Bug 18988 - ruby-eventmachine new security issue fixed upstream in 1.0.7
Summary: ruby-eventmachine new security issue fixed upstream in 1.0.7
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/694784/
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-07-19 16:32 CEST by David Walser
Modified: 2016-08-06 12:51 CEST (History)

See Also:
Source RPM: ruby-eventmachine-1.0.3-3.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2016-07-19 16:32:41 CEST
Debian-LTS issued an advisory on July 15:
http://lwn.net/Alerts/694766/

They backported patches from 1.0.7.  The Debian bugs have more information:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678512
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696015
Comment 1 David Walser 2016-07-19 16:33:46 CEST
Looks like we only have this package still because of pcs/glusterfs.

CC: (none) => thomas

Comment 2 David Walser 2016-07-22 17:59:08 CEST
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated ruby-eventmachine packages fix security vulnerability:

EventMachine could be crashed by opening a high number of parallel connections
(>= 1024) towards a server using the EventMachine engine. The crash happens due
to the file descriptors overwriting the stack.

References:
http://lwn.net/Alerts/694766/
========================

Updated packages in core/updates_testing:
========================
ruby-eventmachine-1.0.3-3.1.mga5
ruby-eventmachine-doc-1.0.3-3.1.mga5

from ruby-eventmachine-1.0.3-3.1.mga5.src.rpm

Assignee: pterjan => qa-bugs
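
The advisory text above describes the failure mode of a select()-based reactor: fd_set is a fixed bitmap of FD_SETSIZE bits (1024 on glibc, matching the advisory's figure), and FD_SET() on a descriptor numbered FD_SETSIZE or higher writes outside that object, which is a stack overwrite when the set is a stack local. The C below is an added illustration written for this page, not EventMachine's own code and not the patches Debian backported from 1.0.7: it shows where an unchecked FD_SET() would write, and a guarded registration routine that rejects such descriptors instead of corrupting memory. The function names and the descriptor list in main() are constructed for the example; no real sockets are opened.

```c
/* Added example: why descriptors >= FD_SETSIZE crash a select() reactor,
 * and the bounds check that turns the crash into an error.
 * Not EventMachine code; function names are this example's own. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>

/* Index of the machine word inside an fd_set that holds fd's bit.
 * glibc lays fd_set out as an array of long (its fd_mask type). */
static size_t fdset_word_index(int fd) {
    return (size_t)fd / (8 * sizeof(long));
}

/* Number of words an unchecked FD_SET(fd) would write past the end of an
 * fd_set object; 0 when the descriptor is in range. */
size_t fdset_overrun_words(int fd) {
    size_t words_in_set = sizeof(fd_set) / sizeof(long);
    size_t idx = fdset_word_index(fd);
    return idx < words_in_set ? 0 : idx - words_in_set + 1;
}

/* True when FD_SET(fd, set) stays inside the fd_set object. */
int fd_fits_in_fdset(int fd) {
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Guarded replacement for FD_SET: refuses out-of-range descriptors.
 * Returns 0 on success, -1 with errno = EINVAL when fd cannot be tracked
 * by select() at all. */
int fdset_add_checked(fd_set *set, int fd) {
    if (!fd_fits_in_fdset(fd)) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Register the descriptors a reactor has accepted, in order, stopping at
 * the first one select() cannot represent.  Returns how many were
 * registered; *first_rejected receives the offending fd or -1. */
int reactor_register_all(fd_set *set, const int *fds, int n,
                         int *first_rejected) {
    int registered = 0;
    *first_rejected = -1;
    for (int i = 0; i < n; i++) {
        if (fdset_add_checked(set, fds[i]) != 0) {
            *first_rejected = fds[i];
            break;
        }
        registered++;
    }
    return registered;
}

int main(void) {
    /* Constructed descriptor numbers standing in for accepted connections;
     * a server that accepts 1024 clients reaches FD_SETSIZE this way. */
    int fds[] = { 3, 4, FD_SETSIZE - 1, FD_SETSIZE, FD_SETSIZE + 1 };
    int n = (int)(sizeof(fds) / sizeof(fds[0]));
    fd_set readfds;            /* stack-resident, exactly what gets overwritten */
    int rejected;

    FD_ZERO(&readfds);
    printf("FD_SETSIZE=%d, sizeof(fd_set)=%zu bytes\n",
           FD_SETSIZE, sizeof(fd_set));
    for (int i = 0; i < n; i++)
        printf("fd %d: unchecked FD_SET overruns by %zu word(s)\n",
               fds[i], fdset_overrun_words(fds[i]));

    int ok = reactor_register_all(&readfds, fds, n, &rejected);
    printf("registered %d descriptor(s); first rejected: %d\n", ok, rejected);
    return 0;
}
```

Running it on glibc reports an overrun of one word for fd 1024 and two for fd 1088 and above, and the guarded loop stops at 1024 with EINVAL rather than scribbling past readfds. Note that recent glibc with _FORTIFY_SOURCE checks FD_SET itself and aborts the process on an out-of-range descriptor, so the symptom there is a clean abort rather than a silent stack overwrite; either way the connection count at which it happens is the one the advisory names.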

Comment 3 Len Lawrence 2016-08-04 23:18:59 CEST
Testing this on x86_64 using a ruby chat script found at http://eventmachine.rubyforge.org/file.GettingStarted.html

This uses the eventmachine with a chat server to echo messages when users login via telnet localhost 10000.  User input appears on the server terminal and on the separate client terminals.  Tried this before and after the update and it worked perfectly.  Limited the tests to two users.  Not going to attempt 1024+ connections for the PoC.

I would be glad of some direction on including external source code in the testing arsenal.  Is there a wiki entry about that anywhere?

CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK

Comment 4 Len Lawrence 2016-08-04 23:23:38 CEST
Should have added that there are web application frameworks out there which rely on ruby eventmachine, such as Thin and Goliath.
Comment 5 Len Lawrence 2016-08-05 12:10:02 CEST
Checked this over in a 32-bit vbox.
It worked fine before and after the update.  The eventmachine handled messages from host to vm, vm to vm and external machine to vm.  Messages echoed on all the consoles.

So, on the basis that the service continues to run properly after the update, this can be validated.
Len Lawrence 2016-08-05 12:10:34 CEST

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Dave Hodgins 2016-08-05 15:05:08 CEST

CC: (none) => davidwhodgins
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory

Comment 6 Mageia Robot 2016-08-06 12:51:45 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0276.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

