Bug 25564 - ruby new security issues CVE-2019-15845, CVE-2019-16201, CVE-2019-1625[45]
Summary: ruby new security issues CVE-2019-15845, CVE-2019-16201, CVE-2019-1625[45]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-10-14 17:21 CEST by David Walser
Modified: 2019-12-25 20:09 CET
CC List: 5 users

See Also:
Source RPM: ruby-2.5.3-20.mga7.src.rpm
CVE:
Status comment:


Attachments
PoC and gem tests for ruby (4.40 KB, text/plain), 2019-12-25 01:31 CET, Len Lawrence

David Walser 2019-10-14 17:22:08 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2019-10-14 20:51:11 CEST
Assigning to pterjan as the registered maintainer for 'ruby'.

Assignee: bugsquad => pterjan

Comment 2 David Walser 2019-11-30 16:31:18 CET
Ubuntu has issued an advisory for this on November 26:
https://usn.ubuntu.com/4201-1/

Severity: normal => major

Comment 3 David Walser 2019-12-19 17:34:08 CET
Pascal, I see r1463885 was an update to 2.5.7 meant to address this, but it was never built.
Comment 4 Pascal Terjan 2019-12-19 17:51:47 CET
Yes a test is failing and I need to investigate why
Comment 5 David Walser 2019-12-20 21:19:52 CET
Debian has issued an advisory for this on December 17:
https://www.debian.org/security/2019/dsa-4586
Comment 6 Pascal Terjan 2019-12-22 22:24:09 CET
The build is fixed, 2.5.7 was uploaded to cauldron and is currently building for 7.
Comment 7 David Walser 2019-12-22 23:22:35 CET
Thanks Pascal. Please don't forget Bug 22696.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 8 David Walser 2019-12-22 23:26:18 CET
Advisory:
========================

Updated ruby packages fix security vulnerabilities:

It was discovered that Ruby incorrectly handled certain files. An attacker
could possibly use this issue to pass path matching what can lead to an
unauthorized access (CVE-2019-15845).

It was discovered that Ruby incorrectly handled certain regular expressions. An
attacker could use this issue to cause a denial of service (CVE-2019-16201).

It was discovered that Ruby incorrectly handled certain HTTP headers. An
attacker could possibly use this issue to execute arbitrary code
(CVE-2019-16254).

It was discovered that Ruby incorrectly handled certain inputs. An attacker
could possibly use this issue to execute arbitrary code (CVE-2019-16255).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16201
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255
https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/
https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-5-7-released/
https://usn.ubuntu.com/4201-1/
========================

Updated packages in core/updates_testing:
========================
ruby-2.5.7-20.mga7
libruby2.5-2.5.7-20.mga7
ruby-doc-2.5.7-20.mga7
ruby-devel-2.5.7-20.mga7
ruby-rake-12.3.0-20.mga7
ruby-openssl-2.1.2-20.mga7
ruby-power_assert-1.1.1-20.mga7
ruby-irb-2.5.7-20.mga7
ruby-did_you_mean-1.2.0-20.mga7
ruby-io-console-0.4.6-20.mga7
ruby-psych-3.0.2-20.mga7
ruby-net-telnet-0.1.1-20.mga7
ruby-test-unit-3.2.7-20.mga7
ruby-xmlrpc-0.3.0-20.mga7

from ruby-2.5.7-20.mga7.src.rpm

CC: (none) => pterjan
Assignee: pterjan => qa-bugs

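The four CVE descriptions in the advisory above can be turned into small, deterministic checks. The following is an added example and is not part of this bug report or of attachment 11433; the helper names are ours. It exercises the installed File.fnmatch directly, and re-implements the header check and the command check described in the ruby-lang.org advisories in plain Ruby rather than loading the webrick and shell libraries (which are not present in every Ruby). CVE-2019-16201 is a regexp denial of service and is left out, since demonstrating it depends on timing.

```ruby
# Added example: not from this bug report nor from attachment 11433.
# It encodes the behaviours described in the ruby-lang.org advisories
# linked above; all helper names are ours. Runs on any Ruby, no gems.

# ---- CVE-2019-15845: NUL injection in File.fnmatch -------------------
# Before the fix the pattern reached the C matcher as a NUL-terminated
# string, so "secret\0*" behaved like "secret" and matched "secret".
# Fixed interpreters (2.5.7, 2.6.5, 2.4.8 and later) raise ArgumentError
# on a NUL byte in the pattern instead.
def fnmatch_nul_status(pattern = "secret\0*", path = "secret")
  File.fnmatch(pattern, path) ? :vulnerable : :no_match
rescue ArgumentError
  :fixed
end

# ---- CVE-2019-16254: HTTP response splitting in WEBrick --------------
# The earlier CVE-2017-17742 fix rejected only the CRLF pair. A client
# that splits headers on a bare LF, or a proxy that normalises it, still
# sees the injected header. Both checks are spelled out so the gap shows.
class InvalidHeader < StandardError; end

# incomplete check: misses an isolated CR or LF
def header_value_crlf_only(value)
  value = value.to_s
  raise InvalidHeader, "CRLF in header value" if value.include?("\r\n")
  value
end

# complete check: reject any CR or LF in the value
def header_value_checked(value)
  value = value.to_s
  raise InvalidHeader, "CR or LF in header value" if value.match?(/[\r\n]/)
  value
end

# Render a Location header through the given check and return the header
# lines a line-oriented parser would see. More than one line means the
# attacker-supplied value split the header.
def redirect_headers(location, check)
  "Location: #{check.call(location)}\r\n".lines.map(&:chomp)
end

# ---- CVE-2019-16255: code injection via Shell#[] / Shell#test --------
# Shell#test forwarded an untrusted command name to FileTest with `send`,
# which also reaches private Kernel methods such as Integer(), system()
# or eval(). The checked dispatcher accepts only FileTest's own predicates
# and uses public_send, so a bad name fails before anything runs.
FILETEST_COMMANDS = FileTest.singleton_methods.map(&:to_s).freeze

def filetest_unchecked(command, path)   # the vulnerable shape
  FileTest.send(command, path)
end

def filetest_checked(command, path)
  name = command.to_s
  unless FILETEST_COMMANDS.include?(name)
    raise ArgumentError, "not a FileTest predicate: #{name.inspect}"
  end
  FileTest.public_send(name, path)
end

if __FILE__ == $0
  puts "File.fnmatch with NUL in pattern: #{fnmatch_nul_status}"
  evil = "/\nSet-Cookie: sid=attacker"          # constructed attacker input
  p redirect_headers(evil, method(:header_value_crlf_only))   # two lines
  begin
    redirect_headers(evil, method(:header_value_checked))
  rescue InvalidHeader => e
    puts "checked header: #{e.message}"
  end
  # "Integer" is Kernel#Integer, not a file test; unchecked send runs it
  p filetest_unchecked("Integer", "42")
  begin
    filetest_checked("Integer", "42")
  rescue ArgumentError => e
    puts "checked dispatch: #{e.message}"
  end
end
```

Run it on the interpreter under test: a :fixed result from the fnmatch probe means the pattern NUL check shipped in 2.5.7 is present, while the other two sections show the bypass and the hardened rule side by side independently of the installed Ruby version.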
Comment 9 Herman Viaene 2019-12-23 16:33:18 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
Referring to bug 22844 to repeat some tests done there, for lack of knowledge in ruby.
$ ruby --version
ruby 2.5.7p206 (2019-10-01 revision 67816) [x86_64-linux]
$ irb
irb(main):001:0> test = "abc\8\0__xyz 224"
=> "abc8\u0000__xyz 224"
irb(main):002:0> b = test.unpack( 'A4Z4' )
=> ["abc8", ""]
irb(main):003:0> c = test.unpack( '@6A6' )
=> ["_xyz 2"]
irb(main):004:0> d = test.unpack( 'A2@8000' )
Traceback (most recent call last):
        3: from /usr/bin/irb:11:in `<main>'
        2: from (irb):4
        1: from (irb):4:in `unpack'
ArgumentError (@ outside of string)
irb(main):005:0> target = "/home\0/tester7/ruby
irb(main):006:0" 
I had to CTRL-C to get out of this, then further
irb(main):009:0> require "tempfile"
=> true
irb(main):010:0> Dir.mktmpdir( "../data/" )
=> "/tmp/..data20191223-20656-1u7vuop"
irb(main):011:0> quit
[tester7@mach5 ~]$ gem list

*** LOCAL GEMS ***

did_you_mean (1.2.0)
json (2.1.0)
net-telnet (0.1.1)
power_assert (1.1.1)
rake (12.3.0)
rdoc (6.1.1)
test-unit (3.2.7)
xmlrpc (0.3.0)

Leaving it for others to judge if this is enough testing; for me it is the end of the road.

CC: (none) => herman.viaene

Comment 10 Len Lawrence 2019-12-23 19:15:44 CET
@Herman, comment 9.  Thanks for looking at this.  I had been intending to tackle it after Christmas because ruby is my main programming/scripting language - use it every day - not enough uninterrupted time to do much testing just now.

Those interactive tests were intended to reproduce some of the bugs reported in the CVEs and show that they were fixed after the updates.  If you could leave this open I will check the CVEs later with a view to producing some PoC tests.

CC: (none) => tarazed25

Comment 11 Len Lawrence 2019-12-25 01:31:22 CET
Created attachment 11433 [details]
PoC and gem tests for ruby
Comment 12 Len Lawrence 2019-12-25 01:42:25 CET
Mageia7, x86_64

Installed all the packages, ran some tests against three of the CVEs before and after the updates and then some tests of ruby-RubyGems - see attachment.
The PoC results were good.

Installed puppet, without any background knowledge, so testing was very elementary, limited to a search on PuppetForge.
$ puppet module search nginx
This returned a list of 225 modules starting with those whose names include "nginx".

$ urpmq --whatrequires-recursive ruby | sort -u > rubylist
$ lines rubylist
617
which shows an extensive collection of packages which could be tested against ruby.
Based on Herman's and these notes we can give this an OK for 64-bits.

Whiteboard: (none) => MGA7-64-OK

Comment 13 Len Lawrence 2019-12-25 01:45:30 CET
Rider to comment 12.
Local ruby scripts continue to work.  Several are quite complex with from 600 to 1500 lines of code and comments.
Thomas Backlund 2019-12-25 15:21:31 CET

Keywords: (none) => advisory
CC: (none) => tmb

Thomas Backlund 2019-12-25 19:48:17 CET

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 14 Mageia Robot 2019-12-25 20:09:50 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0408.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

