Upstream has issued an advisory today (November 13):
https://www.ruby-lang.org/en/news/2014/11/13/rexml-dos-cve-2014-8090/

This is fixed upstream in 1.9.3-p551 and 2.0.0-p598:
https://www.ruby-lang.org/en/news/2014/11/13/ruby-1-9-3-p551-is-released/
https://www.ruby-lang.org/en/news/2014/11/13/ruby-2-0-0-p598-is-released/

Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Pascal has requested a freeze push for Cauldron.

Updated packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated ruby packages fix security vulnerabilities:

Will Wood discovered that Ruby incorrectly handled the encodes() function. An attacker could possibly use this issue to cause Ruby to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service (CVE-2014-4975).

Due to an incomplete fix for CVE-2014-8080, 100% CPU utilization can occur as a result of recursive expansion with an empty String. When reading text nodes from an XML document, the REXML parser in Ruby can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service (CVE-2014-8090).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8090
https://www.ruby-lang.org/en/news/2014/11/13/rexml-dos-cve-2014-8090/
https://www.ruby-lang.org/en/news/2014/11/13/ruby-1-9-3-p551-is-released/
https://www.ruby-lang.org/en/news/2014/11/13/ruby-2-0-0-p598-is-released/
http://www.ubuntu.com/usn/usn-2397-1/
========================

Updated packages in core/updates_testing:
========================
ruby-1.9.3.p551-1.mga3
libruby1.9-1.9.3.p551-1.mga3
ruby-doc-1.9.3.p551-1.mga3
ruby-devel-1.9.3.p551-1.mga3
ruby-tk-1.9.3.p551-1.mga3
ruby-irb-1.9.3.p551-1.mga3
ruby-2.0.0.p598-1.mga4
libruby2.0-2.0.0.p598-1.mga4
ruby-doc-2.0.0.p598-1.mga4
ruby-devel-2.0.0.p598-1.mga4
ruby-tk-2.0.0.p598-1.mga4
ruby-irb-2.0.0.p598-1.mga4

from SRPMS:
ruby-1.9.3.p551-1.mga3.src.rpm
ruby-2.0.0.p598-1.mga4.src.rpm

CC: (none) => pterjan
Version: Cauldron => 4
Assignee: pterjan => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=10637#c7
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing on Mageia3-64 using procedure mentioned in comment 2.

With current packages :
---------------------
$ rpm -q ruby ruby-irb ruby-tk
ruby-1.9.3.p550-1.mga3
ruby-irb-1.9.3.p550-1.mga3
ruby-tk-1.9.3.p550-1.mga3

Ran
- ruby test
- irb + tk test
and for the sake of it :
- irb + linecache test
- debug19 test

Updated to testing packages :
---------------------------
- lib64ruby1.9-1.9.3.p551-1.mga3.x86_64
- ruby-1.9.3.p551-1.mga3.x86_64
- ruby-devel-1.9.3.p551-1.mga3.x86_64
- ruby-doc-1.9.3.p551-1.mga3.noarch
- ruby-irb-1.9.3.p551-1.mga3.noarch
- ruby-tk-1.9.3.p551-1.mga3.x86_64

Ran the same tests, everything OK.

CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-64-OK
Testing Mageia4 x86_64 on real hardware

Using ruby daily; running fine before updates.

Installed these from Core Updates testing:
ruby-2.0.0.p598-1.mga4
libruby2.0-2.0.0.p598-1.mga4
ruby-doc-2.0.0.p598-1.mga4
ruby-devel-2.0.0.p598-1.mga4
ruby-tk-2.0.0.p598-1.mga4
ruby-irb-2.0.0.p598-1.mga4

Ran the Hello World irb/ruby-tk test and totals class test referred to in comment 2, then my own rubyimage.rb script and
$ sudo gem install astro_moon

All worked fine.
CC: (none) => tarazed25
Whiteboard: MGA3TOO has_procedure MGA3-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK
Created attachment 5602
Tk JPEG image display test
Reference comment 4

Created attachment 5603
Test file for rubyimage.rb

Testing Mageia4 i586 on virtualbox

Installed the updates from Core 32bit Updates Testing and carried out a battery of similar tests to those used before. Passed.
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK
Ran the first two tests of Claire's from Comment 2, as those are the ones relevant to every ruby update. Both worked fine before and after the update. Tested Mageia 3 i586 and Mageia 4 i586.
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK
Validating, advisory uploaded.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK advisory
CC: (none) => remi, sysadmin-bugs

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0472.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/622616/
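
The fixed patch levels named in this report (1.9.3-p551 and 2.0.0-p598) can be checked against `rpm -q` output on a host. The following Ruby sketch is an added example, not part of the bug report or of Mageia's tooling; the function names, the regular expression, and the last two sample lines are assumptions made for illustration.

```ruby
# Added example: flag ruby packages that predate the patch levels this
# report gives as fixed for CVE-2014-8090.
FIXED_PATCHLEVEL = { "1.9.3" => 551, "2.0.0" => 598 }.freeze

# Matches package strings as they appear in the report, with or without
# an architecture suffix, e.g. "lib64ruby1.9-1.9.3.p551-1.mga3.x86_64".
NVR_PATTERN =
  /\A(?<name>.+)-(?<branch>\d+\.\d+\.\d+)\.p(?<patch>\d+)-(?<release>[^-]+)\z/

# Returns :fixed, :needs_update, :unknown_branch (a ruby branch the report
# does not cover) or :unparsed (not a ruby-style version string).
def classify_ruby_package(nvr)
  m = NVR_PATTERN.match(nvr.strip)
  return :unparsed unless m

  fixed = FIXED_PATCHLEVEL[m[:branch]]
  return :unknown_branch unless fixed

  m[:patch].to_i >= fixed ? :fixed : :needs_update
end

# Maps every non-empty line of `rpm -q` output to its classification.
def audit(rpm_output)
  rpm_output.each_line.map(&:strip).reject(&:empty?)
            .to_h { |line| [line, classify_ruby_package(line)] }
end

def packages_needing_update(rpm_output)
  audit(rpm_output).select { |_, status| status == :needs_update }.keys
end

# First four lines are package strings quoted in the report; the last two
# are constructed to exercise the :unknown_branch and :unparsed paths.
SAMPLE_RPM_OUTPUT = <<~OUT
  ruby-1.9.3.p550-1.mga3
  ruby-irb-1.9.3.p550-1.mga3
  lib64ruby1.9-1.9.3.p551-1.mga3.x86_64
  ruby-2.0.0.p598-1.mga4
  ruby-2.1.5.p273-1.mga5
  bash-4.2-53.mga4
OUT

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_RPM_OUTPUT).each { |pkg, status| puts format("%-14s %s", status, pkg) }
end
```

On a real host, pass the output of `rpm -qa` filtered to ruby packages instead of the sample string.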