Upstream has issued an advisory on December 14:
https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/

The issue was fixed in 2.2.9 and 2.4.3:
https://www.ruby-lang.org/en/news/2017/12/14/ruby-2-2-9-released/
https://www.ruby-lang.org/en/news/2017/12/14/ruby-2-4-3-released/

Mageia 6 is also affected. Mageia 5 may be as well.
Whiteboard: (none) => MGA6TOO
Advisory:
========================

Updated ruby packages fix security vulnerabilities:

Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution (CVE-2017-17405).

The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '|' character (CVE-2017-17790).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17405
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17790
https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/
========================

Updated packages in core/updates_testing:
========================
ruby-2.0.0.p648-1.6.mga5
libruby2.0-2.0.0.p648-1.6.mga5
ruby-doc-2.0.0.p648-1.6.mga5
ruby-devel-2.0.0.p648-1.6.mga5
ruby-tk-2.0.0.p648-1.6.mga5
ruby-irb-2.0.0.p648-1.6.mga5

ruby-2.2.8-1.1.mga6
libruby2.2-2.2.8-1.1.mga6
ruby-doc-2.2.8-1.1.mga6
ruby-devel-2.2.8-1.1.mga6
ruby-tk-2.2.8-1.1.mga6
ruby-power_assert-0.2.2-1.1.mga6
ruby-irb-2.2.8-1.1.mga6
ruby-io-console-0.4.3-1.1.mga6
ruby-test-unit-3.0.8-1.1.mga6

from SRPMS:
ruby-2.0.0.p648-1.6.mga5.src.rpm
ruby-2.2.8-1.1.mga6.src.rpm
CC: (none) => pterjan
Version: Cauldron => 6
Assignee: pterjan => qa-bugs
Whiteboard: MGA6TOO => MGA5TOO
Summary: ruby new security issue CVE-2017-17405 => ruby new security issues CVE-2017-17405 and CVE-2017-17790
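Both CVEs in the advisory share one root cause: Kernel#open treats an argument whose first character is "|" as a command to spawn rather than a file to open, and in Net::FTP that argument defaulted to a basename chosen by the remote server. The Ruby snippet below is an added example, not Mageia's or upstream's code. It shows the approach upstream's fix took (File.open only ever opens a path, so a "|..." name simply fails with ENOENT) alongside a validator that rejects a server-supplied basename before it reaches any open call. The names safe_local_name, open_as_file_only and demo, and the sample remote filename, are constructed for this illustration.

```ruby
require "tmpdir"

# Constructed sample: a remote filename as a hostile FTP server might list it.
# Note it contains no "/", so File.basename leaves the leading "|" in place,
# which is exactly the default localfile Net::FTP#get would have handed to
# Kernel#open before the fix.
HOSTILE_REMOTE_NAME = "|echo injected"

# Defensive check for any code that still derives a local name from remote
# input: accept only a plain basename that Kernel#open could never treat as
# a command. Raises ArgumentError on anything else.
def safe_local_name(remotefile)
  name = File.basename(remotefile)
  if name.start_with?("|")
    raise ArgumentError, "local filename must not start with '|'"
  end
  if name.empty? || name == "." || name == ".."
    raise ArgumentError, "local filename must be a real basename"
  end
  name
end

# File.open (what the upstream fix switched to) interprets its argument
# purely as a path. Returns :opened or :no_such_file, never spawns anything.
def open_as_file_only(name, dir)
  File.open(File.join(dir, name), "rb") { |f| f.read }
  :opened
rescue Errno::ENOENT
  :no_such_file
end

# Runs both checks against a benign file and the hostile name inside a
# throwaway directory and reports the outcomes as a hash.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "report.txt"), "ok")
    {
      hostile_rejected: (safe_local_name(HOSTILE_REMOTE_NAME) rescue :rejected),
      benign_accepted: safe_local_name("/pub/report.txt"),
      file_open_is_inert: open_as_file_only(HOSTILE_REMOTE_NAME, dir),
      file_open_normal: open_as_file_only("report.txt", dir),
    }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The same reasoning applies to the Resolv::Hosts case: the hosts-file path passed to Resolv::Hosts.new went through Kernel#open, so a "|"-prefixed path would have been spawned; opening it with File.open (or rejecting it up front as above) removes that interpretation entirely.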
MGA5-32 on Dell Latitude D600

No installation issues

Ref to https://www.thegeekstuff.com/2009/10/ruby-hello-world-example-how-to-write-and-execute-ruby-program-on-unix-os/ for a simple example.

$ ruby rubyexample.rb
Hello World!

Result as expected.
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene
Mageia 5 :: x86_64

Updated the packages.

Used irb to execute calculator type commands and imported an executable script.

$ irb
irb(main):001:0> require Dir.home+"/ruby/scripts/testing"
In 20 years £490.67 becomes £2031.65 at 7% interest.
=> true
irb(main):002:0> exit

Ran several local ruby-tk gui scripts successfully, most of them quite complex. One was a non-interactive desktop applet for downloading weather information and displaying an extract periodically. Continues to work.

Installed a gem.

$ sudo gem install eventmachine
YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0).
Fetching: eventmachine-1.2.5.gem (100%)
Building native extensions. This could take a while...
Successfully installed eventmachine-1.2.5
Parsing documentation for eventmachine-1.2.5
Installing ri documentation for eventmachine-1.2.5
Done installing documentation for eventmachine after 3 seconds
1 gem installed

This update is OK.
CC: (none) => tarazed25
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA6-64-OK MGA6-32-OK
Apologies for the finger trouble - not quite awake yet.
Whiteboard: MGA5TOO MGA6-64-OK MGA6-32-OK => MGA5TOO MGA5-32-OK MGA5-64-OK
Mageia 6 :: x86_64

Updated the packages - RubyGems already updated and tested.

Simple script = testing.rb:

#!/bin/env ruby
# coding: utf-8
# Compound-interest demo: rate is applied once up front and then once per year.
rate = 1.05
principal = 599.0
years = 15
# Converts a multiplier such as 1.05 into a whole-number percentage (5).
ar = Proc.new { |rate| (100*rate - 100.0).floor }
interest = rate
1.upto( years ) { |n| interest *= rate }
value = sprintf( "%7.2f", (principal * interest) )
puts "In #{years} years £#{principal} becomes £#{value} at #{ar.call rate}% interest."

$ irb
irb(main):001:0> require Dir.home+"/ruby/scripts/testing"
In 15 years £599.0 becomes £1307.54 at 5% interest.
=> true
irb(main):002:0> exit

Ran several local scripts which make extensive use of ruby-tk and gems like mplayer-ruby to generate interactive and passive guis and display images and run a movie jukebox and a label printer for instance.

This is good to go.
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OK
Rider to comment 5. The testing script was based on one which accepts arguments. Both run perfectly well from the commandline. The test here was to show that irb is functional. The code could just as well have been input via the irb prompt, line by line.
Great work, Len. Advisoried, validating 3/4 OKs.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0486.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED