SUSE has issued an advisory on April 3:
https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00006.html

The upstream commit that fixed the issue is linked from the SUSE bug:
https://bugzilla.suse.com/show_bug.cgi?id=1018808

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => pterjan
Ping Pascal. Any chance you can patch this one?
Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Fixed package available in cauldron and 5/update_testing
Created attachment 9467: File triggering the bug
(In reply to Pascal Terjan from comment #3)
> Fixed package available in cauldron and 5/update_testing

Nope, the Cauldron update failed to build:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20170707180749.akien.duvel.45207/log/ruby-2.2.7-1.mga6/build.0.20170707180808.log

We'll have to ship it as the first update for Mageia 6.
Hmm ruby-2.0.0.p648-1.3.mga5 is indeed available in 5/updates_testing but it seems the build in cauldron actually failed so it may end up needing an update too :(
Whiteboard: MGA5TOO => MGA5TOO, MGA6TOO
Packages list for Mageia 5 update:

ruby-2.0.0.p648-1.3.mga5
libruby2.0-2.0.0.p648-1.3.mga5
ruby-doc-2.0.0.p648-1.3.mga5
ruby-devel-2.0.0.p648-1.3.mga5
ruby-tk-2.0.0.p648-1.3.mga5
ruby-irb-2.0.0.p648-1.3.mga5

from ruby-2.0.0.p648-1.3.mga5.src.rpm
This does not appear in madb but testing it anyway.

x86_64 Mate real hardware

Still trying to figure out how this works but here is what happens before the update.

$ ruby fiddle_poc.rb
Start args array size : 1
increase size of array
New args array size is : 11
*** Error in `ruby': free(): invalid next size (fast): 0x0000000001afe490 ***
======= Backtrace: =========
/usr/lib64/libc.so.6(+0x7238e)[0x7fa61441838e]
.....................
Abort

Updated ruby packages from core updates testing. Ran the PoC test again.

$ ruby fiddle_poc.rb
Start args array size : 1
fiddle_poc.rb:16:in `initialize': can't convert nil into Integer (TypeError)
	from fiddle_poc.rb:16:in `new'
	from fiddle_poc.rb:16:in `<main>'

That looks better; no abort at least.

ruby still working OK. Ran several of my home-grown scripts, some very complex and all using ruby-tk - no regressions. Started an irb session, tinkered with some simple commands and ran a couple of local scripts as shell commands. All OK.

Good for x86_64.
CC: (none) => tarazed25
(In reply to Len Lawrence from comment #8)
> This does not appear in madb but testing it anyway.

Not assigned to QA yet because we have to wait until Mageia 6 branches to build its update for this, but feel free to test the Mageia 5 update in the meantime.
Ubuntu has issued an advisory for this on July 25:
https://usn.ubuntu.com/usn/usn-3365-1/

It actually fixes several CVEs, including two others I don't think we've seen before:
CVE-2015-9096
CVE-2016-2337

So we should include fixes for those as well.
Summary: ruby new security issue CVE-2016-2339 => ruby new security issues CVE-2015-9096, CVE-2016-2337, CVE-2016-2339
Uploaded ruby-2.0.0.p648-1.4.mga5 and ruby-2.2.7-1.mga6
Advisory:
========================

Updated ruby packages fix security vulnerabilities:

It was discovered that Ruby Net::SMTP incorrectly handled CRLF sequences. A remote attacker could possibly use this issue to inject SMTP commands. (CVE-2015-9096)

Marcin Noga discovered that Ruby incorrectly handled certain arguments in a TclTkIp class method. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-2337)

It was discovered that Ruby Fiddle::Function.new incorrectly handled certain arguments. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-2339)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2339
https://usn.ubuntu.com/usn/usn-3365-1/
========================

Updated packages in core/updates_testing:
========================
ruby-2.0.0.p648-1.4.mga5
libruby2.0-2.0.0.p648-1.4.mga5
ruby-doc-2.0.0.p648-1.4.mga5
ruby-devel-2.0.0.p648-1.4.mga5
ruby-tk-2.0.0.p648-1.4.mga5
ruby-irb-2.0.0.p648-1.4.mga5
ruby-2.2.7-1.mga6
libruby2.2-2.2.7-1.mga6
ruby-doc-2.2.7-1.mga6
ruby-devel-2.2.7-1.mga6
ruby-tk-2.2.7-1.mga6
ruby-power_assert-0.2.2-1.mga6
ruby-irb-2.2.7-1.mga6
ruby-io-console-0.4.3-1.mga6
ruby-test-unit-3.0.8-1.mga6

from SRPMS:
ruby-2.0.0.p648-1.4.mga5.src.rpm
ruby-2.2.7-1.mga6.src.rpm
Version: Cauldron => 6
Assignee: pterjan => qa-bugs
Whiteboard: MGA5TOO, MGA6TOO => MGA5TOO
CC: (none) => pterjan
Testing on mga6, x86_64

PoCs were found for two of the CVEs:

CVE-2016-2337
-------------------------------------------------------------------------
require 'tk'
t = TclTkIp.new()
t._cancel_eval(0x11223344)
-------------------------------------------------------------------------
CVE-2016-2339
Ruby Fiddle::Function.new Heap Overflow Vulnerability
Attached fiddle_poc.rb which we have seen before.
-------------------------------------------------------------------------
CVE-2015-9096
Could not find a way to test SMTP command injection but could see that the patch to /usr/share/ruby/net/smtp.rb had been applied by the update.

*** Before updates ***

CVE-2016-2337
$ irb
irb(main):001:0>require 'tk'
=> true
irb(main):002:0> t = TclTkIp.new()
=> #<TclTkIp:0x000000014f3700 @force_default_encoding=[false], @encoding=[nil]>
irb(main):003:0> t._cancel_eval(0x11223344)
< stack dump >
[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html
Aborted (core dumped)
$

CVE-2016-2339
$ ruby fiddle_poc.rb
Start args array size : 1
increase size of array
New args array size is : 11
*** Error in `ruby': free(): invalid next size (fast): 0x00000000019bf6d0 ***
< stack dump >
Aborted (core dumped)
------------------------------------------------------------------------------

*** After updates ***

CVE-2016-2337
$ irb
irb(main):001:0> require 'tk'
=> true
irb(main):002:0> t = TclTkIp.new()
=> #<TclTkIp:0x00000000e4d6d0 @force_default_encoding=[false], @encoding=[nil]>
irb(main):003:0> t._cancel_eval(0x11223344)
TypeError: no implicit conversion of Fixnum into String
	from (irb):3:in `_cancel_eval'
	from (irb):3
	from /bin/irb:11:in `<main>'
irb(main):004:0> quit
$

CVE-2016-2339
$ ruby fiddle_poc.rb
Start args array size : 1
fiddle_poc.rb:16:in `initialize': can't convert nil into Integer (TypeError)
	from fiddle_poc.rb:16:in `new'
	from fiddle_poc.rb:16:in `<main>'
$

No more crash dumps.
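The comment above could not exercise the CVE-2015-9096 fix directly. The following is an added example, not code from the bug report or from Ruby's own net/smtp.rb: it mirrors the kind of check that fix applies (rejecting a bare CR or LF in an SMTP command line) by building the MAIL FROM / RCPT TO envelope commands with and without that check, entirely offline. The addresses and the helper names are constructed for the example.

```ruby
# Added example, not code from the bug report or from Ruby itself. It mirrors
# the check the CVE-2015-9096 fix added to net/smtp.rb (a bare CR or LF in a
# command line is rejected) by building SMTP envelope commands two ways:
# as an unpatched client interpolates the address, and with the check applied.
# Nothing is sent; no SMTP server is involved.

# Unpatched behaviour: the address is interpolated verbatim into the command
# line, so a CRLF inside it becomes a line break on the wire.
def unpatched_envelope(from_addr, to_addr)
  ["MAIL FROM:<#{from_addr}>", "RCPT TO:<#{to_addr}>"]
    .map { |line| line + "\r\n" }.join
end

# Hardened behaviour: RFC 5321 forbids bare CR or LF inside a command line,
# so reject the whole command before it reaches the socket.
def validate_line(line)
  raise ArgumentError, "A line must not contain CR or LF" if /[\r\n]/ =~ line
  line
end

def hardened_envelope(from_addr, to_addr)
  ["MAIL FROM:<#{from_addr}>", "RCPT TO:<#{to_addr}>"]
    .map { |line| validate_line(line) + "\r\n" }.join
end

# What a server would see: one command per CRLF-terminated line.
def command_count(wire_bytes)
  wire_bytes.split("\r\n").size
end

# Constructed sample values (hypothetical addresses). TAINTED_TO is a recipient
# string carrying an embedded CRLF, the shape of input the advisory warns about.
SENDER     = "sender@example.com"
SAFE_TO    = "alice@example.com"
TAINTED_TO = "alice@example.com>\r\nRCPT TO:<bob@example.com"

if __FILE__ == $PROGRAM_NAME
  puts "unpatched, safe input:    #{command_count(unpatched_envelope(SENDER, SAFE_TO))} commands"
  puts "unpatched, tainted input: #{command_count(unpatched_envelope(SENDER, TAINTED_TO))} commands"
  begin
    hardened_envelope(SENDER, TAINTED_TO)
  rescue ArgumentError => e
    puts "hardened, tainted input:  rejected (#{e.message})"
  end
end
```

Run against a patched Ruby, the same shape of input makes Net::SMTP raise ArgumentError instead of sending two commands, which is the behaviour the updated /usr/share/ruby/net/smtp.rb is meant to give.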
irb has already been exercised in the PoC testing.

$ sudo gem install nokogiri
Fetching: mini_portile2-2.2.0.gem (100%)
Successfully installed mini_portile2-2.2.0
Fetching: nokogiri-1.8.0.gem (100%)
Building native extensions. This could take a while...
Successfully installed nokogiri-1.8.0
Parsing documentation for mini_portile2-2.2.0
Installing ri documentation for mini_portile2-2.2.0
Parsing documentation for nokogiri-1.8.0
Installing ri documentation for nokogiri-1.8.0
Done installing documentation for mini_portile2, nokogiri after 12 seconds
2 gems installed
$

Ran several homegrown ruby scripts without any problems. These make extensive use of ruby-tk and various gems like mplayer-ruby and interact with the bash shell. One downloads and parses METAR data and displays it.
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
mga5 x86_64

Tried the PoC for CVE-2016-2337:
$ irb
irb(main):001:0> require 'tk'
=> true
irb(main):002:0> t = TclTkIp.new()
=> #<TclTkIp:0x00000001904da8 @force_default_encoding=[false], @encoding=[nil]>
irb(main):003:0> t._cancel_eval(0x11223344)
NotImplementedError: cancel_eval is supported Tcl/Tk8.6 or later.

So that is a no-no. In mga5 we have Tk8.5.
$ wish
% set tk_version
8.5
%

$ rpm -qa | grep tk | egrep -v 'gtk|Gtk|key|atk|rtk'
ruby-tk-2.0.0.p648-1.1.mga5
lib64gmtk1-1.0.9-3.mga5
tk-8.5.15-3.mga5
lib64tk8.5-8.5.15-3.mga5
gmtk-i18n-1.0.9-3.mga5
tkimg-1.4-5.mga5

$ ruby fiddle_poc.rb
Start args array size : 1
increase size of array
New args array size is : 11
*** Error in `ruby': free(): invalid next size (fast): 0x00000000014ba020 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7238e)[0x7f5c390fc38e]
< stack dump >
Aborted

After the updates:

PoC for CVE-2016-2339:
$ ruby fiddle_poc.rb
Start args array size : 1
fiddle_poc.rb:16:in `initialize': can't convert nil into Integer (TypeError)
	from fiddle_poc.rb:16:in `new'
	from fiddle_poc.rb:16:in `<main>'
$

Ran a few tests to check irb, installing gems, ruby-tk and various local ruby scripts. Everything worked fine.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
Advisory from Comment 12. Validating; thanks Len for both release tests.
Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0290.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED