Bug 33138 - ruby new security issues CVE-2024-2728[0-2]
Summary: ruby new security issues CVE-2024-2728[0-2]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-04-24 14:47 CEST by Nicolas Salguero
Modified: 2024-05-09 04:41 CEST

See Also:
Source RPM: ruby-3.1.4-44.mga9.src.rpm
CVE: CVE-2024-27280, CVE-2024-27281, CVE-2024-27282
Status comment:


Attachments
fibonacci series demo script (811 bytes, application/x-ruby)
2024-05-04 21:22 CEST, Len Lawrence
Fibonacci demo script (811 bytes, text/plain)
2024-05-04 21:26 CEST, Len Lawrence
plain text version of fibonacci test (816 bytes, application/x-ruby)
2024-05-04 22:47 CEST, Len Lawrence

Description Nicolas Salguero 2024-04-24 14:47:34 CEST
Version 3.1.5 fixes those problems:
https://www.ruby-lang.org/en/news/2024/04/23/ruby-3-1-5-released/

Mageia 9 is also affected.
Nicolas Salguero 2024-04-24 14:48:06 CEST

Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 3.1.5
CVE: (none) => CVE-2024-27280, CVE-2024-27281, CVE-2024-27282
Source RPM: (none) => ruby-3.1.4-44.mga9.src.rpm

Comment 1 Lewis Smith 2024-04-24 20:44:59 CEST
Looks right for you, Pascal. Just a version update.

Assignee: bugsquad => pterjan

Comment 2 Pascal Terjan 2024-04-28 16:37:34 CEST
ruby-3.1.5 is in cauldron and being uploaded to 9/updates_testing
Comment 3 Nicolas Salguero 2024-05-02 14:38:38 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Buffer overread vulnerability in StringIO. (CVE-2024-27280)

RCE vulnerability with .rdoc_options in RDoc. (CVE-2024-27281)

Arbitrary memory address read vulnerability with Regex search. (CVE-2024-27282)

References:
https://www.ruby-lang.org/en/news/2024/04/23/ruby-3-1-5-released/
========================

Updated packages in core/updates_testing:
========================
lib(64)ruby3.1-3.1.5-45.mga9
ruby-3.1.5-45.mga9
ruby-RubyGems-3.3.26-45.mga9
ruby-bigdecimal-3.1.1-45.mga9
ruby-bundled-gems-3.1.5-45.mga9
ruby-bundler-2.3.27-45.mga9
ruby-devel-3.1.5-45.mga9
ruby-doc-3.1.5-45.mga9
ruby-io-console-0.5.11-45.mga9
ruby-irb-3.1.5-45.mga9
ruby-json-2.6.1-45.mga9
ruby-power_assert-2.0.1-45.mga9
ruby-psych-4.0.4-45.mga9
ruby-rake-13.0.6-45.mga9
ruby-rbs-2.7.0-45.mga9
ruby-rdoc-6.4.1.1-45.mga9
ruby-rexml-3.2.5-45.mga9
ruby-rss-0.2.9-45.mga9
ruby-test-unit-3.5.3-45.mga9
ruby-typeprof-0.21.3-45.mga9

from SRPM:
ruby-3.1.5-45.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED
Assignee: pterjan => qa-bugs
Status comment: Fixed upstream in 3.1.5 => (none)
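A check a tester could run against the package list above, written here as an added example (it is not part of this bug report or of Mageia's tooling): it splits RPM name-version-release strings and flags any package whose version is still below the fixed versions carried by the updated packages in this comment. The fixed-version table is taken from that list; the sample package strings are the report's own "before" SRPM and the "after" packages.

```ruby
require "rubygems" # Gem::Version orders 6.4.1 below 6.4.1.1 correctly

# Minimum versions carried by the updated packages listed in this advisory.
# Packages not in this table are not checked (the check returns nil for them).
FIXED_VERSIONS = {
  "ruby"         => "3.1.5",   # CVE-2024-27280 / CVE-2024-27282 fixed in Ruby 3.1.5
  "lib64ruby3.1" => "3.1.5",
  "libruby3.1"   => "3.1.5",
  "ruby-rdoc"    => "6.4.1.1", # CVE-2024-27281 fixed in the rdoc shipped here
}.freeze

# Split an RPM N-V-R string ("ruby-rdoc-6.4.1.1-45.mga9") into its parts.
# Package names may themselves contain hyphens (ruby-power_assert), so only
# the last two hyphens separate version and release.
def parse_nvr(nvr)
  rest, sep, release = nvr.rpartition("-")
  name, sep2, version = rest.rpartition("-")
  raise ArgumentError, "not an N-V-R string: #{nvr.inspect}" if sep.empty? || sep2.empty?
  { name: name, version: version, release: release }
end

# true  => installed version is older than the fixed one
# false => at or above the fixed version
# nil   => package not covered by this advisory
def outdated?(nvr)
  pkg = parse_nvr(nvr)
  fixed = FIXED_VERSIONS[pkg[:name]]
  return nil if fixed.nil?
  Gem::Version.new(pkg[:version]) < Gem::Version.new(fixed)
end

# Constructed sample input: the pre-update SRPM version from this report and
# some of the updated packages from updates_testing.
SAMPLE_PACKAGES = %w[
  ruby-3.1.4-44.mga9
  ruby-3.1.5-45.mga9
  lib64ruby3.1-3.1.5-45.mga9
  ruby-rdoc-6.4.1.1-45.mga9
  ruby-rake-13.0.6-45.mga9
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_PACKAGES.each do |nvr|
    status = { true => "OUTDATED", false => "fixed", nil => "not covered" }[outdated?(nvr)]
    puts "#{nvr.ljust(30)} #{status}"
  end
end
```

On a real system, feed `outdated?` the lines of `rpm -q ruby ruby-rdoc lib64ruby3.1` instead of the sample list.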

katnatek 2024-05-02 20:13:33 CEST

Keywords: (none) => advisory

Comment 4 Len Lawrence 2024-05-04 21:22:34 CEST
Created attachment 14526
fibonacci series demo script

Not interactive - just run it.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2024-05-04 21:26:03 CEST
Created attachment 14527
Fibonacci demo script

Not interactive - just run it.

Comment 6 Len Lawrence 2024-05-04 22:47:09 CEST
Created attachment 14528
plain text version of fibonacci test

$ ruby fibonacci.rb

Comment 7 Len Lawrence 2024-05-04 23:47:54 CEST
Mageia 9, x64
Been using ruby for local utilities without issue for years.
The packages updated cleanly.

Managed to start puppet but there is nothing for it to work with.
$ sudo systemctl start puppet
$ sudo systemctl status puppet
● puppet.service - Puppet agent
     Loaded: loaded (/usr/lib/systemd/system/puppet.service; disabled; preset: disabled)
     Active: active (running) since Sat 2024-05-04 21:05:46 BST; 32min ago
   Main PID: 2873650 (puppet)
      Tasks: 1 (limit: 37990)
     Memory: 55.1M
        CPU: 713ms
     CGroup: /system.slice/puppet.service
             └─2873650 /usr/bin/ruby /usr/bin/puppet agent --no-daemonize

May 04 21:33:47 yildun puppet-agent[2873650]: Failed to open TCP connection to puppet:8140 (getaddrinfo:>
May 04 21:33:47 yildun puppet-agent[2873650]: No more routes to ca
May 04 21:35:47 yildun puppet-agent[2873650]: Connection to https://puppet:8140/puppet-ca/v1 failed, try>
May 04 21:35:47 yildun puppet-agent[2873650]: Wrapped exception:
May 04 21:35:47 yildun puppet-agent[2873650]: Failed to open TCP connection to puppet:8140 (getaddrinfo:>
May 04 21:35:47 yildun puppet-agent[2873650]: No more routes to ca
May 04 21:37:47 yildun puppet-agent[2873650]: Connection to https://puppet:8140/puppet-ca/v1 failed, try>
May 04 21:37:47 yildun puppet-agent[2873650]: Wrapped exception:
May 04 21:37:47 yildun puppet-agent[2873650]: Failed to open TCP connection to puppet:8140 (getaddrinfo:>
May 04 21:37:47 yildun puppet-agent[2873650]: No more routes to ca

$ puppet --version
7.12.1

Ran attached script to deal with numbers from the Fibonacci series.
$ ruby fibonacci.rb
<
Using recursion to calculate Fibonacci numbers 11 and 29
89
514229
Do not run anything larger than 39 or you may be here all day!
The Golden Ratio is 1.618033988749895
Term 43 of Fibonacci sequence is 433494437
Any term beyond 70 is difficult to represent exactly.
>

Tried out the REPL (interactive function).
$ irb
irb(main):002:0> e = Math::E
=> 2.718281828459045
irb(main):003:0> i = Complex::I
=> (0+1i)
irb(main):004:0> puts "Euler's number is "+e.to_s
Euler's number is 2.718281828459045
=> nil
irb(main):005:0> z = 7**7
=> 823543
irb(main):006:0> bignumber = 7**z
irb(main):007:0* #puts "Big number is "+bignumber.to_s
irb(main):008:0> puts "Big number is 7^(7^7)"
Big number is 7^(7^7)
=> nil
irb(main):009:0> puts "Number of digits in big number is #{bignumber.to_s.length}"
Number of digits in big number is 695975
=> nil
irb(main):010:0> puts sprintf( "π to 20 places is %22.20f\n", π )
π to 20 places is 3.14159265358979311600
=> nil
irb(main):011:0> exponent = π * i
=> (0.0+3.141592653589793i)
irb(main):012:0> euleridentity = e**exponent + 1
irb(main):013:0> puts "The Euler identity: e^πi + 1 = #{euleridentity}"
The Euler identity: e^πi + 1 = 0.0+0.0i
=> nil
irb(main):014:0> quit

$ gem list
*** LOCAL GEMS ***
abbrev (default: 0.1.0)
addressable (2.8.1)
afm (0.2.2)
array_include_methods (1.4.0)
Ascii85 (1.1.0)
astro_moon (0.2)
....

$ sudo gem install nokogiri
Fetching nokogiri-1.16.4-x86_64-linux.gem
Successfully installed nokogiri-1.16.4-x86_64-linux
Parsing documentation for nokogiri-1.16.4-x86_64-linux
Installing ri documentation for nokogiri-1.16.4-x86_64-linux
Done installing documentation for nokogiri after 0 seconds
1 gem installed

Looks OK.

Whiteboard: (none) => MGA9-64-OK

katnatek 2024-05-05 00:15:24 CEST

CC: (none) => andrewsfarm

Comment 8 Thomas Andrews 2024-05-05 04:28:41 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2024-05-09 04:41:29 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0160.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
