Fedora has issued an advisory on November 28: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PI2JAP4MREQEIWMTIONOLWSYZIWZ3AAL/ The issue is fixed upstream in 0.8.0.
Should be fixed for mga6!
CC: (none) => geiger.david68210
Advisory: ======================== Updated ruby-i18n packages fix security vulnerability: A flaw was found in the i18n gem before 0.8.0 for Ruby. The Hash#slice in lib/i18n/core_ext/hash.rb allows remote attackers to cause a denial of service (application crash) via a call in a situation where :some_key is present in keep_keys but not present in the hash (CVE-2014-10077). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-10077 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PI2JAP4MREQEIWMTIONOLWSYZIWZ3AAL/ ======================== Updated packages in core/updates_testing: ======================== ruby-i18n-0.7.0-1.1.mga6 ruby-i18n-doc-0.7.0-1.1.mga6 from ruby-i18n-0.7.0-1.1.mga6.src.rpm
Assignee: bugsquad => qa-bugs
MGA6-32 MATE on IBM Thinkpad R50e No installation issues. Tried to follow Samuel's lead in bug12095 Comment 5, but this is beyond me. I created the test.rb file, spent some time to find out that the exceptions file is not anymore in /usr/share/ruby/gems/gems, it is now /usr/share/gems/gems/i18n-0.7.0/lib/i18n/exceptions.rb What changes Samuel made in that file is beyond me, but I tried anyway: $ ./test.rb /usr/share/gems/gems/i18n-0.7.0/lib/i18n.rb:284:in `enforce_available_locales!': :en is not a valid locale (I18n::InvalidLocale) from /usr/share/gems/gems/i18n-0.7.0/lib/i18n.rb:151:in `translate' from ./test.rb:4:in `<main>' And that might be plausible since this is a Dutch installation. Leaving to more knowledgeable people.
CC: (none) => herman.viaene
@Herman. Yes this is a difficult one to test. Samuel's earlier tests would not cover this particular bug. As he said in the earlier bug, familiarity with Rails would be good. Not something I know anything about. I shall poke it a bit before updating but it is unlikely to be fruitful.
CC: (none) => tarazed25
Mageis 6, x86_64 Not familiar with the translation aspect of this package and how to demonstrate the exploit but it is easy enough to show that the code works at the hash level; it is a trivial change. First try was monkey-patching the Hash class to include Hash::slice and that failed as expected. $ ruby hashtest.rb hashtest.rb:6:in `fetch': key not found: :alien (KeyError) After updating: Confirmed by inspection that the fix was in place at /usr/share/gems/gems/i18n-0.7.0/lib/i18n/core_ext/hash.rb $ ruby hashtest2.rb {:apple=>"CoxOrangePippin", :pear=>"Comice", :orange=>"Jaffa"} This is as far as I can take this. Giving it an OK.
Whiteboard: (none) => MGA6-64-OK
Created attachment 10610 [details] Test script for the i18n extension to the Hash class Sample run in the code file.
Keywords: (none) => advisory, validated_updateCC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0491.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED