Bug 30162 - ruby (ruby-bundler) new security issue CVE-2021-43809
Summary: ruby (ruby-bundler) new security issue CVE-2021-43809
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-03-12 15:27 CET by David Walser
Modified: 2022-03-14 17:53 CET

See Also:
Source RPM: ruby-2.7.5-33.2.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2022-03-12 15:27:13 CET
A security issue fixed upstream in ruby-bundler 2.2.33 has been announced:
https://blog.sonarsource.com/securing-developer-tools-package-managers
David Walser 2022-03-12 15:27:26 CET

Status comment: (none) => Fixed upstream in ruby-bundler 2.2.33

Comment 1 Nicolas Lécureuil 2022-03-13 01:14:48 CET
Fix pushed in mga8:

src:
    - ruby-2.7.5-33.3.mga8

Assignee: pterjan => qa-bugs
Status comment: Fixed upstream in ruby-bundler 2.2.33 => (none)
CC: (none) => mageia, pterjan

Comment 2 David Walser 2022-03-13 04:49:38 CET
Nicolas applied a patch for CVE-2021-43809.

ruby-2.7.5-33.3.mga8
ruby-rdoc-6.2.1.1-33.3.mga8
libruby2.7-2.7.5-33.3.mga8
ruby-devel-2.7.5-33.3.mga8
ruby-bundler-2.2.24-33.3.mga8
ruby-RubyGems-3.1.2-33.3.mga8
ruby-openssl-2.1.3-33.3.mga8
ruby-test-unit-3.3.4-33.3.mga8
ruby-rake-13.0.1-33.3.mga8
ruby-irb-2.7.5-33.3.mga8
ruby-psych-3.1.0-33.3.mga8
ruby-bigdecimal-2.0.0-33.3.mga8
ruby-json-2.3.0-33.3.mga8
ruby-xmlrpc-0.3.0-33.3.mga8
ruby-net-telnet-0.2.0-33.3.mga8
ruby-io-console-0.5.6-33.3.mga8
ruby-power_assert-1.1.7-33.3.mga8
ruby-did_you_mean-1.4.0-33.3.mga8
ruby-doc-2.7.5-33.3.mga8

ruby-2.7.5-33.3.mga8.src.rpm
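The fix here is backported into the existing ruby-bundler 2.2.24 build (release 33.3.mga8) rather than shipped as Bundler 2.2.33, so a scanner that only compares the Bundler gem version against the upstream fixed release will still report the patched Mageia package as vulnerable. The following script is an added example, not part of this bug report or of Mageia's tooling: it parses `rpm -qa` style name-version-release strings and decides per package whether the installed build is at or past the fixed build listed above. The fixed version/release pairs are taken from the package list in comment 2; the `rpm -qa` sample is constructed (including a deliberately stale ruby-RubyGems and an untracked ruby-tk line), and the release comparison assumes Mageia's `.mgaN` dist tag can be dropped and the remaining release compared numerically.

```ruby
# Added example (not code from the bug report or from Mageia's tooling):
# per-package check whether an installed ruby RPM carries the
# CVE-2021-43809 fix. Fixed builds come from comment 2 of this bug.
require 'rubygems'

# name => [version, release] of the build that ships the fix (from comment 2)
FIXED_BUILDS = {
  'ruby'          => ['2.7.5',   '33.3.mga8'],
  'libruby2.7'    => ['2.7.5',   '33.3.mga8'],
  'ruby-bundler'  => ['2.2.24',  '33.3.mga8'],
  'ruby-RubyGems' => ['3.1.2',   '33.3.mga8'],
  'ruby-rake'     => ['13.0.1',  '33.3.mga8'],
  'ruby-rdoc'     => ['6.2.1.1', '33.3.mga8'],
}.freeze

# Upstream Bundler release carrying the fix (from the bug description);
# only meaningful for an unpatched, upstream-versioned Bundler.
UPSTREAM_FIXED_BUNDLER = Gem::Version.new('2.2.33')

# Split "name-version-release" at the last two dashes; nil if it does not fit.
def parse_nvr(nvr)
  m = nvr.strip.match(/\A(.+)-([^-]+)-([^-]+)\z/) or return nil
  { name: m[1], version: m[2], release: m[3] }
end

# Drop the distribution tag ("33.3.mga8" -> "33.3") so Gem::Version
# compares only the numeric release (assumption: Mageia-style tags).
def release_number(release)
  Gem::Version.new(release.sub(/\.mga\d+\z/, ''))
end

# [name, status] for one rpm -qa line; status is :fixed, :vulnerable,
# :untracked (not a package this update touches) or :unparseable.
def package_status(nvr)
  pkg = parse_nvr(nvr) or return [nvr.strip, :unparseable]
  fixed = FIXED_BUILDS[pkg[:name]] or return [pkg[:name], :untracked]
  ver_cmp = Gem::Version.new(pkg[:version]) <=> Gem::Version.new(fixed[0])
  status =
    if ver_cmp > 0 then :fixed          # newer upstream version, built after the fix
    elsif ver_cmp < 0 then :vulnerable  # older version predates the patch
    else release_number(pkg[:release]) >= release_number(fixed[1]) ? :fixed : :vulnerable
    end
  [pkg[:name], status]
end

# Audit a whole rpm -qa listing; returns { name => status }.
def audit(rpm_qa_output)
  rpm_qa_output.lines.map(&:strip).reject(&:empty?).map { |l| package_status(l) }.to_h
end

# Naive check that looks only at the Bundler gem version. It misreports
# Mageia's patched 2.2.24 because the fix was backported, not version-bumped.
def bundler_version_fixed?(version)
  Gem::Version.new(version) >= UPSTREAM_FIXED_BUNDLER
end

# Constructed sample of `rpm -qa 'ruby*' 'libruby*'` on a half-updated host
# (the ruby-tk line is made up to exercise the :untracked path).
SAMPLE_RPM_QA = <<~RPMS
  ruby-2.7.5-33.3.mga8
  ruby-bundler-2.2.24-33.3.mga8
  ruby-RubyGems-3.1.2-33.2.mga8
  libruby2.7-2.7.5-33.3.mga8
  ruby-tk-2.7.5-3.mga8
RPMS

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_RPM_QA).each { |name, st| puts format('%-15s %s', name, st) }
  puts "bundler 2.2.24 judged by gem version only: #{bundler_version_fixed?('2.2.24')}"
end
```

On a real host, feed it the output of `rpm -qa 'ruby*' 'libruby*'` instead of the sample; the point of the version-then-release comparison is that a later upstream version (say a hypothetical 2.2.33-1.mga8) is still accepted even though its release number is lower, while the same version at an older release is flagged.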
Comment 3 Len Lawrence 2022-03-13 10:42:46 CET
mageia8, x86_64

19 packages updated cleanly.
Put ruby through its paces as in previous tests.
$ ruby --version
ruby 2.7.5p203 (2021-11-24 revision f69aeb8314) [x86_64-linux]

$ irb
irb(main):001:0> Dir.entries( "." )
=> [".", "..", "rpcbomb.rb", "animate.rb", "#report.22844#", "circular.rb",
[...]
irb(main):002:0> fruit = %( apples pears oranges lemons ).upcase
=> " APPLES PEARS ORANGES LEMONS "
irb(main):003:0> a = [7, 1, -11, 3]
=> [7, 1, -11, 3]
irb(main):004:0> b = [3.1]*5
=> [3.1, 3.1, 3.1, 3.1, 3.1]
irb(main):005:0> c = [a, b, Math.cos( 0.0 )]
=> [[7, 1, -11, 3], [3.1, 3.1, 3.1, 3.1, 3.1], 1.0]
irb(main):006:0> c.flatten.inject( :+ )
=> 16.5
irb(main):007:0> exit

$ ruby -e "puts (1..10).inject( &:+ )"
55

$ gem list

*** LOCAL GEMS ***

astro_moon (0.2)
benchmark (default: 0.1.0)
bigdecimal (2.0.0)
bundler (2.2.24)
cgi (default: 0.1.0.1)
concurrent-ruby (1.1.9, 1.1.7)
connection_pool (2.2.3)
csv (default: 3.1.2)
date (default: 3.0.3)
[...]

Most of my homespun utilities depend on ruby and ruby-tk. They all continue to work.
facter, puppet, and vagrant use ruby. puppet does not work currently.

$ facter
architecture => x86_64
blockdevice_sda_model => KINGSTON SV300S3
blockdevice_sda_size => 240057409536
blockdevice_sda_vendor => ATA
.......

That returns a long list of information about the system.

Installed vagrant.
From the web:
"Vagrant is a simple virtual machine manager for your terminal. It allows you to easily pull a minimal and pre-built virtual machine from the Internet, run it locally, and SSH into it in just a few steps."
Tutorial at https://www.geeksforgeeks.org/what-is-vagrant/

Not getting into that, but tried to launch it.
$ vagrant
.....
/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:83:in `require': cannot load such file -- vagrant_cloud (LoadError)
$ sudo gem install vagrant_cloud
.....
4 gems installed

CLI invocation failed again in the same way.

Green light for ruby anyway.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2022-03-13 21:15:19 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-03-13 23:30:33 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-03-14 17:53:01 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0102.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
