A security issue in ruby-RubyGems was announced earlier in June:
http://openwall.com/lists/oss-security/2015/06/26/2

The upstream commits needed to fix this issue are linked from the reference in the Trustwave advisories. The commits are:
https://github.com/rubygems/rubygems/commit/329c7555fbe2e6d08dae57e61bb5e8171c579e4a
https://github.com/rubygems/rubygems/commit/5c7bfb5c05202b4db971dd672d88a42298a0d84e

My interpretation is that the first commit was an incomplete fix for CVE-2015-3900, which is why CVE-2015-4020 was assigned, and the second commit fixes that. The second CVE wouldn't affect us since we never committed the incomplete fix.

Mageia 4 and Mageia 5 are also affected.
CC: (none) => fundawang
Whiteboard: (none) => MGA5TOO, MGA4TOO
Fedora has issued an advisory for this on August 1:
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163600.html
URL: (none) => http://lwn.net/Vulnerabilities/654153/
ruby-RubyGems should be updated to 2.2.5, syncing with these Fedora commits:
http://pkgs.fedoraproject.org/cgit/rubygems.git/commit/?h=f21&id=6aa4b2f223987a0ea3fe06da1633058174ccf871
http://pkgs.fedoraproject.org/cgit/rubygems.git/commit/?h=f21&id=e83e17c1c3ad23f615c2226e937207f39da1afb4
Severity: normal => critical
Pascal was able to locate patches for this. He also added a part of the test suite that runs at build time and verifies that the CVE is fixed. Thanks Pascal!

Advisory:
========================

Updated ruby-RubyGems package fixes security vulnerability:

RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack" (CVE-2015-3900).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3900
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/164236.html
========================

Updated packages in core/updates_testing:
========================
ruby-RubyGems-2.1.11-3.1.mga4
ruby-RubyGems-2.1.11-5.1.mga5

from SRPMS:
ruby-RubyGems-2.1.11-3.1.mga4.src.rpm
ruby-RubyGems-2.1.11-5.1.mga5.src.rpm
CC: (none) => pterjan
Version: Cauldron => 5
Assignee: pterjan => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
Testing with x86_64 Mate 3.19.8-desktop-3.mga5.

ruby-RubyGems-2.1.11-5 was already in use. Installed ruby-RubyGems-2.1.11-5.1.mga5 and tried installing a few random gems. e.g.

[lcl@vega ~/test]$ sudo gem install mplay
Fetching: helpema-0.1.0.gem (100%)
Successfully installed helpema-0.1.0
Fetching: base_convert-2.0.0.gem (100%)
Successfully installed base_convert-2.0.0
Fetching: mplay-2.4.0.gem (100%)
Successfully installed mplay-2.4.0
Parsing documentation for base_convert-2.0.0
Installing ri documentation for base_convert-2.0.0
Parsing documentation for helpema-0.1.0
Installing ri documentation for helpema-0.1.0
Parsing documentation for mplay-2.4.0
Installing ri documentation for mplay-2.4.0
Done installing documentation for base_convert, helpema, mplay after 0 seconds
3 gems installed

[lcl@vega ~/test]$ sudo gem list

*** LOCAL GEMS ***

astro_moon (0.2)
base_convert (2.0.0)
bindata (1.5.1)
helpema (0.1.0)
json (1.8.1)
mp3info (0.8.5)
mp4info2 (1.7.4)
mplay (2.4.0)
mplayer-ruby (0.2.0)
mplayer.rb (0.0.2)
open4 (1.3.4)
parallel (1.6.1)
rake (10.4.2)
rdoc (4.0.1)
ruby-mp3info (0.8.7)
ruby-yui (0.0.7)
rubyswig (0.0.1)

Since it is not obvious how to check the security issue, is it sufficient just to ensure that the application runs OK?
CC: (none) => tarazed25
One of the links contained this command but it does not seem to be relevant to the test.

[lcl@vega ~/test]$ dig _rubygems._tcp.rubygems.org SRV

; <<>> DiG 9.10.2-P3 <<>> _rubygems._tcp.rubygems.org SRV
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24395
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_rubygems._tcp.rubygems.org.	IN	SRV

;; ANSWER SECTION:
_rubygems._tcp.rubygems.org. 600 IN	SRV	0 1 80 api.rubygems.org.

;; Query time: 30 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sat Sep 05 17:02:08 BST 2015
;; MSG SIZE  rcvd: 92
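The dig output above shows the mechanism the advisory in comment 5 describes: RubyGems resolves the `_rubygems._tcp.<host>` SRV record to discover its API endpoint, and before the fix it used whatever target the answer named. An added example (not code from the Mageia package, the upstream commits, or any comment in this thread) of the shape of check that makes a spoofed SRV target harmless, written in Ruby since that is the package's language: the target is used only when it stays within the original host's domain. `SrvRecord`, `HOSTNAME_RE`, `within_domain?`, `api_endpoint` and the sample targets other than `api.rubygems.org` are constructed for illustration.

```ruby
require 'uri'

# Constructed SRV answer, shaped like the record dig returned in this thread:
#   _rubygems._tcp.rubygems.org. 600 IN SRV 0 1 80 api.rubygems.org.
SrvRecord = Struct.new(:priority, :weight, :port, :target)

# A plain DNS hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = /\A[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*\z/i

# True when `target` is `host` itself or a name beneath it. The leading dot
# matters: "evilrubygems.org" and "rubygems.org.example.net" must both fail.
def within_domain?(target, host)
  target = target.downcase
  host = host.downcase
  target == host || target.end_with?(".#{host}")
end

# Choose the host for API requests. Without a check, whatever the SRV answer
# named would be used, so a spoofed record could send every fetch to a foreign
# domain. With the check, the SRV target is used only if it stays inside the
# original host's domain; anything else falls back to the original URI.
# Only the target hostname is substituted; the SRV port is not used here.
def api_endpoint(uri, srv)
  return uri if srv.nil?
  target = srv.target.to_s.strip.chomp('.')  # DNS names may carry a trailing dot
  # A crafted answer can carry characters that change how a URI parses, so
  # insist on a plain hostname before comparing rather than trusting the raw string.
  return uri unless HOSTNAME_RE.match?(target)
  return uri unless within_domain?(target, uri.host)
  URI.parse("#{uri.scheme}://#{target}#{uri.path}")
rescue URI::InvalidURIError
  uri
end

if __FILE__ == $PROGRAM_NAME
  source = URI.parse("https://rubygems.org/")
  [
    SrvRecord.new(0, 1, 80, "api.rubygems.org."),          # as seen in the dig output: accepted
    SrvRecord.new(0, 1, 80, "gems.example.net."),          # constructed foreign target: rejected
    SrvRecord.new(0, 1, 80, "rubygems.org.example.net."),  # constructed look-alike: rejected
    SrvRecord.new(0, 1, 80, "api.rubygems.org/x")          # constructed malformed target: rejected
  ].each do |rec|
    puts "#{rec.target.ljust(28)} -> #{api_endpoint(source, rec)}"
  end
end
```

Run with `ruby srv_check.rb` (any file name): only the first record changes the endpoint to `https://api.rubygems.org/`; the rest leave requests on `https://rubygems.org/`. This is also a reasonable way to read the build-time test Pascal added to the package: it exercises the same accept/reject decision, which is not visible from simply installing a gem as the tests in this thread do.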
Testing in mga5 on i586 virtual box.

[lcl@cursa ~]$ gem list

*** LOCAL GEMS ***

json (1.8.1)
rdoc (4.0.1)

Installed ruby-RubyGems-2.1.11-5.1.mga5.noarch.

[lcl@cursa ~]$ sudo gem install mplayer-ruby
Fetching: open4-1.3.4.gem (100%)
Successfully installed open4-1.3.4
Fetching: mplayer-ruby-0.2.0.gem (100%)
Successfully installed mplayer-ruby-0.2.0
Parsing documentation for mplayer-ruby-0.2.0
Installing ri documentation for mplayer-ruby-0.2.0
Parsing documentation for open4-1.3.4
Installing ri documentation for open4-1.3.4
Done installing documentation for mplayer-ruby, open4 after 0 seconds
2 gems installed

[lcl@cursa ~]$ sudo gem install astro_moon
Fetching: astro_moon-0.2.gem (100%)
Successfully installed astro_moon-0.2
Parsing documentation for astro_moon-0.2
Installing ri documentation for astro_moon-0.2
Done installing documentation for astro_moon after 0 seconds
1 gem installed

[lcl@cursa ~]$ gem list

*** LOCAL GEMS ***

astro_moon (0.2)
json (1.8.1)
mplayer-ruby (0.2.0)
open4 (1.3.4)
rdoc (4.0.1)

Working fine for 32-bit as well.
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: ruby-RubyGems

default install of ruby-RubyGems

[root@localhost wilcal]# urpmi ruby-RubyGems
Package ruby-RubyGems-2.1.11-3.mga4.noarch is already installed

Package works

install package from updates_testing

For some reason neither the MCC nor urpmi ( urpmi ruby-rack ) sees the ruby-RubyGems-2.1.11-3.1.mga4 package in the updates_testing repo. Even though it's there.
CC: (none) => wilcal.int
correction:

In VirtualBox, M4, KDE, 32-bit

Package(s) under test: ruby-RubyGems

default install of ruby-RubyGems

[root@localhost wilcal]# urpmi ruby-RubyGems
Package ruby-RubyGems-2.1.11-3.mga4.noarch is already installed

Package works

install package from updates_testing

For some reason neither the MCC nor urpmi ( urpmi ruby-RubyGems ) sees the ruby-RubyGems-2.1.11-3.1.mga4 package in the updates_testing repo. Even though it's there.
That is odd Bill - it showed up here.

Testing on 32-bit vbox with kernel 3.14.43-desktop-1.mga4

RubyGems already installed. Installed ruby-RubyGems-2.1.11-3.1.mga4.noarch

[lcl@alcor ~]$ sudo gem install mplayer-ruby
Fetching: open4-1.3.4.gem (100%)
Successfully installed open4-1.3.4
Fetching: mplayer-ruby-0.2.0.gem (100%)
Successfully installed mplayer-ruby-0.2.0
Parsing documentation for mplayer-ruby-0.2.0
Installing ri documentation for mplayer-ruby-0.2.0
Parsing documentation for open4-1.3.4
Installing ri documentation for open4-1.3.4
Done installing documentation for mplayer-ruby, open4 after 0 seconds
2 gems installed

[lcl@alcor ~]$ gem list

*** LOCAL GEMS ***

astro_moon (0.2)
json (1.7.7)
mplayer-ruby (0.2.0)
open4 (1.3.4)
rdoc (4.0.1)
(In reply to Len Lawrence from comment #9)
> That is odd Bill - it showed up here.

Something funky with my local repo. Went directly to mirrors.kernel.org and that works fine.
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: ruby-RubyGems

default install of ruby-RubyGems

[root@localhost wilcal]# urpmi ruby-RubyGems
Package ruby-RubyGems-2.1.11-3.mga4.noarch is already installed

ruby-RubyGems installs cleanly

install ruby-RubyGems from updates_testing

[root@localhost wilcal]# urpmi ruby-RubyGems
Package ruby-RubyGems-2.1.11-3.1.mga4.noarch is already installed

ruby-RubyGems updates cleanly
Whiteboard: MGA4TOO => MGA4TOO MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: ruby-RubyGems

default install of ruby-RubyGems

[root@localhost wilcal]# urpmi ruby-RubyGems
Package ruby-RubyGems-2.1.11-3.mga4.noarch is already installed

ruby-RubyGems installs cleanly

install ruby-RubyGems from updates_testing

[root@localhost wilcal]# urpmi ruby-RubyGems
Package ruby-RubyGems-2.1.11-3.1.mga4.noarch is already installed

ruby-RubyGems updates cleanly
Whiteboard: MGA4TOO MGA4-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: ruby-RubyGems

default install of ruby-RubyGems

[root@localhost wilcal]# urpmi ruby-RubyGems
Package ruby-RubyGems-2.1.11-5.mga5.noarch is already installed

ruby-RubyGems installs cleanly

install ruby-RubyGems from updates_testing

[root@localhost wilcal]# urpmi ruby-RubyGems
Package ruby-RubyGems-2.1.11-5.1.mga5.noarch is already installed

ruby-RubyGems updates cleanly
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit

Package(s) under test: ruby-RubyGems

default install of ruby-RubyGems

[root@localhost wilcal]# urpmi ruby-RubyGems
Package ruby-RubyGems-2.1.11-5.mga5.noarch is already installed

ruby-RubyGems installs cleanly

install ruby-RubyGems from updates_testing

[root@localhost wilcal]# urpmi ruby-RubyGems
Package ruby-RubyGems-2.1.11-5.1.mga5.noarch is already installed

ruby-RubyGems updates cleanly
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK
This bug updates cleanly.

Testing complete for MGA4 & MGA5, 32-bit & 64-bit

Validating the update.

Could someone from the sysadmin team push to updates. Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK => MGA4TOO advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0345.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED