Bug 24057 - ruby-i18n new security issue CVE-2014-10077
Summary: ruby-i18n new security issue CVE-2014-10077
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-12-25 20:20 CET by David Walser
Modified: 2018-12-28 11:17 CET (History)
5 users (show)

See Also:
Source RPM: ruby-i18n-0.7.0-1.mga6.src.rpm
CVE:
Status comment:


Attachments
Test script for the i18n extension to the Hash class (427 bytes, application/x-ruby)
2018-12-27 03:10 CET, Len Lawrence
Details

Description David Walser 2018-12-25 20:20:02 CET
Fedora has issued an advisory on November 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PI2JAP4MREQEIWMTIONOLWSYZIWZ3AAL/

The issue is fixed upstream in 0.8.0.
Comment 1 David GEIGER 2018-12-25 20:37:57 CET
Should be fixed for mga6!

CC: (none) => geiger.david68210

Comment 2 David Walser 2018-12-25 20:41:09 CET
Advisory:
========================

Updated ruby-i18n packages fix security vulnerability:

A flaw was found in the i18n gem before 0.8.0 for Ruby. The Hash#slice in
lib/i18n/core_ext/hash.rb allows remote attackers to cause a denial of service
(application crash) via a call in a situation where :some_key is present in
keep_keys but not present in the hash (CVE-2014-10077).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-10077
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PI2JAP4MREQEIWMTIONOLWSYZIWZ3AAL/
========================

Updated packages in core/updates_testing:
========================
ruby-i18n-0.7.0-1.1.mga6
ruby-i18n-doc-0.7.0-1.1.mga6

from ruby-i18n-0.7.0-1.1.mga6.src.rpm

Assignee: bugsquad => qa-bugs

Comment 3 Herman Viaene 2018-12-26 12:21:50 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Tried to follow Samuel's lead in bug12095 Comment 5, but this is beyond me.
I created the test.rb file, spent  some time to find out that the exceptions file is not anymore in /usr/share/ruby/gems/gems, it is now /usr/share/gems/gems/i18n-0.7.0/lib/i18n/exceptions.rb
What changes Samuel made in that file is beyond me, but I tried anyway:
$ ./test.rb
/usr/share/gems/gems/i18n-0.7.0/lib/i18n.rb:284:in `enforce_available_locales!': :en is not a valid locale (I18n::InvalidLocale)
	from /usr/share/gems/gems/i18n-0.7.0/lib/i18n.rb:151:in `translate'
	from ./test.rb:4:in `<main>'

And that might be plausible since this is a Dutch installation.
Leaving to more knowledgeable people.

CC: (none) => herman.viaene

Comment 4 Len Lawrence 2018-12-27 01:49:56 CET
@Herman.  Yes this is a difficult one to test.  Samuel's earlier tests would not cover this particular bug.  As he said in the earlier bug, familiarity with Rails would be good.  Not something I know anything about.  I shall poke it a bit before updating but it is unlikely to be fruitful.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2018-12-27 03:07:49 CET
Mageis 6, x86_64

Not familiar with the translation aspect of this package and how to demonstrate the exploit but it is easy enough to show that the code works at the hash level; it is a trivial change.
First try was monkey-patching the Hash class to include Hash::slice and that failed as expected.

$ ruby hashtest.rb
hashtest.rb:6:in `fetch': key not found: :alien (KeyError)
After updating:
Confirmed by inspection that the fix was in place at
/usr/share/gems/gems/i18n-0.7.0/lib/i18n/core_ext/hash.rb

$ ruby hashtest2.rb
{:apple=>"CoxOrangePippin", :pear=>"Comice", :orange=>"Jaffa"}

This is as far as I can take this.  Giving it an OK.

Whiteboard: (none) => MGA6-64-OK

Comment 6 Len Lawrence 2018-12-27 03:10:27 CET
Created attachment 10610 [details]
Test script for the i18n extension to the Hash class

Sample run in the code file.
Lewis Smith 2018-12-27 20:32:30 CET

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 7 Mageia Robot 2018-12-28 11:17:53 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0491.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.