An advisory was issued upstream "a month ago" (according to github): https://github.com/rubysec/ruby-advisory-db/issues/25 It's fixed upstream in 0.3.2 and with the commit linked here: https://bugzilla.redhat.com/show_bug.cgi?id=917236 Funda patched it in Cauldron, but Mageia 2 is also vulnerable. Reproducible: Steps to Reproduce:
Patched package uploaded for Mageia 2. Advisory: ======================== Updated ruby-crack packages fix security vulnerability: The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion (CVE-2013-1800). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1800 https://github.com/rubysec/ruby-advisory-db/issues/25 ======================== Updated packages in core/updates_testing: ======================== ruby-crack-0.1.8-2.1.mga2 ruby-crack-doc-0.1.8-2.1.mga2 from ruby-crack-0.1.8-2.1.mga2.src.rpm
Assignee: fundawang => qa-bugs
Testing mga2 64 Assigning back to you David, sorry. Unable to make this work again. Appears to be the same issue as other ruby packages in mga2. Using example from file:///usr/lib/ruby/gems/1.8/doc/crack-0.1.8/rdoc/index.html and http://rubydoc.info/gems/crack/0.3.2/frames $ irb irb(main):001:0> require 'crack/json' LoadError: no such file to load -- crack/json from (irb):1:in `require' from (irb):1 from :0 irb(main):002:0> require 'crack' LoadError: no such file to load -- crack from (irb):2:in `require' from (irb):2 from :0 irb(main):003:0> require 'crack/xml' LoadError: no such file to load -- crack/xml from (irb):3:in `require' from (irb):3 from :0 irb(main):004:0> Crack::XML.parse("<tag>This is the contents</tag>") NameError: uninitialized constant Crack from (irb):4 from :0 irb(main):005:0> exit Strace shows it is searching wrong paths for this one too. $ strace -o strace.out irb irb(main):001:0> require 'crack' LoadError: no such file to load -- crack from (irb):1:in `require' from (irb):1 from :0 irb(main):002:0> exit $ grep crack strace.out stat("/usr/lib/ruby/site_ruby/1.8/crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) stat("/usr/lib/ruby/site_ruby/1.8/crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) stat("/usr/lib/ruby/site_ruby/1.8/x86_64-linux/crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) stat("/usr/lib/ruby/site_ruby/1.8/x86_64-linux/crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) stat("/usr/lib/ruby/site_ruby/1.8/x86_64-linux-gnu/crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) stat("/usr/lib/ruby/site_ruby/1.8/x86_64-linux-gnu/crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) stat("/usr/lib/ruby/site_ruby/crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) stat("/usr/lib/ruby/site_ruby/crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) stat("/usr/lib/ruby/vendor_ruby/1.8/crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) stat("/usr/lib/ruby/vendor_ruby/1.8/crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) stat("/usr/lib/ruby/vendor_ruby/1.8/x86_64-linux/crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) stat("/usr/lib/ruby/vendor_ruby/1.8/x86_64-linux/crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) stat("/usr/lib/ruby/vendor_ruby/crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) stat("/usr/lib/ruby/vendor_ruby/crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) stat("/usr/lib/ruby/1.8/crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) stat("/usr/lib/ruby/1.8/crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) stat("/usr/lib/ruby/1.8/x86_64-linux/crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) stat("/usr/lib/ruby/1.8/x86_64-linux/crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) stat("/usr/lib/ruby/1.8/x86_64-linux-gnu/crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) stat("/usr/lib/ruby/1.8/x86_64-linux-gnu/crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) stat("./crack.rb", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) stat("./crack.so", 0x7fffa3dcedf0) = -1 ENOENT (No such file or directory) write(1, "no such file to load -- crack", 29) = 29 $ urpmf ruby-crack: --media Testing ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8 ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib/crack ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib/crack.rb ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib/crack/core_extensions.rb ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib/crack/json.rb ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib/crack/xml.rb ruby-crack:/usr/lib/ruby/gems/1.8/specifications/crack-0.1.8.gemspec ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8 ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib/crack ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib/crack.rb ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib/crack/core_extensions.rb ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib/crack/json.rb ruby-crack:/usr/lib/ruby/gems/1.8/gems/crack-0.1.8/lib/crack/xml.rb ruby-crack:/usr/lib/ruby/gems/1.8/specifications/crack-0.1.8.gemspec
CC: (none) => qa-bugsAssignee: qa-bugs => luigiwalser
Assigning to Funda then.
CC: (none) => shikamaruAssignee: luigiwalser => fundawang
Closing this now due to Mageia 2 EOL. http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/
Status: NEW => RESOLVEDResolution: (none) => OLD
URL: (none) => http://lwn.net/Vulnerabilities/593862/