Ruby has issued advisories on October 1:
https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/
https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/

The issues are fixed upstream in 2.5.7:
https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-5-7-released/

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Assigning to pterjan as the registered maintainer for 'ruby'.
Assignee: bugsquad => pterjan
Ubuntu has issued an advisory for this on November 26: https://usn.ubuntu.com/4201-1/
Severity: normal => major
Pascal, I see r1463885 was an update to 2.5.7 meant to address this, but it was never built.
Yes, a test is failing and I need to investigate why.
Debian has issued an advisory for this on December 17: https://www.debian.org/security/2019/dsa-4586
The build is fixed, 2.5.7 was uploaded to cauldron and is currently building for 7.
Thanks Pascal. Please don't forget Bug 22696.
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Advisory:
========================

Updated ruby packages fix security vulnerabilities:

It was discovered that Ruby incorrectly handled certain files. An attacker could possibly use this issue to bypass path matching, which can lead to unauthorized access (CVE-2019-15845).

It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could use this issue to cause a denial of service (CVE-2019-16201).

It was discovered that Ruby incorrectly handled certain HTTP headers. An attacker could possibly use this issue to execute arbitrary code (CVE-2019-16254).

It was discovered that Ruby incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code (CVE-2019-16255).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16201
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255
https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/
https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-5-7-released/
https://usn.ubuntu.com/4201-1/
========================

Updated packages in core/updates_testing:
========================

ruby-2.5.7-20.mga7
libruby2.5-2.5.7-20.mga7
ruby-doc-2.5.7-20.mga7
ruby-devel-2.5.7-20.mga7
ruby-rake-12.3.0-20.mga7
ruby-openssl-2.1.2-20.mga7
ruby-power_assert-1.1.1-20.mga7
ruby-irb-2.5.7-20.mga7
ruby-did_you_mean-1.2.0-20.mga7
ruby-io-console-0.4.6-20.mga7
ruby-psych-3.0.2-20.mga7
ruby-net-telnet-0.1.1-20.mga7
ruby-test-unit-3.2.7-20.mga7
ruby-xmlrpc-0.3.0-20.mga7

from ruby-2.5.7-20.mga7.src.rpm
CC: (none) => pterjan
Assignee: pterjan => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to bug 22844 to repeat some tests done there for lack of knowledge in ruby.

$ ruby --version
ruby 2.5.7p206 (2019-10-01 revision 67816) [x86_64-linux]
$ irb
irb(main):001:0> test = "abc\8\0__xyz 224"
=> "abc8\u0000__xyz 224"
irb(main):002:0> b = test.unpack( 'A4Z4' )
=> ["abc8", ""]
irb(main):003:0> c = test.unpack( '@6A6' )
=> ["_xyz 2"]
irb(main):004:0> d = test.unpack( 'A2@8000' )
Traceback (most recent call last):
        3: from /usr/bin/irb:11:in `<main>'
        2: from (irb):4
        1: from (irb):4:in `unpack'
ArgumentError (@ outside of string)
irb(main):005:0> target = "/home\0/tester7/ruby
irb(main):006:0"

I had to CTRL-C to get out of this, then further:

irb(main):009:0> require "tempfile"
=> true
irb(main):010:0> Dir.mktmpdir( "../data/" )
=> "/tmp/..data20191223-20656-1u7vuop"
irb(main):011:0> quit
[tester7@mach5 ~]$ gem list

*** LOCAL GEMS ***

did_you_mean (1.2.0)
json (2.1.0)
net-telnet (0.1.1)
power_assert (1.1.1)
rake (12.3.0)
rdoc (6.1.1)
test-unit (3.2.7)
xmlrpc (0.3.0)

Leaving for others to judge if this is enough testing; for me it is the end of the road.
CC: (none) => herman.viaene
@Herman, comment 9. Thanks for looking at this. I had been intending to tackle it after Christmas because ruby is my main programming/scripting language - use it every day - not enough uninterrupted time to do much testing just now. Those interactive tests were intended to reproduce some of the bugs reported in the CVEs and show that they were fixed after the updates. If you could leave this open I will check the CVEs later with a view to producing some PoC tests.
CC: (none) => tarazed25
Created attachment 11433 [details] PoC and gem tests for ruby
Mageia7, x86_64

Installed all the packages, ran some tests against three of the CVEs before and after the updates and then some tests of ruby-RubyGems - see attachment. The PoC results were good.

Installed puppet, without any background knowledge, so testing was very elementary, limited to a search on PuppetForge.

$ puppet module search nginx

This returned a list of 225 modules starting with those whose names include "nginx".

$ urpmq --whatrequires-recursive ruby | sort -u > rubylist
$ lines rubylist
617

which shows an extensive collection of packages which could be tested against ruby.

Based on Herman's and these notes we can give this an OK for 64-bits.
Whiteboard: (none) => MGA7-64-OK
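As an added example, not code from the bug report or from the attached PoC: a small Ruby probe for the File.fnmatch NUL-byte issue (CVE-2019-15845), of the kind a tester can run before and after the update, plus a wrapper that rejects NUL bytes explicitly. It assumes the behaviour described in the upstream advisory: a patched interpreter (2.5.7 and later) raises ArgumentError for a NUL byte in the pattern, while an unpatched one hands the pattern to the C matcher, which stops at the NUL, so "/home/user\0/*" behaves like "/home/user". The sample paths, the allow-list check and the function names are constructed for illustration.

```ruby
# Added example, not part of the bug report or its attachment: a probe for the
# CVE-2019-15845 fix plus a defensive wrapper around File.fnmatch?.
#
# Background from the upstream advisory: before the fix, a NUL byte inside the
# pattern given to File.fnmatch / File.fnmatch? reached the C matcher, which
# treats NUL as end of string, so "/home/user\0/*" behaved like "/home/user".
# The fix converts the pattern to a C string first, which raises ArgumentError
# ("string contains null byte") when a NUL is present.

# Returns :patched when the interpreter rejects (or at least does not match)
# a NUL-containing pattern, and :vulnerable when the pattern is silently
# truncated at the NUL and the match succeeds.
def fnmatch_nul_probe
  # On a patched ruby this raises; on an unpatched one it returns true,
  # because the truncated pattern "/home/user" equals the path exactly.
  File.fnmatch?("/home/user\0/*", "/home/user") ? :vulnerable : :patched
rescue ArgumentError
  :patched
end

# Wrapper for code that hands a pattern derived from untrusted input to
# File.fnmatch?. It refuses NUL bytes in both arguments before calling into
# the interpreter, so the behaviour is identical whether or not the running
# ruby carries the upstream fix.
def safe_fnmatch?(pattern, path, flags = 0)
  raise ArgumentError, "pattern contains a NUL byte" if pattern.include?("\0")
  raise ArgumentError, "path contains a NUL byte" if path.include?("\0")
  File.fnmatch?(pattern, path, flags)
end

# Toy access check of the kind the advisory warns about: the allow-list
# pattern comes from a hypothetical user-supplied filter. Returns the
# constructed sample paths the caller would be granted.
SAMPLE_PATHS = %w[/home/user/notes.txt /home/user/.ssh/id_rsa /etc/passwd].freeze

def allowed_paths(user_pattern)
  # FNM_PATHNAME keeps "*" from crossing "/" and, without FNM_DOTMATCH,
  # from matching a leading ".", so dotfiles under /home/user stay hidden.
  SAMPLE_PATHS.select { |p| safe_fnmatch?(user_pattern, p, File::FNM_PATHNAME) }
end

if __FILE__ == $0
  puts "File.fnmatch NUL handling: #{fnmatch_nul_probe}"
  puts "allowed for '/home/user/*': #{allowed_paths('/home/user/*').inspect}"
  begin
    allowed_paths("/home/user\0/*")
  rescue ArgumentError => e
    puts "rejected pattern with NUL: #{e.message}"
  end
end
```

Run it as a plain script with the ruby under test; on an interpreter carrying the 2.5.7 fix the probe reports :patched and the NUL pattern is rejected, while on an unpatched 2.5.x build it reports :vulnerable because the truncated pattern matches the path.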
Rider to comment 12. Local ruby scripts continue to work. Several are quite complex with from 600 to 1500 lines of code and comments.
Keywords: (none) => advisory
CC: (none) => tmb
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0408.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED