Fedora has issued an advisory on November 15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OK6EYA4PVGIWEVEFBF2JSYUCEO7HG7FS/

The RedHat bug says the issue was in 2.8.0, but it's not clear if older versions are affected. If so, Mageia 6 is also affected. The issue is fixed in 2.8.2.
Status comment: (none) => Fixed upstream in 2.8.2
Updated in Cauldron by Pascal, currently at 2.10.0.
Version: Cauldron => 6
Reproducer:
ruby -rox -e 'Ox.parse_obj("<k><s></s></k>")'

Trying on a Mageia 6... the package is broken:

$ ruby -rox -e 'Ox.parse_obj("<k><s></s></k>")'
/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:54:in `require': cannot load such file -- ox/ox (LoadError)
from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:54:in `require'
from /usr/share/gems/gems/ox-2.3.0/lib/ox.rb:78:in `<top (required)>'
from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:128:in `require'
from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:128:in `rescue in require'
from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:39:in `require'

After fixing problems with the package, I can reproduce:

ruby -rox -e 'Ox.parse_obj("<k><s></s></k>")'
-e:1: [BUG] Segmentation fault at 0x00000000000008
ruby 2.2.10p489 (2018-03-28 revision 63023) [x86_64-linux]

-- Control frame information -----------------------------------------------
c:0003 p:---- s:0008 e:000007 CFUNC :parse_obj
c:0002 p:0013 s:0004 E:001b50 EVAL -e:1 [FINISH]
c:0001 p:0000 s:0002 E:000bd0 TOP [FINISH]

-- Ruby level backtrace information ----------------------------------------
-e:1:in `<main>'
-e:1:in `parse_obj'

-- Machine register context ------------------------------------------------
RIP: 0x00007f9629456178 RBP: 0x00007ffeafb24ff0 RSP: 0x00007ffeafb24910
RAX: 0x00007ffeafb25008 RBX: 0x00007ffeafb24ff0 RCX: 0x00007ffeafb24ff0
RDX: 0x00007ffeafb24ff0 RDI: 0x0000000000000000 RSI: 0x0000000000000000
R8: 0x0000000000000000 R9: 0x0000000000000064 R10: 0x0000000000000830
R11: 0x00000000006f0ec8 R12: 0x00007ffeafb25008 R13: 0x00000000009ee710
R14: 0x00007ffeafb252a6 R15: 0x00007ffeafb252a4 EFL: 0x0000000000010246

-- C level backtrace information -------------------------------------------
/lib64/libruby.so.2.2 [0x7f962b04eec5]
/lib64/libruby.so.2.2 [0x7f962b04f0fc]
/lib64/libruby.so.2.2 [0x7f962af2baeb]
/lib64/libruby.so.2.2 [0x7f962afe25de]
/lib64/libc.so.6 [0x7f962ab3e8a0]
/usr/lib64/gems/ruby/ox-2.3.0/ox/ox.so [0x7f9629456178]
/usr/lib64/gems/ruby/ox-2.3.0/ox/ox.so [0x7f9629445d09]
/usr/lib64/gems/ruby/ox-2.3.0/ox/ox.so [0x7f96294467df]
/usr/lib64/gems/ruby/ox-2.3.0/ox/ox.so(ox_parse+0x17c) [0x7f9629446e4c]
/usr/lib64/gems/ruby/ox-2.3.0/ox/ox.so [0x7f962944d719]
/lib64/libruby.so.2.2 [0x7f962b0386eb]
/lib64/libruby.so.2.2 [0x7f962b04904e]
/lib64/libruby.so.2.2 [0x7f962b03da6a]
/lib64/libruby.so.2.2 [0x7f962b042c37]
/lib64/libruby.so.2.2(rb_iseq_eval_main+0x7f) [0x7f962b043e3f]
/lib64/libruby.so.2.2 [0x7f962af2ef5d]
/lib64/libruby.so.2.2(ruby_exec_node+0x1d) [0x7f962af30a5d]
/lib64/libruby.so.2.2(ruby_run_node+0x1e) [0x7f962af329ce]
ruby [0x4008ab]
/lib64/libc.so.6(__libc_start_main+0xf0) [0x7f962ab2b600]
ruby [0x4008d9]

-- Other runtime information -----------------------------------------------

* Loaded script: -e

* Loaded features:

0 enumerator.so
1 rational.so
2 complex.so
3 /usr/lib64/ruby/enc/encdb.so
4 /usr/lib64/ruby/enc/trans/transdb.so
5 /usr/share/ruby/unicode_normalize.rb
6 /usr/lib64/ruby/rbconfig.rb
7 thread.rb
8 /usr/lib64/ruby/thread.so
9 /usr/share/rubygems/rubygems/compatibility.rb
10 /usr/share/rubygems/rubygems/defaults.rb
11 /usr/share/rubygems/rubygems/deprecate.rb
12 /usr/share/rubygems/rubygems/errors.rb
13 /usr/share/rubygems/rubygems/version.rb
14 /usr/share/rubygems/rubygems/requirement.rb
15 /usr/share/rubygems/rubygems/platform.rb
16 /usr/share/rubygems/rubygems/basic_specification.rb
17 /usr/share/rubygems/rubygems/stub_specification.rb
18 /usr/share/rubygems/rubygems/util/stringio.rb
19 /usr/share/rubygems/rubygems/specification.rb
20 /usr/share/rubygems/rubygems/exceptions.rb
21 /usr/share/rubygems/rubygems/defaults/operating_system.rb
22 /usr/share/rubygems/rubygems/core_ext/kernel_gem.rb
23 /usr/share/ruby/monitor.rb
24 /usr/share/rubygems/rubygems/core_ext/kernel_require.rb
25 /usr/share/rubygems/rubygems.rb
26 /usr/share/rubygems/rubygems/path_support.rb
27 /usr/share/rubygems/rubygems/dependency.rb
28 /usr/share/gems/gems/ox-2.3.0/lib/ox/version.rb
29 /usr/share/gems/gems/ox-2.3.0/lib/ox/error.rb
30 /usr/share/gems/gems/ox-2.3.0/lib/ox/hasattrs.rb
31 /usr/share/gems/gems/ox-2.3.0/lib/ox/node.rb
32 /usr/share/gems/gems/ox-2.3.0/lib/ox/comment.rb
33 /usr/share/gems/gems/ox-2.3.0/lib/ox/raw.rb
34 /usr/share/gems/gems/ox-2.3.0/lib/ox/instruct.rb
35 /usr/share/gems/gems/ox-2.3.0/lib/ox/cdata.rb
36 /usr/share/gems/gems/ox-2.3.0/lib/ox/doctype.rb
37 /usr/share/gems/gems/ox-2.3.0/lib/ox/element.rb
38 /usr/share/gems/gems/ox-2.3.0/lib/ox/document.rb
39 /usr/share/gems/gems/ox-2.3.0/lib/ox/bag.rb
40 /usr/share/gems/gems/ox-2.3.0/lib/ox/sax.rb
41 /usr/lib64/gems/ruby/bigdecimal-1.2.7/bigdecimal.so
42 /usr/lib64/ruby/date_core.so
43 /usr/share/ruby/date.rb
44 /usr/share/ruby/time.rb
45 /usr/lib64/ruby/stringio.so
46 /usr/lib64/gems/ruby/ox-2.3.0/ox/ox.so
47 /usr/share/gems/gems/ox-2.3.0/lib/ox.rb

[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html

Aborted (core dumped)
Given that the package was totally broken, it is safe to update it to the new version

$ ruby -rox -e 'Ox.parse_obj("<k><s></s></k>")'
-e:1:in `parse_obj': Corrupt parse stack, container is wrong type at line 1, column 11 [obj_load.c:780] (Ox::ParseError)
from -e:1:in `<main>'
ruby-ox-2.8.2-1.mga6 submitted to 6/core/updates_testing

I guess it should not be a security update as the package was not vulnerable given that the module could not be loaded.
(In reply to Pascal Terjan from comment #4)
> I guess it should not be a security update as the package was not vulnerable
> given that the module could not be loaded.

I suppose that depends on what "fixing problems with the package" entails. I don't suppose it really matters, as probably nobody is using it.
Advisory:
========================

Updated ruby-ox packages fix security vulnerability:

In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation fault when a crafted input is supplied to parse_obj (CVE-2017-15928).

Also, the package was broken and has been fixed to function properly.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15928
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OK6EYA4PVGIWEVEFBF2JSYUCEO7HG7FS/
========================

Updated packages in core/updates_testing:
========================
ruby-ox-2.8.2-1.mga6
ruby-ox-doc-2.8.2-1.mga6

from ruby-ox-2.8.2-1.mga6.src.rpm
Assignee: pterjan => qa-bugs
CC: (none) => pterjan
mga6, x86_64

After installing ruby-bigdecimal

$ ruby -rox -e 'Ox.parse_obj("<k><s></s></k>")'
/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:54:in `require': cannot load such file -- ox/ox (LoadError)
from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:54:in `require'
from /usr/share/gems/gems/ox-2.3.0/lib/ox.rb:78:in `<top (required)>'
from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:128:in `require'
from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:128:in `rescue in require'
from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:39:in `require'

After updating the two files:

$ ruby -rox -e 'Ox.parse_obj("<k><s></s></k>")'
-e:1:in `parse_obj': Corrupt parse stack, container is wrong type at line 1, column 11 [obj_load.c:780] (Ox::ParseError)
from -e:1:in `<main>'

Examples of use at https://www.rubydoc.info/gems/ox/2.4.2/Ox

$ cat generic.rb
require 'ox'
doc = Ox::Document.new(:version => '1.0')
top = Ox::Element.new('top')
top[:name] = 'sample'
doc << top
mid = Ox::Element.new('middle')
mid[:name] = 'second'
top << mid
bot = Ox::Element.new('bottom')
bot[:name] = 'third'
mid << bot
xml = Ox.dump(doc)
puts xml
doc2 = Ox.parse(xml)
puts "Same? #{doc == doc2}"

$ ruby generic.rb
<top name="sample">
  <middle name="second">
    <bottom name="third"/>
  </middle>
</top>
Same? false
-----------------------------------------------------------
$ cat sample.rb
require 'ox'
class Sample
  attr_accessor :a, :b, :c
  def initialize(a, b, c)
    @a = a
    @b = b
    @c = c
  end
end
# Create Object
obj = Sample.new(1, "bee", ['x', :y, 7.0])
# Now dump the Object to an XML String.
xml = Ox.dump(obj)
puts xml
# Convert the object back into a Sample Object.
obj2 = Ox.parse_obj(xml)

$ ruby sample.rb
<o c="Sample">
  <i a="@a">1</i>
  <s a="@b">bee</s>
  <a a="@c">
    <s>x</s>
    <m>y</m>
    <f>7</f>
  </a>
</o>

Looks like it is working.
CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
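Added example, not part of the original bug comments: the before/after check performed by hand above, written as a repeatable probe that runs the reproducer in a child interpreter and maps the three outcomes seen in this thread (LoadError, segmentation fault, Ox::ParseError) to a result. The names classify_ox_probe, probe_ox and SAMPLES are hypothetical, and the sample strings are constructed by shortening the outputs quoted in the comments.

```ruby
require 'open3'
require 'rbconfig'

# Reproducer input quoted in this bug report.
REPRODUCER_XML = '<k><s></s></k>'

# Map one run of the reproducer to an outcome. The status flags are passed in
# separately so the logic can be exercised without the ox gem installed.
def classify_ox_probe(stderr, signaled:, success:)
  # The extension never loaded, so parse_obj was never reached.
  return :not_loadable if stderr.include?('cannot load such file')
  # Ruby prints its [BUG] report and then aborts, so the child dies on a signal.
  return :crashed if signaled || stderr.include?('[BUG] Segmentation fault')
  # Fixed builds raise a normal Ruby exception instead of crashing.
  return :rejected if stderr.include?('Ox::ParseError')
  success ? :parsed : :unknown
end

# Run the reproducer in a child interpreter so a crash cannot kill the caller.
def probe_ox(ruby: RbConfig.ruby)
  script = "Ox.parse_obj(#{REPRODUCER_XML.inspect})"
  _out, err, status = Open3.capture3(ruby, '-rox', '-e', script)
  classify_ox_probe(err, signaled: status.signaled?, success: status.success?)
end

# Constructed samples, shortened from the three outputs shown in this thread.
SAMPLES = {
  broken_package: "kernel_require.rb:54:in `require': cannot load such file -- ox/ox (LoadError)",
  vulnerable: "-e:1: [BUG] Segmentation fault at 0x00000000000008",
  fixed: "-e:1:in `parse_obj': Corrupt parse stack, container is wrong type (Ox::ParseError)"
}.freeze

puts "ox probe on this host: #{probe_ox}" if __FILE__ == $PROGRAM_NAME
```

A result of :not_loadable means the test never exercised parse_obj, so it says nothing about whether the installed version crashes.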
Note that the "packaging faults" must have affected the before test because it did not segfault. ruby-bigdecimal had to be installed for a start. Could not find enumerable.so but most of the features mentioned in comment 2 seemed to be there.
I guess the advisory needs to be pushed. Validating this.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0123.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED