Upstream has issued advisories on March 28:
https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/
https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/
https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/

The issues are fixed upstream in 2.2.10 and 2.5.1:
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released/
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released/

Note that 2.2.10 is the last 2.2.x release and it is no longer supported, and Mageia 6 should be upgraded to a newer branch (Bug 17463). Mageia 5 is likely affected by these issues as well.
Whiteboard: (none) => MGA6TOO
Fedora has issued an advisory for this today (April 15): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/U7PH74637SGW2VEGQPEGZCFQACYZPORS/
Ubuntu has issued an advisory for some of these issues on April 16: https://usn.ubuntu.com/3626-1/
ruby-2.5.1-17.mga7 is in Cauldron now, so these should be fixed there.
Status comment: (none) => Fixed upstream in 2.2.10
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Upstream has issued advisories on October 17:
https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/
https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/

The issues are fixed upstream in 2.3.8, 2.4.5, and 2.5.3.
Summary: ruby new security issues CVE-2017-17742, CVE-2018-6914, CVE-2018-877[7-9], CVE-2018-8780 => ruby new security issues CVE-2017-17742, CVE-2018-6914, CVE-2018-877[7-9], CVE-2018-8780, CVE-2018-1639[56]
Status comment: Fixed upstream in 2.2.10 => (none)
Version: 6 => Cauldron
Source RPM: ruby-2.5.0-16.mga7.src.rpm => ruby-2.5.1-19.mga7.src.rpm
Whiteboard: (none) => MGA6TOO
I submitted ruby-2.5.3 to cauldron. I also submitted a package for 6 with fixes for CVE-2018-16395 and CVE-2018-16396, mostly to verify it builds/tests pass. I'm working on updating it with the other fixes.
2.2.10 + CVE-2018-16395 and CVE-2018-16396 submitted to 6/core/updates_testing
Pascal, please also see Bug 22696 for other remaining issues.

Advisory:
========================

Updated ruby packages fix security vulnerabilities:

Ruby before 2.2.10 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick (CVE-2017-17742).

Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10 might allow attackers to create arbitrary directories or files via a .. (dot dot) in the prefix argument (CVE-2018-6914).

In Ruby before 2.2.10, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption) (CVE-2018-8777).

In Ruby before 2.2.10, an attacker controlling the unpacking format (similar to format string vulnerabilities) can trigger a buffer under-read in the String#unpack method, resulting in a massive and controlled information disclosure (CVE-2018-8778).

In Ruby before 2.2.10, the UNIXServer.open and UNIXSocket.open methods are not checked for null characters. It may be connected to an unintended socket (CVE-2018-8779).

In Ruby before 2.2.10, the Dir.open, Dir.new, Dir.entries and Dir.empty? methods do not check NULL characters. When using the corresponding method, unintentional directory traversal may be performed (CVE-2018-8780).

Due to a bug in the equality check of OpenSSL::X509::Name, if a malicious X.509 certificate is passed to compare with an existing certificate, there is a possibility to be judged incorrectly that they are equal (CVE-2018-16395).

In Array#pack and String#unpack with some formats, the tainted flags of the original data are not propagated to the returned string/array (CVE-2018-16396).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17742
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6914
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8778
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8779
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16395
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16396
https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/
https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/
https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/
https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/
https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released/
========================

Updated packages in core/updates_testing:
========================
ruby-2.2.10-16.1.mga6
libruby2.2-2.2.10-16.1.mga6
ruby-doc-2.2.10-16.1.mga6
ruby-devel-2.2.10-16.1.mga6
ruby-tk-2.2.10-16.1.mga6
ruby-power_assert-0.2.2-16.1.mga6
ruby-irb-2.2.10-16.1.mga6
ruby-io-console-0.4.3-16.1.mga6
ruby-test-unit-3.0.8-16.1.mga6

from ruby-2.2.10-16.1.mga6.src.rpm
Assignee: pterjan => qa-bugs
CC: (none) => pterjan
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Following this up tomorrow.

$ ruby --version
ruby 2.2.8p477 (2017-09-14 revision 59906) [x86_64-linux]

It looks like many of the issues appeared in older versions of ruby and have probably been fixed for later versions. Be that as it may, I have not been able to find any reproducers, so on to the updates.
CC: (none) => tarazed25
Before update:

Checked a CVE to see if the issue could be reproduced.

CVE-2018-8778
https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/

Not overly familiar with pack and unpack options but tried this:

$ irb
irb(main):001:0> test = "abc\8\0__xyz 224"
=> "abc8\u0000__xyz 224"
irb(main):002:0> b = test.unpack( 'A4Z4' )
=> ["abc8", ""]
irb(main):003:0> c = test.unpack( '@6A6' )
=> ["_xyz 2"]
irb(main):004:0> d = test.unpack( 'A2@8000' )
ArgumentError: @ outside of string
        from (irb):4:in `unpack'
        from (irb):4
        from /bin/irb:11:in `<main>'

Which would suggest that the issue has been addressed (but this may not be the correct way to test it).

CVE-2018-8780
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/

$ irb
irb(main):001:0> target = "/home\0/lcl/ruby"
=> "/home\u0000/lcl/ruby"
irb(main):002:0> files = Dir.entries( target )
=> ["live", ".", "lcl", "zack", "share", "frodo", "suzy", "lost+found", "..", "junk"]
irb(main):003:0> exit

This vulnerability has not been fixed. Nor has this one, I think.

CVE-2018-6914
https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/

irb(main):007:0> require "tempfile"
=> true
irb(main):008:0> Dir.mktmpdir( "../data/" )
=> "/tmp/../data/20181023-426-1vy8ag4"
irb(main):009:0> Dir.chdir( "/data" )
=> 0
irb(main):010:0> Dir.entries '.'
=> ["trimmers.tar", "qa.tar", "Sirius", "difda_qa.tar", "machines", "images", "isos", "ruby", "bin.tar", "eb.tar", "ss", "20181023-426-1vy8ag4", "video", [...] ".", "rubydata", "clone"]

=============================================================================

Updated the packages.
$ ruby --version
ruby 2.2.10p489 (2018-03-28 revision 63023) [x86_64-linux]

Checked the CVEs looked at earlier:

CVE-2018-8778

$ irb
irb(main):001:0> test = "abc\8\0__xyz 224"
=> "abc8\u0000__xyz 224"
irb(main):002:0> b = test.unpack( 'A4Z4' )
=> ["abc8", ""]
irb(main):003:0> c = test.unpack( '@6A6' )
=> ["_xyz 2"]
irb(main):004:0> d = test.unpack( 'A2@8000' )
ArgumentError: @ outside of string
        from (irb):4:in `unpack'
        from (irb):4
        from /bin/irb:11:in `<main>'

As before.

CVE-2018-8780

irb(main):005:0> target = "/home\0/lcl/ruby"
=> "/home\u0000/lcl/ruby"
irb(main):006:0> files = Dir.entries( target )
ArgumentError: string contains null byte
        from (irb):6:in `open'
        from (irb):6:in `entries'
        from (irb):6
        from /bin/irb:11:in `<main>'

This is good.

CVE-2018-6914

irb(main):007:0> require "tempfile"
=> true
irb(main):008:0> Dir.mktmpdir( "../data/" )
=> "/tmp/..data20181023-10374-cjrr2g"

That is an acceptable result. Based on this small sample we can probably conclude that the fixes have taken.

Tried out about a dozen of my home-made ruby scripts, all using a Tk gui, and they worked fine. irb has already been tested. gem functions are working but a gtk2 installation failed - rake missing (ruby equivalent of make).

$ gem list

*** LOCAL GEMS ***

astro_moon (0.2)
json (1.8.3)
power_assert (0.2.2)
rdoc (4.2.1)
test-unit (3.0.8)

$ gem install rake
Fetching: rake-12.3.1.gem (100%)
Successfully installed rake-12.3.1
Parsing documentation for rake-12.3.1
Installing ri documentation for rake-12.3.1
Done installing documentation for rake after 0 seconds
1 gem installed

rake still not found.

$ sudo urpmi ruby-rake
installing ruby-rake-10.4.2-10.mga6.noarch.rpm from /var/cache/urpmi/rpms
Preparing...                     #############################################
      1/1: ruby-rake             #############################################

The full installation, stitched together:

$ sudo gem install gtk2
Fetching: native-package-installer-1.0.6.gem (100%)
Successfully installed native-package-installer-1.0.6
Fetching: pkg-config-1.3.1.gem (100%)
Successfully installed pkg-config-1.3.1
Fetching: glib2-3.2.9.gem (100%)
Building native extensions. This could take a while...
Successfully installed glib2-3.2.9
Fetching: gobject-introspection-3.2.9.gem (100%)
Building native extensions. This could take a while...
Successfully installed gobject-introspection-3.2.9
Fetching: gio2-3.2.9.gem (100%)
Building native extensions. This could take a while...
Successfully installed gio2-3.2.9
Fetching: gdk_pixbuf2-3.2.9.gem (100%)
Building native extensions. This could take a while...
Successfully installed gdk_pixbuf2-3.2.9
Fetching: cairo-1.15.14.gem (100%)
Building native extensions. This could take a while...
Successfully installed cairo-1.15.14
Fetching: cairo-gobject-3.2.9.gem (100%)
Building native extensions. This could take a while...
Successfully installed cairo-gobject-3.2.9
Fetching: pango-3.2.9.gem (100%)
Building native extensions. This could take a while...
Successfully installed pango-3.2.9
Fetching: atk-3.2.9.gem (100%)
Building native extensions. This could take a while...
Successfully installed atk-3.2.9
Fetching: gtk2-3.2.9.gem (100%)
Building native extensions. This could take a while...
Successfully installed gtk2-3.2.9
Parsing documentation for gdk_pixbuf2-3.2.9
Installing ri documentation for gdk_pixbuf2-3.2.9
Parsing documentation for cairo-1.15.14
Installing ri documentation for cairo-1.15.14
Parsing documentation for cairo-gobject-3.2.9
Installing ri documentation for cairo-gobject-3.2.9
Parsing documentation for pango-3.2.9
Installing ri documentation for pango-3.2.9
Parsing documentation for atk-3.2.9
Installing ri documentation for atk-3.2.9
Parsing documentation for gtk2-3.2.9
Installing ri documentation for gtk2-3.2.9
Done installing documentation for gdk_pixbuf2, cairo, cairo-gobject, pango, atk, gtk2 after 3 seconds
6 gems installed

$ gem list

*** LOCAL GEMS ***

astro_moon (0.2)
atk (3.2.9)
cairo (1.15.14)
cairo-gobject (3.2.9)
gdk_pixbuf2 (3.2.9)
gio2 (3.2.9)
glib2 (3.2.9)
gobject-introspection (3.2.9)
gtk2 (3.2.9)
json (1.8.3)
native-package-installer (1.0.6)
pango (3.2.9)
pkg-config (1.3.1)
power_assert (0.2.2)
rake (12.3.1, 10.4.2)
rdoc (4.2.1)
test-unit (3.0.8)

Remembering earlier remarks about bundling on another bug, I removed the rake gem.

$ sudo gem uninstall rake
Remove executables:
        rake
in addition to the gem? [Yn]  n
Executables and scripts will remain installed.
Successfully uninstalled rake-10.4.2

It is possible that other gems just installed have bundled versions. Need to investigate. Anyway, I am satisfied that ruby is working OK.
Whiteboard: (none) => MGA6-64-OK
Re comment #8. Yep, ruby has gtk2, gdk_pixbuf2, cairo, pango, atk .... So the gems go out.
Re comment #9, first PoC - testing unpack. On another machine with the pre-update version of ruby

$ ruby --version
ruby 2.2.8p477 (2017-09-14 revision 59906) [x86_64-linux]

used a large integer to try and force a negative offset and found that the vulnerability had already been addressed at the earlier version.

$ irb
irb(main):001:0> test = "abcd8\0__xyz 224"
=> "abcd8\u0000__xyz 224"
irb(main):002:0> test.unpack( "A2@184467440798765432101" )
RangeError: pack length too big
        from (irb):2:in `unpack'
        from (irb):2
        from /bin/irb:11:in `<main>'

Tried several very large numbers and the result was always the same, which reinforces the earlier conclusion.
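The manual irb checks in the post-update comment and the unpack follow-up above can be run as one script on the updated host, so each fix is confirmed in a single pass. This is an added example, not code from the bug report or from Ruby upstream; the check_* helper names are ours, the inputs are constructed, and the '@' count is a 64-bit value so that a pre-fix parser would treat it as negative rather than reject it as an overflow, as the upstream advisory describes.

```ruby
# Post-update regression checks for four of the ruby 2.2.10 CVEs: each check
# returns true for the fixed behaviour, false for the pre-fix behaviour.
# Added example; the check_* helper names are ours, not from the bug report.
require "tmpdir"
require "socket"

# CVE-2018-8778: a '@' count that fits in 64 bits but wraps negative as a long
# must be refused (RangeError), never used as an offset before the string.
def check_unpack_offset(format = "A2@18446744073709551615")
  "abcd8\0__xyz 224".unpack(format)   # constructed input, as in comment #9
  false                               # data came back: offset was not rejected
rescue RangeError, ArgumentError
  true
end

# CVE-2018-8780: a NUL byte inside a directory name must raise ArgumentError
# instead of silently truncating the path at the NUL.
def check_dir_nul_byte(path = "#{Dir.tmpdir}\0/ignored")
  Dir.entries(path)
  false
rescue ArgumentError
  true
end

# CVE-2018-8779: the same NUL-byte check for UNIX socket paths. Had the NUL
# been truncated a stray socket file would exist, so remove it.
def check_unix_socket_nul_byte(path = "#{Dir.tmpdir}/cve-check\0.sock")
  UNIXServer.open(path).close
  stray = path.split("\0", 2).first
  File.delete(stray) if File.socket?(stray)
  false
rescue ArgumentError
  true
end

# CVE-2018-6914: separators in the mktmpdir prefix must be stripped, so the
# directory lands directly under the temp dir, not in its parent.
def check_mktmpdir_prefix(prefix = "../data/")
  base = File.realpath(Dir.tmpdir)
  Dir.mktmpdir(prefix) { |dir| File.dirname(File.realpath(dir)) == base }
rescue SystemCallError
  false                               # e.g. ENOENT: the escaped parent is missing
end

def ruby_fix_report
  { "CVE-2018-8778" => check_unpack_offset, "CVE-2018-8780" => check_dir_nul_byte,
    "CVE-2018-8779" => check_unix_socket_nul_byte, "CVE-2018-6914" => check_mktmpdir_prefix }
end

puts ruby_fix_report if $PROGRAM_NAME == __FILE__
```

On a Ruby with the fixes every value in the report is true; a false names the CVE whose fix did not land.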
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0411.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED