A CVE has been assigned for a security issue fixed upstream in ruby-openssl: http://openwall.com/lists/oss-security/2016/10/01/2 ruby-openssl is bundled in the ruby package. The commit to fix the issue is linked in the message above. I took a quick look and it appears that the patch would need significant work to rediff for the version we have. I also noticed that ruby-net-ssh and jruby have an openssl.rb which may also contain the affected code.
Whiteboard: (none) => MGA5TOO
Status: NEW => ASSIGNED
ruby-2.0.0.p648-1.1.mga5 is available in updates_testing, I'll look at the rest and provide testing instructions.
Created attachment 8486 [details] updated test_cipher.rb verifying the fix Validation is done by running the new test_cipher.rb which I am attaching here for convenience. With the old ruby it reports 2 errors, while it passes with the new one. As it gets run during build, I am not sure there is more to verify.
ruby-net-ssh's openssl.rb loads the shared openssl.rb from ruby package. jruby's openssl.rb loads a java implementation (jopenssl.jar) which is unlikely to have a similar bug.
To verify the fix, run the attached test_cipher.rb (ruby test_cipher.rb). Without the fix you should get 2 failures, with the fix you should get all tests passing. Suggested advisory: ======================== Updated ruby packages fix a security vulnerability: A bug in openssl module caused using an all 0 IV for AES-GCM ciphers in some cases (when setting a key, an iv, and then setting a key a again (CVE-2016-7798). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7798 https://github.com/ruby/openssl/issues/49 ======================== Updated packages in core/updates_testing: ======================== lib(64)ruby2.0-2.0.0.p648-1.1.mga5 ruby-2.0.0.p648-1.1.mga5 ruby-devel-2.0.0.p648-1.1.mga5 ruby-doc-2.0.0.p648-1.1.mga5 ruby-irb-2.0.0.p648-1.1.mga5 ruby-tk-2.0.0.p648-1.1.mga5 Source RPMs: ruby-2.0.0.p648-1.1.mga5.src.rpm
Created attachment 8509 [details] self contained test_cipher.rb verifying the fix
Attachment 8486 is obsolete: 0 => 1
Assignee: pterjan => qa-bugs
test for mga5-64: test w/o the fix: 17 tests, 237 assertions, 2 failures, 0 errors, 0 pendings, 0 omissions, 0 notifications 88.2353% passed test w the fix: $ ruby test_cipher.rb Loaded suite test_cipher Started ............F =============================================================================== Failure: test_empty_data(OpenSSL::TestCipher) test_cipher.rb:824:in `test_empty_data' 821: 822: def test_empty_data 823: @c1.encrypt => 824: assert_raise(ArgumentError){ @c1.update("") } 825: end 826: 827: def test_initialize <ArgumentError> expected but was <OpenSSL::Cipher::CipherError(<key not set>)> diff: ? Argument Error ? Op SSL::Cipher::Cipher (<key not set>) =============================================================================== .... Finished in 0.038256731 seconds. 17 tests, 238 assertions, 1 failures, 0 errors, 0 pendings, 0 omissions, 0 notifications 94.1176% passed 444.37 tests/s, 6221.13 assertions/s
CC: (none) => mageia
test w/o the fix: $ ruby test_cipher.rb Loaded suite test_cipher Started ..F =============================================================================== Failure: test_aes_gcm_key_iv_order_issue(OpenSSL::TestCipher) test_cipher.rb:991:in `test_aes_gcm_key_iv_order_issue' 988: ct2 = cipher.update(pt) << cipher.final 989: tag2 = cipher.auth_tag 990: => 991: assert_equal ct1, ct2 992: assert_equal tag1, tag2 993: end if has_cipher?("aes-128-gcm") 994: end <"$\xF8\x17\xCC\xF6\x04\x15\x02^\xBCb\xC4Q*\x0E\xCF\x1E\xA1P\b\xD1\x9C\xF5\xD5\x8A%\xF2\x16I\x11\xC7\v\x9F\xCE\xC1\xA5$\x0F\"W3\xFC\xDA\xE0"> expected but was <"\xE0{\xD8\xB9\x90\xFB\fL\e\xE2\v\xA2\xDCd\xECkOA\x18l\xFE\xBF\x0Es \xC6\x960w\xF0\xB8H\xFD\x03.ELR\x9C\xE8\x9A\xEA\xF7\xD6"> diff: ? $���^�b�Q* ��� ��Õ%�I� ���$"W3��� ? �{ع�� L ��d�kOAâl�� s Æ0w��H�.ELR ����� =============================================================================== .............F =============================================================================== Failure: <OpenSSL::Cipher::CipherError> exception expected but none was thrown. test_update_raise_if_key_not_set(OpenSSL::TestCipher) test_cipher.rb:873:in `test_update_raise_if_key_not_set' 870: end 871: 872: def test_update_raise_if_key_not_set => 873: assert_raise(OpenSSL::Cipher::CipherError) do 874: # it caused OpenSSL SEGV by uninitialized key [Bug #2768] 875: OpenSSL::Cipher::AES128.new("ECB").update "." * 17 876: end =============================================================================== Finished in 0.05533721 seconds. 17 tests, 237 assertions, 2 failures, 0 errors, 0 pendings, 0 omissions, 0 notifications 88.2353% passed 307.21 tests/s, 4282.83 assertions/s
Version: Cauldron => 5
Whiteboard: MGA5TOO => MGA5TOO has_procedure
Confirmed the one failure after the update on x86_64.
CC: (none) => tarazed25
Sorry about that, this failure makes sense as it now detects there is no key before even noticing there is no data so it shows the fix is working and the test should be updated to set a key. I wonder why it did not happen during the build :(
CC: (none) => pterjan
Hmm it seems running "make check" runs much more tests (about 16 thousand more) than "make test" called in the package and finds a few more broken ones due to other patches (18 failures in total, mostly about gems)...
Assignee: qa-bugs => pterjan
Whiteboard: MGA5TOO has_procedure => has_procedure
Created attachment 8511 [details] updated self contained test_cipher.rb verifying the fix
Attachment 8509 is obsolete: 0 => 1
I updated the test, but now working on cauldron package to make sure we run all tests at build time and fix some of them.
with current ruby: $ ruby test_cipher.rb Loaded suite test_cipher Started ..F =============================================================================== Failure: test_aes_gcm_key_iv_order_issue(OpenSSL::TestCipher) test_cipher.rb:992:in `test_aes_gcm_key_iv_order_issue' 989: ct2 = cipher.update(pt) << cipher.final 990: tag2 = cipher.auth_tag 991: => 992: assert_equal ct1, ct2 993: assert_equal tag1, tag2 994: end if has_cipher?("aes-128-gcm") 995: end <"$\xF8\x17\xCC\xF6\x04\x15\x02^\xBCb\xC4Q*\x0E\xCF\x1E\xA1P\b\xD1\x9C\xF5\xD5\x8A%\xF2\x16I\x11\xC7\v\x9F\xCE\xC1\xA5$\x0F\"W3\xFC\xDA\xE0"> expected but was <"\xE0{\xD8\xB9\x90\xFB\fL\e\xE2\v\xA2\xDCd\xECkOA\x18l\xFE\xBF\x0Es \xC6\x960w\xF0\xB8H\xFD\x03.ELR\x9C\xE8\x9A\xEA\xF7\xD6"> diff: ? $���^�b�Q* ��� ��Õ%�I� ���$"W3��� ? �{ع�� L ��d�kOAâl�� s Æ0w��H�.ELR ����� =============================================================================== .............F =============================================================================== Failure: <OpenSSL::Cipher::CipherError> exception expected but none was thrown. test_update_raise_if_key_not_set(OpenSSL::TestCipher) test_cipher.rb:874:in `test_update_raise_if_key_not_set' 871: end 872: 873: def test_update_raise_if_key_not_set => 874: assert_raise(OpenSSL::Cipher::CipherError) do 875: # it caused OpenSSL SEGV by uninitialized key [Bug #2768] 876: OpenSSL::Cipher::AES128.new("ECB").update "." * 17 877: end =============================================================================== Finished in 0.039533178 seconds. 17 tests, 237 assertions, 2 failures, 0 errors, 0 pendings, 0 omissions, 0 notifications 88.2353% passed 430.02 tests/s, 5994.96 assertions/s with fixed ruby: $ ruby test_cipher.rb Loaded suite test_cipher Started ................. Finished in 0.034317457 seconds. 17 tests, 238 assertions, 0 failures, 0 errors, 0 pendings, 0 omissions, 0 notifications 100% passed 495.37 tests/s, 6935.25 assertions/s update ok for me on x86_64
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
Tested this on i586 in virtualbox. 2 failures before the update, none afterwards. $ ruby test_cipher.rb Loaded suite test_cipher Started ................. Finished in 0.017511517 seconds. ------ 17 tests, 238 assertions, 0 failures, 0 errors, 0 pendings, 0 omissions, 0 notifications 100% passed ------ 970.79 tests/s, 13591.06 assertions/s
Whiteboard: has_procedure MGA5-64-OK advisory => has_procedure MGA5-64-OK advisory MGA5-32-OK
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0342.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/703466/