Bug 22844 - ruby new security issues CVE-2017-17742, CVE-2018-6914, CVE-2018-877[7-9], CVE-2018-8780, CVE-2018-1639[56]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-31 17:54 CEST by David Walser
Modified: 2018-10-26 20:48 CEST

See Also:
Source RPM: ruby-2.5.1-19.mga7.src.rpm
CVE:
Status comment:



David Walser 2018-03-31 17:54:11 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-04-16 00:38:45 CEST
Fedora has issued an advisory for this today (April 15):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/U7PH74637SGW2VEGQPEGZCFQACYZPORS/
Comment 2 David Walser 2018-04-21 23:08:20 CEST
Ubuntu has issued an advisory for some of these issues on April 16:
https://usn.ubuntu.com/3626-1/
Comment 3 David Walser 2018-05-04 08:35:05 CEST
ruby-2.5.1-17.mga7 is in Cauldron now, so these should be fixed there.

Status comment: (none) => Fixed upstream in 2.2.10
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 4 David Walser 2018-10-21 22:55:22 CEST
Upstream has issued advisories on October 17:
https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/
https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/

The issues are fixed upstream in 2.3.8, 2.4.5, and 2.5.3.

Summary: ruby new security issues CVE-2017-17742, CVE-2018-6914, CVE-2018-877[7-9], CVE-2018-8780 => ruby new security issues CVE-2017-17742, CVE-2018-6914, CVE-2018-877[7-9], CVE-2018-8780, CVE-2018-1639[56]
Status comment: Fixed upstream in 2.2.10 => (none)
Version: 6 => Cauldron
Source RPM: ruby-2.5.0-16.mga7.src.rpm => ruby-2.5.1-19.mga7.src.rpm
Whiteboard: (none) => MGA6TOO

Comment 5 Pascal Terjan 2018-10-21 23:33:54 CEST
I submitted ruby-2.5.3 to cauldron

I also submitted a package for 6 with fixes for CVE-2018-16395 and CVE-2018-16396, mostly to verify it builds and the tests pass. I'm working on updating it with the other fixes.
Comment 6 Pascal Terjan 2018-10-21 23:48:14 CEST
2.2.10 + CVE-2018-16395 and CVE-2018-16396 submitted to 6/core/updates_testing
Comment 7 David Walser 2018-10-22 16:42:16 CEST
Pascal, please also see Bug 22696 for other remaining issues.

Advisory:
========================

Updated ruby packages fix security vulnerabilities:

Ruby before 2.2.10 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick (CVE-2017-17742).

Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10 might allow attackers to create arbitrary directories or files via a .. (dot dot) in the prefix argument (CVE-2018-6914).

In Ruby before 2.2.10, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption) (CVE-2018-8777).

In Ruby before 2.2.10, an attacker controlling the unpacking format (similar to format string vulnerabilities) can trigger a buffer under-read in the String#unpack method, resulting in a massive and controlled information disclosure (CVE-2018-8778).

In Ruby before 2.2.10, the UNIXServer.open and UNIXSocket.open methods are not checked for null characters. It may be connected to an unintended socket (CVE-2018-8779).

In Ruby before 2.2.10, the Dir.open, Dir.new, Dir.entries and Dir.empty? methods do not check NULL characters. When using the corresponding method, unintentional directory traversal may be performed (CVE-2018-8780).

Due to a bug in the equality check of OpenSSL::X509::Name, if a malicious X.509 certificate is passed to compare with an existing certificate, there is a possibility to be judged incorrectly that they are equal (CVE-2018-16395).

In Array#pack and String#unpack with some formats, the tainted flags of the original data are not propagated to the returned string/array (CVE-2018-16396).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17742
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6914
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8778
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8779
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16395
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16396
https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/
https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/
https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/
https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/
https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released/
========================

Updated packages in core/updates_testing:
========================
ruby-2.2.10-16.1.mga6
libruby2.2-2.2.10-16.1.mga6
ruby-doc-2.2.10-16.1.mga6
ruby-devel-2.2.10-16.1.mga6
ruby-tk-2.2.10-16.1.mga6
ruby-power_assert-0.2.2-16.1.mga6
ruby-irb-2.2.10-16.1.mga6
ruby-io-console-0.4.3-16.1.mga6
ruby-test-unit-3.0.8-16.1.mga6

from ruby-2.2.10-16.1.mga6.src.rpm

Assignee: pterjan => qa-bugs
CC: (none) => pterjan
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 8 Len Lawrence 2018-10-23 01:50:59 CEST
Following this up tomorrow.

$ ruby --version
ruby 2.2.8p477 (2017-09-14 revision 59906) [x86_64-linux]

It looks like many of the issues appeared in older versions of ruby and have probably been fixed for later versions.  Be that as it may I have not been able to find any reproducers so on to the updates.

CC: (none) => tarazed25

Comment 9 Len Lawrence 2018-10-23 18:49:57 CEST
Before update:

Checked a CVE to see if the issue could be reproduced.
CVE-2018-8778
https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/

Not overly familiar with pack and unpack options but tried this:
$ irb
irb(main):001:0> test = "abc\8\0__xyz 224"
=> "abc8\u0000__xyz 224"
irb(main):002:0> b = test.unpack( 'A4Z4' )
=> ["abc8", ""]
irb(main):003:0> c = test.unpack( '@6A6' )
=> ["_xyz 2"]
irb(main):004:0> d = test.unpack( 'A2@8000' )
ArgumentError: @ outside of string
	from (irb):4:in `unpack'
	from (irb):4
	from /bin/irb:11:in `<main>'

Which would suggest that the issue has been addressed (but this may not be the correct way to test it).

CVE-2018-8780
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/
$ irb
irb(main):001:0> target = "/home\0/lcl/ruby"
=> "/home\u0000/lcl/ruby"
irb(main):002:0> files = Dir.entries( target )
=> ["live", ".", "lcl", "zack", "share", "frodo", "suzy", "lost+found", "..", "junk"]
irb(main):003:0> exit

This vulnerability has not been fixed.

Nor has this one, I think.
CVE-2018-6914
https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/

irb(main):007:0> require "tempfile"
=> true
irb(main):008:0> Dir.mktmpdir( "../data/" )
=> "/tmp/../data/20181023-426-1vy8ag4"
irb(main):009:0> Dir.chdir( "/data" )
=> 0
irb(main):010:0> Dir.entries '.'
=> ["trimmers.tar", "qa.tar", "Sirius", "difda_qa.tar", "machines", "images", "isos", "ruby", "bin.tar", "eb.tar", "ss", "20181023-426-1vy8ag4", "video",  [...] ".", "rubydata", "clone"]

=============================================================================

Updated the packages.

$ ruby --version
ruby 2.2.10p489 (2018-03-28 revision 63023) [x86_64-linux]

Checked the CVEs looked at earlier:

CVE-2018-8778
$ irb
irb(main):001:0> test = "abc\8\0__xyz 224"
=> "abc8\u0000__xyz 224"
irb(main):002:0>  b = test.unpack( 'A4Z4' )
=> ["abc8", ""]
irb(main):003:0> c = test.unpack( '@6A6' )
=> ["_xyz 2"]
irb(main):004:0> d = test.unpack( 'A2@8000' )
ArgumentError: @ outside of string
	from (irb):4:in `unpack'
	from (irb):4
	from /bin/irb:11:in `<main>'

As before.

CVE-2018-8780
irb(main):005:0> target = "/home\0/lcl/ruby"
=> "/home\u0000/lcl/ruby"
irb(main):006:0> files = Dir.entries( target )
ArgumentError: string contains null byte
	from (irb):6:in `open'
	from (irb):6:in `entries'
	from (irb):6
	from /bin/irb:11:in `<main>'

This is good.

CVE-2018-6914
irb(main):007:0> require "tempfile"
=> true
irb(main):008:0> Dir.mktmpdir( "../data/" )
=> "/tmp/..data20181023-10374-cjrr2g"

That is an acceptable result.

Based on this small sample we can probably conclude that the fixes have taken.

Tried out about a dozen of my home-made ruby scripts, all using a Tk GUI, and they worked fine. irb has already been tested. gem functions are working but a gtk2 installation failed: rake missing (ruby equivalent of make).


$ gem list

*** LOCAL GEMS ***

astro_moon (0.2)
json (1.8.3)
power_assert (0.2.2)
rdoc (4.2.1)
test-unit (3.0.8)

$ gem install rake
Fetching: rake-12.3.1.gem (100%)
Successfully installed rake-12.3.1
Parsing documentation for rake-12.3.1
Installing ri documentation for rake-12.3.1
Done installing documentation for rake after 0 seconds
1 gem installed

rake still not found.

$ sudo urpmi ruby-rake
installing ruby-rake-10.4.2-10.mga6.noarch.rpm from /var/cache/urpmi/rpms      
Preparing...                     #############################################
      1/1: ruby-rake             #############################################

The full installation, stitched together:

$ sudo gem install gtk2
Fetching: native-package-installer-1.0.6.gem (100%)
Successfully installed native-package-installer-1.0.6
Fetching: pkg-config-1.3.1.gem (100%)
Successfully installed pkg-config-1.3.1
Fetching: glib2-3.2.9.gem (100%)
Building native extensions.  This could take a while...
Successfully installed glib2-3.2.9
Fetching: gobject-introspection-3.2.9.gem (100%)
Building native extensions.  This could take a while...
Successfully installed gobject-introspection-3.2.9
Fetching: gio2-3.2.9.gem (100%)
Building native extensions.  This could take a while...
Successfully installed gio2-3.2.9
Fetching: gdk_pixbuf2-3.2.9.gem (100%)
Building native extensions.  This could take a while...
Successfully installed gdk_pixbuf2-3.2.9
Fetching: cairo-1.15.14.gem (100%)
Building native extensions.  This could take a while...
Successfully installed cairo-1.15.14
Fetching: cairo-gobject-3.2.9.gem (100%)
Building native extensions.  This could take a while...
Successfully installed cairo-gobject-3.2.9
Fetching: pango-3.2.9.gem (100%)
Building native extensions.  This could take a while...
Successfully installed pango-3.2.9
Fetching: atk-3.2.9.gem (100%)
Building native extensions.  This could take a while...
Successfully installed atk-3.2.9
Fetching: gtk2-3.2.9.gem (100%)
Building native extensions.  This could take a while...
Successfully installed gtk2-3.2.9
Parsing documentation for gdk_pixbuf2-3.2.9
Installing ri documentation for gdk_pixbuf2-3.2.9
Parsing documentation for cairo-1.15.14
Installing ri documentation for cairo-1.15.14
Parsing documentation for cairo-gobject-3.2.9
Installing ri documentation for cairo-gobject-3.2.9
Parsing documentation for pango-3.2.9
Installing ri documentation for pango-3.2.9
Parsing documentation for atk-3.2.9
Installing ri documentation for atk-3.2.9
Parsing documentation for gtk2-3.2.9
Installing ri documentation for gtk2-3.2.9
Done installing documentation for gdk_pixbuf2, cairo, cairo-gobject, pango, atk, gtk2 after 3 seconds
6 gems installed

$ gem list

*** LOCAL GEMS ***

astro_moon (0.2)
atk (3.2.9)
cairo (1.15.14)
cairo-gobject (3.2.9)
gdk_pixbuf2 (3.2.9)
gio2 (3.2.9)
glib2 (3.2.9)
gobject-introspection (3.2.9)
gtk2 (3.2.9)
json (1.8.3)
native-package-installer (1.0.6)
pango (3.2.9)
pkg-config (1.3.1)
power_assert (0.2.2)
rake (12.3.1, 10.4.2)
rdoc (4.2.1)
test-unit (3.0.8)

Remembering earlier remarks about bundling on another bug I removed the rake gem.
$ sudo gem uninstall rake
Remove executables:
	rake
in addition to the gem? [Yn]  n
Executables and scripts will remain installed.
Successfully uninstalled rake-10.4.2

It is possible that other gems just installed have bundled versions.
Need to investigate.

Anyway, I am satisfied that ruby is working OK.

Whiteboard: (none) => MGA6-64-OK
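
The ad-hoc irb probes in comments 9 and 11 can be turned into a repeatable check of an installed interpreter. The script below is an added example for this page, not part of Mageia's QA tooling or the ruby package; it probes the three fixes the comments exercise (CVE-2018-8780, CVE-2018-6914, CVE-2018-8778) and reports each as :fixed or :vulnerable. It assumes a writable Dir.tmpdir and uses the "../escape-" prefix and the "@" offsets from the comments.

```ruby
# check_ruby_cves.rb: probe the running interpreter for three of the advisory's
# fixes. Hypothetical helper written for this page, not Mageia QA tooling.
require "tmpdir"
require "fileutils"

# CVE-2018-8780: Dir.entries/Dir.open must reject a path containing a NUL byte.
# Fixed: ArgumentError ("string contains null byte"). Vulnerable: the path is
# silently cut at the NUL and the directory in front of it is listed.
def check_nul_byte_dir
  Dir.entries("#{Dir.tmpdir}\0/does-not-exist")
  :vulnerable
rescue ArgumentError
  :fixed
end

# CVE-2018-6914: a "../" prefix to Dir.mktmpdir must not escape Dir.tmpdir.
# 2.2.10 strips the separators ("/tmp/..escape-2018..."); newer releases may
# reject the prefix instead. Either way the directory stays under the temp dir.
def check_mktmpdir_prefix
  base = File.realpath(Dir.tmpdir)
  created = Dir.mktmpdir("../escape-")
  inside = File.realpath(created).start_with?(base + File::SEPARATOR)
  FileUtils.rm_rf(created)
  inside ? :fixed : :vulnerable
rescue ArgumentError
  :fixed       # prefix rejected outright
rescue SystemCallError
  :vulnerable  # interpreter tried to create the directory outside Dir.tmpdir
end

# CVE-2018-8778: an "@" offset beyond the string must raise instead of reading
# from a bogus position. Uses the offsets tried in comments 9 and 11; a fixed
# interpreter answers "@ outside of string" or "pack length too big".
def check_unpack_offset
  raised = ["A2@8000", "A2@184467440798765432101"].all? do |fmt|
    begin
      "abcd8\0__xyz 224".unpack(fmt)
      false
    rescue ArgumentError, RangeError
      true
    end
  end
  raised ? :fixed : :vulnerable
end

# One hash, keyed by CVE, suitable for printing or asserting on in a QA run.
def run_checks
  { "CVE-2018-8780" => check_nul_byte_dir,
    "CVE-2018-6914" => check_mktmpdir_prefix,
    "CVE-2018-8778" => check_unpack_offset }
end
```

Running `ruby -r ./check_ruby_cves -e 'p RUBY_DESCRIPTION, run_checks'` before and after the update should flip the first two results from :vulnerable to :fixed, matching what comment 9 observed by hand.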

Comment 10 Len Lawrence 2018-10-23 19:16:57 CEST
Re comment #8.
Yep, ruby has gtk2, gdk_pixbuf2, cairo, pango, atk ....

So the gems go out.
Comment 11 Len Lawrence 2018-10-25 08:21:50 CEST
Re comment #9, first PoC - testing unpack.
On another machine with the pre-update version of ruby
$ ruby --version
ruby 2.2.8p477 (2017-09-14 revision 59906) [x86_64-linux]
used a large integer to try and force a negative offset and found that the vulnerability had already been addressed at the earlier version.

$ irb
irb(main):001:0> test = "abcd8\0__xyz 224"
=> "abcd8\u0000__xyz 224"
irb(main):002:0> test.unpack( "A2@184467440798765432101" )
RangeError: pack length too big
	from (irb):2:in `unpack'
	from (irb):2
	from /bin/irb:11:in `<main>'

Tried several very large numbers and the result was always the same which reinforces the earlier conclusion.
Len Lawrence 2018-10-25 08:22:29 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2018-10-26 15:36:55 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 12 Mageia Robot 2018-10-26 20:48:13 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0411.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

