4031 – Ruby needs to be updated to 1.8.7-p357 for CVE-2011-4815, CVE-2011-2705 and CVE-2011-2686

Bug 4031 - Ruby needs to be updated to 1.8.7-p357 for CVE-2011-4815, CVE-2011-2705 and CVE-2011-2686

Summary: Ruby needs to be updated to 1.8.7-p357 for CVE-2011-4815, CVE-2011-2705 and C...

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	1
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:

URL:
Whiteboard:
Keywords:	validated_update

Duplicates (1):	4000 (view as bug list)
Depends on:
Blocks:

Reported:	2012-01-05 14:28 CET by Pascal Terjan
Modified:	2012-02-14 12:40 CET (History)
CC List:	6 users (show)

See Also:
Source RPM:	ruby
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Pascal Terjan 2012-01-05 14:28:40 CET

CVE-2011-2686
Ruby before 1.8.7-p352 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900. NOTE: this issue exists because of a regression during Ruby 1.8.6 development.

CVE-2011-2705
The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before 1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process with the same PID.

CVE-2011-4815
Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

Pascal Terjan 2012-01-05 14:48:07 CET

Assignee: bugsquad => pterjan

Comment 1 Manuel Hiebel 2012-01-16 17:06:53 CET

No news ?

see also bug 4000

CC: (none) => shikamaru
Source RPM: (none) => ruby

Comment 2 Manuel Hiebel 2012-02-01 11:45:24 CET

Ping ?

Comment 3 Pascal Terjan 2012-02-13 00:32:12 CET

ruby-1.8.7.p357-1.mga1 has been submitted to updates_testing, it contains fixes for those three CVE and for CVE-2011-0188 (from bug #4000)

CVE-2011-0188
The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an integer truncation issue.

Comment 4 Pascal Terjan 2012-02-13 00:32:38 CET

*** Bug 4000 has been marked as a duplicate of this bug. ***

CC: (none) => luigiwalser

Comment 5 David Walser 2012-02-13 00:57:41 CET

Assigning to QA.

Advisory:
========================

Updated ruby packages fix security vulnerabilities:

CVE-2011-0188
The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby does
not properly allocate memory, which allows context-dependent attackers to
execute arbitrary code or cause a denial of service (application crash) via
vectors involving creation of a large BigDecimal value within a 64-bit process,
related to an integer truncation issue.

CVE-2011-2686
Ruby before 1.8.7-p352 does not reset the random seed upon forking, which makes
it easier for context-dependent attackers to predict the values of random
numbers by leveraging knowledge of the number sequence obtained in a different
child process, a related issue to CVE-2003-0900. NOTE: this issue exists
because of a regression during Ruby 1.8.6 development.

CVE-2011-2705
The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before
1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization,
which makes it easier for context-dependent attackers to predict the result
string by leveraging knowledge of random strings obtained in an earlier process
with the same PID.

CVE-2011-4815
Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the
ability to trigger hash collisions predictably, which allows context-dependent
attackers to cause a denial of service (CPU consumption) via crafted input to
an application that maintains a hash table.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2686
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2705
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4815
========================

Updated packages in core/updates_testing:
========================
ruby-1.8.7.p357-1.mga1
ruby-doc-1.8.7.p357-1.mga1
ruby-devel-1.8.7.p357-1.mga1
ruby-tk-1.8.7.p357-1.mga1

from ruby-1.8.7.p357-1.mga1.src.rpm

CC: (none) => pterjan
Assignee: pterjan => qa-bugs

Comment 6 Dave Hodgins 2012-02-13 04:21:17 CET

Testing complete on i586 for the srpm
ruby-1.8.7.p357-1.mga1.src.rpm

No poc, so just testing that the program booh, which uses ruby works.

CC: (none) => davidwhodgins

Comment 7 claire robinson 2012-02-13 13:58:45 CET

Tested Ok with booh x86_64

Validating.

Could sysadmin please push from core/updates_testing to core/updates

See comment 5 for advisory and srpm.

Thankyou!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2012-02-14 12:40:42 CET

update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.