Debian has issued an advisory on September 5: https://www.debian.org/security/2017/dsa-3966 More details on the issue here: https://security-tracker.debian.org/tracker/CVE-2017-14064 Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Fedora has issued an advisory for this on September 15: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UFJE2REXNRTPGIHSNPRSAWTVCLFMRJZT/
Fedora has issued an advisory today (October 2): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/65IMHHGWAQTSEIF7HZMQVPVRGFTO7YA3/

It lists three additional CVEs, which may affect us:
CVE-2017-0898
CVE-2017-10784
CVE-2017-14033
For Mageia 6, we need to update to 2.2.8 which fixes them all.
For Mageia 5, I will look at backporting the fixes.
Forgot the reference, https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/

Ruby 2.2.8 has been released. This release includes several security fixes. Please check the topics below for details.

CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick
CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
CVE-2017-14064: Heap exposure vulnerability in generating JSON
Multiple vulnerabilities in RubyGems
Updated bundled libyaml to version 0.1.7
Summary: ruby new security issue CVE-2017-14064 => ruby new security issues CVE-2017-0898, CVE-2017-10784, CVE-2017-14033, CVE-2017-14064
Packages uploaded for Mageia 5:

ruby-2.0.0.p648-1.5.mga5.src.rpm
libruby2.0-2.0.0.p648-1.5.mga5.i586.rpm
ruby-2.0.0.p648-1.5.mga5.i586.rpm
ruby-devel-2.0.0.p648-1.5.mga5.i586.rpm
ruby-tk-2.0.0.p648-1.5.mga5.i586.rpm
lib64ruby2.0-2.0.0.p648-1.5.mga5.x86_64.rpm
ruby-2.0.0.p648-1.5.mga5.x86_64.rpm
ruby-devel-2.0.0.p648-1.5.mga5.x86_64.rpm
ruby-tk-2.0.0.p648-1.5.mga5.x86_64.rpm
ruby-doc-2.0.0.p648-1.5.mga5.noarch.rpm
ruby-irb-2.0.0.p648-1.5.mga5.noarch.rpm

And Mageia 6:

ruby-2.2.8-1.mga6.src.rpm
lib64ruby2.2-2.2.8-1.mga6.x86_64.rpm
libruby2.2-2.2.8-1.mga6.armv5tl.rpm
libruby2.2-2.2.8-1.mga6.armv7hl.rpm
libruby2.2-2.2.8-1.mga6.i586.rpm
ruby-2.2.8-1.mga6.armv5tl.rpm
ruby-2.2.8-1.mga6.armv7hl.rpm
ruby-2.2.8-1.mga6.i586.rpm
ruby-2.2.8-1.mga6.x86_64.rpm
ruby-devel-2.2.8-1.mga6.armv5tl.rpm
ruby-devel-2.2.8-1.mga6.armv7hl.rpm
ruby-devel-2.2.8-1.mga6.i586.rpm
ruby-devel-2.2.8-1.mga6.x86_64.rpm
ruby-doc-2.2.8-1.mga6.noarch.rpm
ruby-irb-2.2.8-1.mga6.noarch.rpm
ruby-tk-2.2.8-1.mga6.armv5tl.rpm
ruby-tk-2.2.8-1.mga6.armv7hl.rpm
ruby-tk-2.2.8-1.mga6.i586.rpm
ruby-tk-2.2.8-1.mga6.x86_64.rpm
Advisory:
========================

Updated ruby packages fix security vulnerabilities:

If a malicious format string which contains a precision specifier (*) is passed and a huge minus value is also passed to the specifier, a buffer underrun may be caused. In such a situation, the result may contain heap, or the Ruby interpreter may crash (CVE-2017-0898).

If a malicious string is passed to the decode method of OpenSSL::ASN1, a buffer underrun may be caused and the Ruby interpreter may crash (CVE-2017-14033).

The generate method of the JSON module optionally accepts an instance of the JSON::Ext::Generator::State class. If a malicious instance is passed, the result may include contents of the heap (CVE-2017-14064).

When using the Basic authentication of WEBrick, clients can pass an arbitrary string as the user name. WEBrick outputs the passed user name intact to its log, so an attacker can inject malicious escape sequences into the log and dangerous control characters may be executed on a victim's terminal emulator (CVE-2017-10784).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0898
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10784
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14033
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14064
https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/
https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/
https://www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/
https://www.ruby-lang.org/en/news/2017/09/14/json-heap-exposure-cve-2017-14064/
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UFJE2REXNRTPGIHSNPRSAWTVCLFMRJZT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/65IMHHGWAQTSEIF7HZMQVPVRGFTO7YA3/
CC: (none) => pterjan
Assignee: pterjan => qa-bugs
Investigating this on mga5 for x86_64 prior to updating.

Browsing the links posted in the advisory, I came across a possible reproducer for the CVE-2017-14064 issue but could not verify it. The advisory does say "may include contents of heap". Code snippet attached, downloaded from https://hackerone.com/reports/209949.

Procedure, assuming ruby has already been installed:

$ sudo urpmi ruby-devel
$ sudo gem install json
$ ruby json1.rb

All that appeared here was {"a":"b"}

To be continued.
CC: (none) => tarazed25
Created attachment 9717 [details] Possible JSON heap exposure test This may or may not demonstrate the vulnerability reported on CVE-2017-14064.
The testcase is correct, but "sudo gem install json" means you are testing the latest (fixed) version of ruby-json that you downloaded and built.

In order to test the package itself the procedure would be:

sudo urpmi ruby-json
ruby json1.rb

(If you want to try that you will need to uninstall the manually installed gem first, I believe sudo gem uninstall json)
Created attachment 9718 [details]
Test for CVE-2017-14033

Output on Mageia 5, showing the incorrect 2 == 4 and 1 == 4:

$ ruby CVE-2017-14033.rb
Expected exception
2 == 4
17 == 17
17 == 17
Expected exception
1 == 4
17 == 17

Output on cauldron showing the expected output with the fix:

$ ruby CVE-2017-14033.rb
Expected exception
2 == 2
17 == 17
17 == 17
Expected exception
1 == 1
17 == 17
Thanks Pascal. Trying this on mga6, pre-update.

$ ruby json1.rb
{"a":���P�6K�l:0A��(6(��(6(���<(��R8�+(�� 0=(��R8(R(���7(���:(6(���:(��hm:A�� � �@!�V����x�2x�2`�7`�7� �o:��1 I70w:�w:PI7 n:��1p�1�SE��1block in dependent_specs @m:a(6(��(6(��(R(���7(��Pw:(6(���:(���(6(�(6(��H-(���7(���w:(7(��(x:�7(���x:(6(���:(���1block (2 levels) in dependent_gems!����`t:0p:!!"b"}

That is more like it. Going back to mga5.
In mga5, uninstalled gem json-2.1.0 and tried again.

$ ruby json1.rb
{"a":[;9� A����#R%�H���I ١��PC�mplicit-!usr/share/ruby/json.rb�-L. -Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro -Wl,-O1 -Wl,--build-id -Wl,--enable-new-dtags -fstack-protector -rdynamic -Wl,-export-dynamic;[;��`,�X&�;��;�;��;�;��;(+�;J�;`,�X&�;(+�;�;��;��;�;��;J�;���1/usr/lib64/ruby/enc/trans/transdb.so1 def new_ostruct_member(name) 01/usr/lib64/ruby/enc/trans/transdb18���� ���q;��q;��q; �q;��q;Ȧq;��q;��q;�`���q;��q;(a�Z�q;��q;^�q;�!@F��� a''O'-`1pi�PT�#�"b"}
Created attachment 9719 [details]
PoC test for CVE-2017-14064

The test does work, before the update.
Repeating Pascal's test in mga6.

$ ruby cve14033.rb
Expected exception (1)
2 == 4
17 == 17
17 == 17
Expected exception (2)
1 == 4
17 == 17

So far so good.
mga6: CVE-2017-0898

The following snippet from https://github.com/mruby/mruby/issues/3722 is supposed to trigger a crash (abort) but upstream the ASAN output implies that a test harness was used, so we should not expect too much.

-------------------------
#!/bin/env ruby
def method_missing( * )
  sprintf( "%c%s", 0, 0 )
  0[]
end
foo
------------------------

The general rule now is that we avoid testing ASAN based PoCs - but, just out of curiosity.

$ ./foo.rb
./foo.rb:4:in `sprintf': stack level too deep (SystemStackError)
        from ./foo.rb:4:in `method_missing'
        from ./foo.rb:4:in `sprintf'
        from ./foo.rb:4:in `method_missing'
        from ./foo.rb:4:in `sprintf'
        from ./foo.rb:4:in `method_missing'
        from ./foo.rb:4:in `sprintf'
        from ./foo.rb:4:in `method_missing'
        from ./foo.rb:4:in `sprintf'
         ... 6656 levels...
        from ./foo.rb:4:in `method_missing'
        from ./foo.rb:4:in `sprintf'
        from ./foo.rb:4:in `method_missing'
        from ./foo.rb:8:in `<main>'
More PoC testing on mga6::x86_64

CVE-2017-0898
https://github.com/mruby/mruby/issues/3498
See attachments.

$ ruby infoleak.rb | hexdump
0000000 0030
0000001

I don't know how the published dump is obtained - it may be from gdb. The upstream comments apply to 32-bit architectures.

$ ruby underflow.rb
111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

This is expected.

-----------------------------------------------------------------------

Onto updates.

- lib64ruby2.2-2.2.8-1.mga6.x86_64
- ruby-2.2.8-1.mga6.x86_64
- ruby-devel-2.2.8-1.mga6.x86_64
- ruby-doc-2.2.8-1.mga6.noarch
- ruby-irb-2.2.8-1.mga6.noarch
- ruby-tk-2.2.8-1.mga6.x86_64

Revisiting POCs.

$ ./foo.rb

This produces the same output as before the update. So, if the issue has been addressed should it have prevented the stack recursion?

The json, infoleak and underflow tests also generated the same outputs as before. Only Pascal's test produced a good result.

$ ruby cve14033.rb
Expected exception
2 == 2
17 == 17
17 == 17
Expected exception
1 == 1
17 == 17
Created attachment 9721 [details]
PoC file for CVE-2017-0898

This test is inconclusive.

$ ruby infoleak.rb
0$
$ ruby infoleak.rb | hexdump
0000000 0030
0000001
Created attachment 9722 [details]
Underflow test for CVE-2017-0898
You are correct, some fixes are missing, sorry. I had only tested the one I attached the test for :(

ruby-json is not built from the ruby package on both Mageia 5 and Mageia 6, so I need to apply the fix there.

I'll check them all tonight.
Status: NEW => ASSIGNED
Assignee: qa-bugs => pterjan
mga6::x86_64

Utility tests after the updates.

Ran several simple homegrown ruby scripts, with an emphasis on tk, which cover image display, creating graph plots on canvas, editing canvas items, displaying and changing fonts, dumping canvas contents to a Postscript file. One is a gui version of Lewis's onecheck script. These probably do not stretch ruby's capabilities very far but they continue to work without problems.

$ urpmq --whatrequires ruby | sort -u | grep -v ruby
flvtool2
geoipgen
haste-client
hub
puppet
puppet-lint
puppet-stdlib
subversion-tools
texlive

Had a look at puppet.

$ puppet master
$ sudo systemctl start puppet
$ systemctl status puppet
● puppet.service - Puppet agent
   Loaded: loaded (/usr/lib/systemd/system/puppet.service; enabled; vendor prese
   Active: failed (Result: exit-code) since Thu 2017-10-12 12:47:22 BST; 4s ago
  Process: 32049 ExecStart=/opt/puppetlabs/puppet/bin/puppet agent $PUPPET_EXTRA
 Main PID: 32049 (code=exited, status=203/EXEC)

This is probably to be expected given that no infrastructure has been set up. Not about to get involved in all that.

hub is a gem which provides a commandline utility for adding "GitHub knowledge to git". Means little to a humble QA tester.

flvtool2 looks more amenable. Used to manipulate Flash Video files. However, I could not get it to work.

geoipgen looks promising but it needs database files, some of which I found, and needs a config file which goes where?

Continuing to look at the options.
Re comment 19. Thanks Pascal. Sorry to give you so much extra work. I can revert the updates by moving to another system.
Created attachment 9724 [details]
Experimental utility for testing ruby

Place this file wherever you wish, then from the same directory

$ ruby servercheck.rb

Click yes for the first query. A window opens with three panes and you will see an error message in red. Right-click on the password window and type in the QA password. This will be stored in the local file qaq. After that select a release from the left window and then an iso from the right. With any luck you should see a list of available files attached to the specific iso.

I would be very interested to know if this works on any other system. If it does it is a reasonable test of basic ruby and ruby-tk.
Although my tests of local utilities show that ruby is working fine, no other tester has these files so I have prepared a fairly primitive script to do something reasonably useful - it is actually a wrapper for the onecheck bash script posted by Lewis.
Created attachment 9725 [details]
Shortcuts for some Tk widgets in ruby.

Place this in the same directory as servercheck.rb.
Created attachment 9726 [details]
servercheck script for testing ruby
Attachment 9724 is obsolete: 0 => 1
Updated ruby-json also uploaded:

ruby-json-1.8.1-3.1.mga5.src.rpm
ruby-json-1.8.3-3.1.mga6.src.rpm

Please verify they are fixing CVE-2017-14064
Assignee: pterjan => qa-bugs
Before the update:

$ ruby json1.rb
{"a":K�� �ap['version'] 0!� �K��A��Ts�L��@���0*`���-����-����-����x�-���?��-������-��p�-�����-��p�-��!q�?4Q Ablock (2 levels) in validate_dependencies� Q A��;R�Z!���`���@�������&���� ��`�������=�����Aƍ���V����"b"}

Updated ruby-json.

$ rpm -qa | grep ruby-json
ruby-json-1.8.3-3.1.mga6
$ ruby json1.rb
{"a":"b"}

That's it fixed.
Whiteboard: MGA5TOO => MGA5TOO MGA6_64_OK
Whiteboard: MGA5TOO MGA6_64_OK => MGA5TOO MGA6-64-OK
Installed and tested using the PoC scripts. PoC output seems OK.

$ uname -a
Linux marte 4.4.92-desktop-1.mga5 #1 SMP Thu Oct 12 20:14:45 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | egrep '^ruby|^lib(64)?ruby' | sort
lib64ruby2.0-2.0.0.p648-1.5.mga5
ruby-2.0.0.p648-1.5.mga5
ruby-irb-2.0.0.p648-1.5.mga5
ruby-json-1.8.1-3.1.mga5
ruby-rdoc-4.0.1-9.mga5
ruby-RubyGems-2.1.11-5.1.mga5
ruby-tk-2.0.0.p648-1.5.mga5
$ wget https://bugs.mageia.org/attachment.cgi?id=9718 -q -O PoC_CVE-2017-14033.rb
$ ruby PoC_CVE-2017-14033.rb
Expected exception
2 == 2
17 == 17
17 == 17
Expected exception
1 == 1
17 == 17
$ wget https://bugs.mageia.org/attachment.cgi?id=9719 -q -O PoC_CVE-2017-14064.rb
$ ruby PoC_CVE-2017-14064.rb
{"a":"b"}
$ wget https://bugs.mageia.org/attachment.cgi?id=9721 -q -O PoC_CVE-2017-0898.rb
$ ruby PoC_CVE-2017-0898.rb
0
$ wget https://bugs.mageia.org/attachment.cgi?id=9722 -q -O PoC_CVE-2017-0898_2.rb
$ ruby PoC_CVE-2017-0898_2.rb
111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
CC: (none) => mageia
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
Thanks PC-LX. Have you tried servercheck?
mga5::x86_64

Before updating ruby-json:

$ ruby json1.rb
{"a":m� A�\V֓un*pN����+ApNp*�: Ж+A�DcA�Dc@�d gem '#APT�Z��5����ory"@1Could not find a valid gem '1) locally or in a repositoryA@+`��+`�)�+�+A�N�N�|+05 +ЖA2���":]� {+�N�a� +��A�N�N {+@� +� +AJSON::CircularDatastructure: +�!ruby/enc/utf_16le.soA�L�]���y+�N�� + +A�N�N�y+� +1�� �S�0AaQ�xqԄ�x+�N�� +� +"b"}

Updated all the ruby packages. Afterwards:

$ ruby json1.rb
{"a":"b"}
$ ruby cve14033.rb
Expected exception
2 == 2
17 == 17
17 == 17
Expected exception
1 == 1
17 == 17
$ ./foo.rb
./foo.rb:3: stack level too deep (SystemStackError)

This is the same as before but the stack recursion messages have gone. The other two tests produced output identical to the before updates tests so cannot be relied on. CVE-2017-{14033,14064}, show that the issues have been fixed.

There is a test for CVE-2017-10784 whose results I have been unable to interpret. See https://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection/ But I also see a remark about it being fixed already so I am uncertain what use it would be.

Local ruby scripts work fine. Downloaded the servercheck attachments and that script worked fine as well. It exercises ruby-tk.

OK for mga5 64 bits.
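Added example (not an attachment from this bug and not Ruby's own code): the advisory above describes CVE-2017-10784 as WEBrick writing the Basic auth user name into its log unescaped, and the comment above mentions a test whose result was hard to read. This standalone Ruby filter shows, on constructed WEBrick-style access-log lines, how to detect a user-name field carrying terminal control characters and how to render such a line safely, which is the same idea the upstream fix applies before logging. The log lines and the helper names are assumptions.

```ruby
# Added example, not from the bug report or from Ruby/WEBrick itself.
# Defender-side check for the CVE-2017-10784 class of problem: log lines
# that contain terminal escape sequences, injected through the Basic auth
# user name that WEBrick used to log verbatim.

# C0 controls (except TAB and LF), DEL and C1 controls: everything a terminal
# may interpret, including ESC-based CSI/OSC sequences and the bare CSI U+009B.
UNSAFE_CHARS = /[\x00-\x08\x0b-\x1f\x7f\u0080-\u009f]/

# True when the line holds characters a terminal emulator would interpret.
def escape_injection?(line)
  line.match?(UNSAFE_CHARS)
end

# Rewrites control characters in a printable form (\e, \x1B-style, \u009B-style)
# so the line can be shown on a terminal without side effects.
def sanitize_log_line(line)
  line.gsub(UNSAFE_CHARS) do |ch|
    if ch == "\e" then '\\e'
    elsif ch.ord < 0x80 then format('\\x%02X', ch.ord)
    else format('\\u%04X', ch.ord)
    end
  end
end

# Constructed sample log lines in WEBrick's default access-log layout; the
# third field is the user name taken from the Authorization header.
# Line 2 carries ESC[2J ESC[H (clear screen), line 3 a bare C1 CSI byte.
SAMPLE_LOG = <<~LOG
  127.0.0.1 - alice [14/Sep/2017:10:00:00 UTC] "GET /secret HTTP/1.1" 200 12
  127.0.0.1 - bob\e[2J\e[H [14/Sep/2017:10:00:01 UTC] "GET /secret HTTP/1.1" 401 0
  127.0.0.1 - ca\u009brol [14/Sep/2017:10:00:02 UTC] "GET /secret HTTP/1.1" 401 0
LOG

# Returns the suspicious lines of a log, newline stripped.
def flagged_lines(log)
  log.lines.map(&:chomp).select { |l| escape_injection?(l) }
end

if __FILE__ == $0
  flagged_lines(SAMPLE_LOG).each { |l| puts sanitize_log_line(l) }
end
```

Run it against a real WEBrick access log by reading the file into flagged_lines; a clean log from a fixed Ruby should flag nothing for user names that were sent with control characters.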
Advisory from comments 5, 6, 26, bug RPMs. Validating after Lens's marathon testing (+ PC_LX's verification) 64-bit both releases.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0371.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED