Fedora has issued an advisory on March 2: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DL3WGQQLKJ73OT36WELFBEKK53MVADZ7/ The upstream advisories are here: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ http://blog.rubygems.org/2018/02/15/2.7.6-released.html The issues are fixed upstream in 2.7.6. Mageia 5 and Mageia 6 are also affected.
Severity: normal => major
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 2.7.6
Ubuntu has issued an advisory for this today (April 5): https://usn.ubuntu.com/3621-1/
Packages submitted for Mageia 6 (ruby-RubyGems-2.4.8-7.2.mga7.src.rpm, ruby-RubyGems-2.4.8-7.2.mga7.noarch.rpm)
I adapted the patch for Mageia 5 but failed to create a build chroot :(

starting installing packages
created transaction for installing on /home/pterjan/chroot_5.x86_64.tmp._yoQSV (remove=0, install=0, upgrade=50)
Installation failed: rpmlib(X-CheckUnifiedSystemdir) is needed by filesystem-2.1.9-25.mga5.x86_64
ruby-RubyGems-2.4.8-7.2.mga6 uploaded for Mageia 6. That rpmlib error dates from the UsrMove. Whatever is creating your chroot isn't doing it right. It doesn't appear that this has been fixed in Cauldron yet either.
Created attachment 10419 [details]
Simple test script

$ ruby weekday.rb 2018-10-22
$ ruby weekday.rb 2022 3 17

And so on.
CC: (none) => tarazed25
Created attachment 10420 [details]
VLC TV channels playlist in XML format.
Created attachment 10421 [details]
Ruby script for displaying XML tree data.

$ chmod +x xmlviewer
$ ./xmlviewer channels.xspf

This is the only data the script has been tested against so it may well fail against others.
Mageia 6, x86_64

Ruby already installed. Updated because there are no reproducers posted.

$ ruby --version
ruby 2.2.10p489 (2018-03-28 revision 63023) [x86_64-linux]

Ran a few tests to confirm that it is still working.

$ gem list
*** LOCAL GEMS ***
activesupport (1.4.4)
astro_moon (0.2)
core_ex (0.6.6.3)
highline (2.0.0)
hitimes (1.3.0)
json (1.8.3)
mini_magick (4.8.0)
mplayer-ruby (0.2.0)
open4 (1.3.4)
rdoc (4.2.1)
ruby_ex (0.5.6.2)
timers (4.1.2)

$ sudo gem install webrick
Fetching: webrick-1.4.2.gem (100%)
ERROR: Error installing webrick:
webrick requires Ruby version >= 2.3.0.

$ sudo gem install rake
Fetching: rake-12.3.1.gem (100%)
Successfully installed rake-12.3.1
Parsing documentation for rake-12.3.1
Installing ri documentation for rake-12.3.1
Done installing documentation for rake after 0 seconds
1 gem installed

Attached a basic script to return day of week for given date. Accuracy not guaranteed but it runs.

Something simple for irb:

$ irb
irb(main):001:0> Pi = Math::PI
=> 3.141592653589793
irb(main):002:0>
irb(main):003:0* def circle ( r )
irb(main):004:1> yield r
irb(main):005:1> end
=> :circle
irb(main):006:0>
irb(main):007:0* circle( 4 ) { |r| puts "Volume = #{(4.0 * Pi * r**3 / 3.0)}" }
Volume = 268.082573106329
=> nil
irb(main):008:0> circle( 5 ) { |r| puts "Area = #{(Pi * r * r)}" }
Area = 78.53981633974483
=> nil
irb(main):009:0> exit

Install a gem with several dependencies:

$ sudo gem install gtk2
Fetching: native-package-installer-1.0.6.gem (100%)
Successfully installed native-package-installer-1.0.6
Fetching: pkg-config-1.3.1.gem (100%)
Successfully installed pkg-config-1.3.1
Fetching: glib2-3.2.9.gem (100%)
Building native extensions. This could take a while...
Successfully installed glib2-3.2.9
Fetching: gobject-introspection-3.2.9.gem (100%)
Building native extensions. This could take a while...
Successfully installed gobject-introspection-3.2.9
Fetching: gio2-3.2.9.gem (100%)
Building native extensions. This could take a while...
Successfully installed gio2-3.2.9
Fetching: gdk_pixbuf2-3.2.9.gem (100%)
Building native extensions. This could take a while...
Successfully installed gdk_pixbuf2-3.2.9
Fetching: cairo-1.15.14.gem (100%)
Building native extensions. This could take a while...
Successfully installed cairo-1.15.14
Fetching: cairo-gobject-3.2.9.gem (100%)
Building native extensions. This could take a while...
Successfully installed cairo-gobject-3.2.9
Fetching: pango-3.2.9.gem (100%)
Building native extensions. This could take a while...
Successfully installed pango-3.2.9
Fetching: atk-3.2.9.gem (100%)
Building native extensions. This could take a while...
Successfully installed atk-3.2.9
Fetching: gtk2-3.2.9.gem (100%)
Building native extensions. This could take a while...
Successfully installed gtk2-3.2.9
Parsing documentation for native-package-installer-1.0.6
Installing ri documentation for native-package-installer-1.0.6
Parsing documentation for pkg-config-1.3.1
Installing ri documentation for pkg-config-1.3.1
Parsing documentation for glib2-3.2.9
Installing ri documentation for glib2-3.2.9
Parsing documentation for gobject-introspection-3.2.9
Installing ri documentation for gobject-introspection-3.2.9
Parsing documentation for gio2-3.2.9
Installing ri documentation for gio2-3.2.9
Parsing documentation for gdk_pixbuf2-3.2.9
Installing ri documentation for gdk_pixbuf2-3.2.9
Parsing documentation for cairo-1.15.14
Installing ri documentation for cairo-1.15.14
Parsing documentation for cairo-gobject-3.2.9
Installing ri documentation for cairo-gobject-3.2.9
Parsing documentation for pango-3.2.9
Installing ri documentation for pango-3.2.9
Parsing documentation for atk-3.2.9
Installing ri documentation for atk-3.2.9
Parsing documentation for gtk2-3.2.9
Installing ri documentation for gtk2-3.2.9
Done installing documentation for native-package-installer, pkg-config, glib2, gobject-introspection, gio2, gdk_pixbuf2, cairo, cairo-gobject, pango, atk, gtk2 after 4 seconds
11 gems installed
The attached xmlviewer file can be run against the attached TV channels playlist and generates a gui which can display the nested XML data. It works for me. This is a low-level shot at testing ruby and rubygems but should be sufficient for an OK. Haven't touched rdoc.
Whiteboard: MGA6TOO => MGA6-64-OK
No update has been built yet.
Whiteboard: MGA6-64-OK => (none)
Upstream has issued an advisory on March 5: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/ http://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html The issues are fixed upstream in 2.7.6.2.
Summary: ruby-RubyGems new security issues CVE-2018-100007[3-9] => ruby-RubyGems new security issues CVE-2018-100007[3-9] and CVE-2019-832[0-5]
Whiteboard: (none) => MGA6TOO
Status comment: Fixed upstream in 2.7.6 => Fixed upstream in 2.7.6.2
Debian has issued an advisory for this on April 16: https://www.debian.org/security/2019/dsa-4433
(In reply to David Walser from comment #11) > Debian has issued an advisory for this on April 16: > https://www.debian.org/security/2019/dsa-4433 Ubuntu has issued an advisory for this on April 11: https://usn.ubuntu.com/3945-1/
(In reply to David Walser from comment #9) > No update has been built yet. Packages had been uploaded in April last year, I guess they were deleted later https://ml.mageia.org/l/arc/changelog/2018-04/msg00305.html
Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO
I see r1217497 made it into Mageia 7, fixing the issues fixed in 2.7.6 (CVE-2018-100007[3-9]), but the 2.7.6.2 fixes (CVE-2019-832[0-5]) haven't been addressed yet.
Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO
from: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/

The following vulnerabilities have been reported.

CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequence injection vulnerability in API response handling
CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
CVE-2019-8325: Escape sequence injection vulnerability in errors

as seen in https://security-tracker.debian.org/tracker/CVE-2019-8322.

from: ruby-RubyGems-2.6.14-3.1.mga7
CC: (none) => mageia
Assignee: pterjan => qa-bugs
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
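The six issues listed in the comment above fall into two classes: terminal escape sequence injection through attacker-controlled gem text (CVE-2019-8321, -8322, -8323, -8325) and symlink abuse while unpacking a gem's tar (CVE-2019-8320). The block below is an added illustration of both, written for this page; it is not the RubyGems code and not the upstream patch. The control-byte stripping follows the general idea of replacing non-printable bytes with a visible placeholder, and the symlink check is a generic extraction guard; the function names, the `MALICIOUS_SUMMARY` string and the crafted archive layout in `demo_symlink_attack` are all constructed for the example.

```ruby
require "fileutils"
require "tmpdir"

# ---------------------------------------------------------------------------
# Class 1: escape sequence injection. Gem summaries, owner e-mail addresses
# and server error bodies are attacker-controlled text that `gem` prints to a
# terminal. Control bytes in that text are interpreted by the terminal (clear
# screen, home cursor, overwrite the current line), so a crafted gem can forge
# what the user sees.
# ---------------------------------------------------------------------------

# Constructed malicious summary: clears the screen, homes the cursor, then a
# carriage return overwrites the current line with a fake success message.
MALICIOUS_SUMMARY = "harmless gem\e[2J\e[H\rSuccessfully installed trusted-gem"

# Every control byte except tab (0x09) and newline (0x0a) becomes "." so the
# payload is visible and inert. (Assumption: a generic sanitizer, not the
# upstream one.)
CONTROL_BYTES = /[\x00-\x08\x0b-\x1f\x7f]/

def clean_text(text)
  text.gsub(CONTROL_BYTES, ".")
end

def naive_summary_line(summary)
  "summary: #{summary}"             # escape bytes go straight to the tty
end

def safe_summary_line(summary)
  "summary: #{clean_text(summary)}" # the terminal only sees printable text
end

# ---------------------------------------------------------------------------
# Class 2: symlink abuse during extraction. A crafted archive ships a symlink
# entry pointing outside the install directory, followed by entries whose
# paths go through that link. An extractor that writes to, or removes, what
# already sits at the destination path acts on the link target instead.
# ---------------------------------------------------------------------------
class UnsafeEntry < StandardError; end

# True only if the entry resolves inside install_dir and neither the target
# nor any ancestor below install_dir is a symlink.
def safe_destination?(install_dir, entry_name)
  root = File.realpath(install_dir)
  dest = File.expand_path(entry_name, root)
  return false unless dest == root || dest.start_with?(root + File::SEPARATOR)

  path = dest
  while path != root
    return false if File.symlink?(path)   # false for paths that do not exist
    path = File.dirname(path)
  end
  true
end

def extract_entry(install_dir, entry_name, content)
  raise UnsafeEntry, entry_name unless safe_destination?(install_dir, entry_name)
  dest = File.expand_path(entry_name, File.realpath(install_dir))
  FileUtils.mkdir_p(File.dirname(dest))
  File.write(dest, content)
  dest
end

# Constructed scenario: "victim/secret" must survive unpacking an archive that
# first drops a symlink lib -> victim and then a regular file lib/secret.
def demo_symlink_attack
  Dir.mktmpdir do |tmp|
    victim  = File.join(tmp, "victim")
    install = File.join(tmp, "gem_install")
    FileUtils.mkdir_p(victim)
    FileUtils.mkdir_p(install)
    File.write(File.join(victim, "secret"), "keep me")

    File.symlink(victim, File.join(install, "lib"))   # entry 1 of the archive

    attack = begin                                     # entry 2 of the archive
      extract_entry(install, "lib/secret", "overwritten")
      :written
    rescue UnsafeEntry
      :refused
    end

    legit = File.read(extract_entry(install, "bin/tool", "#!/usr/bin/ruby"))

    { attack: attack,
      victim_secret: File.read(File.join(victim, "secret")),
      legit: legit }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts naive_summary_line(MALICIOUS_SUMMARY).inspect
  puts safe_summary_line(MALICIOUS_SUMMARY)
  p demo_symlink_attack
end
```

The symlink guard is a check-then-act sequence, so it is only sound while nothing else can modify the install directory between the check and the write; a real installer should create the install directory itself with restrictive permissions, or open files with `O_NOFOLLOW`, rather than rely on the check alone.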
For documentation purposes, rubygems 3.1.2 is bundled in the ruby SRPM in Cauldron. References should have both URLs (second one actually has more info): https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/ http://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
Status comment: Fixed upstream in 2.7.6.2 => (none)
Whiteboard: (none) => MGA7-64-OK
Oops! How do we get rid of those email links?
Marked your comment private, but it will live on in the mailing list archives.
Thanks David. Must stop playing with live grenades :-/
Better version of comment 17.

mga7, x86_64

Not sure what to do with this so straight to updates. A few simple tests after updating:

$ gem list
*** LOCAL GEMS ***
apl (0.0.1)
astro_moon (0.2)
childprocess (1.0.1)
concurrent-ruby (1.1.4)
....

$ gem owner astro_moon
Enter your RubyGems.org credentials.
Don't have an account yet? Create one at https://rubygems.org/sign_up
Email: <personal>
Password:
Signed in.
Owners for gem: astro_moon
- <number one>

$ gem owner eventmachine
Owners for gem: eventmachine
- <10 email addresses>

$ sudo gem install babelfish
Fetching: hpricot-0.8.6.gem (100%)
Building native extensions. This could take a while...
Successfully installed hpricot-0.8.6
Fetching: trollop-1.16.2.gem (100%)
Successfully installed trollop-1.16.2
Fetching: babelfish-0.0.1.gem (100%)
Successfully installed babelfish-0.0.1
Parsing documentation for hpricot-0.8.6
Installing ri documentation for hpricot-0.8.6
Parsing documentation for trollop-1.16.2
Installing ri documentation for trollop-1.16.2
Parsing documentation for babelfish-0.0.1
Installing ri documentation for babelfish-0.0.1
Done installing documentation for hpricot, trollop, babelfish after 0 seconds
3 gems installed

$ gem specification astro_moon | grep summary
summary: A library for calculating the lunar phases and dates

$ gem specification babelfish | grep summary
summary: Ruby interface to Yahoo! BabelFish translation service.

$ which babelfish
/usr/local/bin/babelfish

$ sudo gem uninstall babelfish
Remove executables: babelfish in addition to the gem? [Yn]
Removing babelfish
Successfully uninstalled babelfish-0.0.1

$ gem list trollop
*** LOCAL GEMS ***
trollop (1.16.2)

$ gem specification trollop | grep summary
summary: Trollop is a commandline option parser for Ruby that just gets out of your (way)

OK with these minimal tests.
Validating. Trying very hard to avoid an off-color comment about fooling around with trollops. Advisory information in Comment 15 and Comment 16, I think.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0243.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED