tk:
tkimg-1.4-2.mga4.i586

There is an unresolved bug in tkimg associated with PNG images.

Note that MageiaUpdate does not select ruby-devel - install from the command line. In mga4 rubygems is now included in the ruby package, hence no need for ruby-Rubygems.

Ran some general tests as before; no problems. A demonstration script for JPEG image handling in ruby-tk has been attached together with a specimen image.
Created attachment 5591 [details]
Ruby-tk image display test

Use the supplied JPEG image files if you wish.
Created attachment 5592 [details]
Test image for rubyimage.rb
Created attachment 5593 [details]
Test image 2 for rubyimage.rb
Good testing on this one guys. Don't forget to validate updates when they're ready. I'll upload the advisory and validate this one now.
Advisory uploaded. Validating. Could sysadmin please push to 3 & 4 updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK MGA3-32-OK => MGA3TOO has_procedure advisory MGA3-64-OK MGA4-64-OK MGA4-32-OK MGA3-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0443.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED