ruby-RubyGems 2.6.13 has been released on August 27, fixing security issues:
http://blog.rubygems.org/2017/08/27/2.6.13-released.html
https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/
http://www.openwall.com/lists/oss-security/2017/08/30/6

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
CVEs have been assigned for the issues fixed:
http://www.openwall.com/lists/oss-security/2017/08/30/7
Summary: ruby-RubyGems new security issues fixed upstream in 2.6.13 => ruby-RubyGems new security issues fixed upstream in 2.6.13 (CVE-2017-0899 and CVE-2017-090[0-2])
CVE-2017-0903, fixed in 2.6.14:
http://openwall.com/lists/oss-security/2017/10/10/2
Summary: ruby-RubyGems new security issues fixed upstream in 2.6.13 (CVE-2017-0899 and CVE-2017-090[0-2]) => ruby-RubyGems new security issues fixed upstream in 2.6.13 (CVE-2017-0899 and CVE-2017-090[0-3])
Summary: ruby-RubyGems new security issues fixed upstream in 2.6.13 (CVE-2017-0899 and CVE-2017-090[0-3]) => ruby-RubyGems new security issues fixed upstream in 2.6.14 (CVE-2017-0899 and CVE-2017-090[0-3])
Several vulnerabilities have been discovered in the interpreter for the Ruby language. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2017-0898
aerodudrizzt reported a buffer underrun vulnerability in the sprintf method of the Kernel module resulting in heap memory corruption or information disclosure from the heap.

CVE-2017-0903
Max Justicz reported that RubyGems is prone to an unsafe object deserialization vulnerability. When parsed by an application which processes gems, a specially crafted YAML formatted gem specification can lead to remote code execution.

CVE-2017-10784
Yusuke Endoh discovered an escape sequence injection vulnerability in the Basic authentication of WEBrick. An attacker can take advantage of this flaw to inject malicious escape sequences to the WEBrick log and potentially execute control characters on the victim's terminal emulator when reading logs.

CVE-2017-14033
asac reported a buffer underrun vulnerability in the OpenSSL extension. A remote attacker can take advantage of this flaw to cause the Ruby interpreter to crash leading to a denial of service.
CC: (none) => zombie_ryushu
Upstream links:
http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
http://blog.rubygems.org/2017/10/09/2.6.14-released.html
Advisory:
========================

Updated ruby-RubyGems packages fix security vulnerabilities:

An ANSI escape sequence vulnerability (CVE-2017-0899).

A DoS vulnerability in the query command (CVE-2017-0900).

A vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files (CVE-2017-0901).

A DNS request hijacking vulnerability (CVE-2017-0902).

An unsafe object deserialization vulnerability that allows an attacker to inject an instance of an object of their choosing in the target system. A clever attacker can inject an object that is able to interact with the system in such a way that will allow the attacker to execute arbitrary code (CVE-2017-0903).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0900
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0901
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0902
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0903
https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/
http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
========================

Updated packages in core/updates_testing:
========================

ruby-RubyGems-2.1.11-5.2.mga5
ruby-RubyGems-2.4.8-7.1.mga6

from SRPMS:
ruby-RubyGems-2.1.11-5.2.mga5.src.rpm
ruby-RubyGems-2.4.8-7.1.mga6.src.rpm

Assignee: pterjan => qa-bugs
CC: (none) => pterjan
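Added example (not code from the Mageia packages or from RubyGems itself) of the defence behind the CVE-2017-0903 fix in the advisory above: gem metadata YAML is parsed with an explicit list of permitted classes, so an object tag for any other class is rejected instead of being instantiated. The permitted list and both YAML documents are constructed for this example; RubyGems 2.6.14 and later keeps its own list in Gem::SafeYAML.

```ruby
require 'yaml'
require 'date'
require 'rubygems'

# Only the classes a gem specification legitimately needs (constructed list
# for this example; RubyGems keeps its own in Gem::SafeYAML).
PERMITTED = [Symbol, Time, Date, Gem::Version, Gem::Requirement,
             Gem::Dependency, Gem::Platform].freeze

# Parse untrusted gem metadata YAML. Any !ruby/object tag naming a class
# outside PERMITTED raises Psych::DisallowedClass before the class is
# resolved, so no arbitrary object is ever allocated. Aliases are refused too.
def load_gem_metadata(yaml)
  YAML.safe_load(yaml, permitted_classes: PERMITTED, aliases: false)
end

# Wrapper for callers that want a verdict rather than an exception:
# [:ok, nil] or [:rejected, message naming the refused class].
def classify_metadata(yaml)
  load_gem_metadata(yaml)
  [:ok, nil]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

# Constructed benign document: the only object tag is a permitted class.
BENIGN = <<~YAML
  ---
  name: example-gem
  version: !ruby/object:Gem::Version
    version: 0.0.1
  summary: harmless
YAML

# Constructed document with an unexpected object tag. The class name is a
# placeholder, not a real class; the check fires on the name alone.
UNEXPECTED = <<~YAML
  ---
  name: example-gem
  version: !ruby/object:Gem::Version
    version: 0.0.1
  summary: !ruby/object:Some::Unexpected::Class
    field: value
YAML

if __FILE__ == $0
  p classify_metadata(BENIGN)      # [:ok, nil]
  p classify_metadata(UNEXPECTED)  # [:rejected, "Tried to load unspecified class: ..."]
end
```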
Testing this on Mageia 5: :: x86_64 There are easy POCs available which shall require a bit of time to prepare and document.
CC: (none) => tarazed25
The update was actually run on bug https://bugs.mageia.org/show_bug.cgi?id=22203 and was given an OK under that bug. That still stands.

Installed another gem:

$ sudo gem install ruby-json
YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0).
Fetching: ruby-json-1.1.2.gem (100%)
Successfully installed ruby-json-1.1.2
Parsing documentation for ruby-json-1.1.2
Installing ri documentation for ruby-json-1.1.2
Done installing documentation for ruby-json after 0 seconds
1 gem installed

$ gem list
YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0).

*** LOCAL GEMS ***

astro_moon (0.2)
eventmachine (1.2.5)
glib2 (2.0.2)
json (1.8.1)
mplayer-ruby (0.2.0)
native-package-installer (1.0.4)
open4 (1.3.4)
pkg-config (1.2.7, 1.1.5)
rdoc (4.0.1)
ruby-json (1.1.2)
webrick (1.3.1)
zip (2.0.2)

$ gem server
YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0).
Server started at http://0.0.0.0:8808
localhost - - [31/Dec/2017:09:53:27 GMT] "GET / HTTP/1.1" 200 8258 - -> /
localhost - - [31/Dec/2017:09:53:27 GMT] "GET /gem-server-rdoc-style.css HTTP/1.1" 200 4313 http://0.0.0.0:8808/ -> /gem-server-rdoc-style.css
localhost - - [31/Dec/2017:09:53:27 GMT] "GET /favicon.ico HTTP/1.1" 404 279 - -> /favicon.ico
localhost - - [31/Dec/2017:09:53:27 GMT] "GET /favicon.ico HTTP/1.1" 404 279 - -> /favicon.ico

Opened a page in firefox at http://0.0.0.0:8808 which shows: RubyGems Documentation Index with an expanded summary of the local gems listed above.

In view of comments on qa-discuss I shall not pursue the POCs examined earlier.

Giving this an OK.
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
Mageia 6 :: x86_64

Updated RubyGems and ran a few tests.

$ sudo gem install rack
Fetching: rack-2.0.3.gem (100%)
Successfully installed rack-2.0.3
Parsing documentation for rack-2.0.3
Installing ri documentation for rack-2.0.3
Done installing documentation for rack after 1 seconds
1 gem installed

$ gem list

*** LOCAL GEMS ***

astro_moon (0.2)
json (1.8.3)
mplayer-ruby (0.2.0)
open4 (1.3.4)
rack (2.0.3)
rdoc (4.2.1)

$ gem -v
2.4.8

Built and installed a gem from a local gemspec. This is actually one of the POCs which successfully reproduced the vulnerability in a Mageia 5 test.

$ gem build escape-sequence-injection-vulnerability.gemspec
WARNING: no description specified
WARNING: See http://guides.rubygems.org/specification-reference/ for help
Successfully built RubyGem
Name: escape-sequence-injection-vulnerability
Version: 0.0.1
File: escape-sequence-injection-vulnerability-0.0.1.gem

$ sudo gem install escape-sequence-injection-vulnerability-0.0.1.gem
Successfully installed escape-sequence-injection-vulnerability-0.0.1
Parsing documentation for escape-sequence-injection-vulnerability-0.0.1
Installing ri documentation for escape-sequence-injection-vulnerability-0.0.1
Done installing documentation for escape-sequence-injection-vulnerability after 0 seconds
1 gem installed

$ gem query escape-sequence-injection-vulnerability -d && sleep 10

*** LOCAL GEMS ***

escape-sequence-injection-vulnerability (0.0.1)
    Author: Yusuke Endoh
    Homepage: http://example.com/
    License: MIT
    Installed at: /usr/share/gems

    foo.[31mbar.[0mbaz .]2;BOOM!.

This did not execute the escape sequence, which shows that the patch for CVE-2017-0899 has worked.

$ gem server

Pointed firefox at http://0.0.0.0:8808 to show the list of local gems.

Good for 64 bits.
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
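Added example (not code from the Mageia packages or from RubyGems itself) of the sanitisation that the CVE-2017-0899 test above exercises: control characters in gem metadata are replaced with "." before the text reaches a terminal or log, which is exactly why the query output reads "foo.[31mbar.[0mbaz .]2;BOOM!." with the ESC and BEL bytes gone. The sample description string, the rendering helper and the detection helper are constructed for this example.

```ruby
# Replace C0 control characters (except tab, newline and carriage return)
# and DEL with "." so an ESC (0x1b) or BEL (0x07) byte can never start or
# terminate a terminal escape sequence in output built from gem metadata.
def clean_text(text)
  text.gsub(/[\000-\b\v-\f\016-\037\177]/, '.')
end

# Detection helper for log review: true when a string still carries an ESC
# or BEL byte, i.e. untrusted text reached the output without cleaning.
def terminal_injection?(text)
  !!(text =~ /[\e\a]/)
end

# Render one entry of a "gem query -d" style listing. Every untrusted field
# (name, version, author, description ...) is cleaned before interpolation,
# so the terminal only ever sees printable text. Constructed helper, not the
# RubyGems formatter.
def render_gem_entry(name, version, fields)
  lines = ["#{clean_text(name)} (#{clean_text(version)})"]
  fields.each do |label, value|
    lines << "    #{label}: #{clean_text(value.to_s)}"
  end
  lines.join("\n")
end

# Constructed description field of the shape used by the test gem above:
# an SGR colour sequence followed by an OSC title-change sequence.
SAMPLE_DESCRIPTION = "foo\e[31mbar\e[0mbaz \e]2;BOOM!\a"

if __FILE__ == $0
  puts render_gem_entry('escape-sequence-injection-vulnerability', '0.0.1',
                        'Author' => 'Example Author',
                        'Description' => SAMPLE_DESCRIPTION)
  # The Description line prints as: foo.[31mbar.[0mbaz .]2;BOOM!.
end
```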
Thank you Len for both release tests. Advisoried. Validating.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0482.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED