Summary: | <dev-lang/ruby-{1.9.3_p484,2.0.0_p353}: heap overflow in floating point parsing (CVE-2013-4164) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | mina, ruby, tb |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1033460 | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 434064, 475308, 483708, 488414, 492268 | ||
Bug Blocks: | 483466 |
Description
Agostino Sarubbo
2013-11-22 10:43:51 UTC
ruby-1.9.3_p484 and ruby-2.0.0_p353 are now in the tree. ruby 1.8 is deprecated and we'll work on masking it as soon as possible. (In reply to Agostino Sarubbo from comment #0) > @maintainer(s): after the bump, in case we need to stabilize the package, > please let us know if it is ready for the stabilization or not. There exists a backported patch for CVE-2013-4164 for ruby 1.8: http://makandracards.com/railslts/19977-backported-fix-for-heap-overflow-in-floating-point-parsing-cve-2013-4164 It might be a good idea to bring this in to stall/in conjunction with deprecating MRI 1.8. (In reply to Mina Naguib from comment #3) > There exists a backported patch for CVE-2013-4164 for ruby 1.8: > > http://makandracards.com/railslts/19977-backported-fix-for-heap-overflow-in- > floating-point-parsing-cve-2013-4164 > > It might be a good idea to bring this in to stall/in conjunction with > deprecating MRI 1.8. Thanks for letting us know about the patch, but we were already planning to mask and remove ruby 1.8 before the end of the year. This security issue is simply speeding up the goal by a few weeks at the most. We do not intend to patch ruby 1.8. I think we can mark the new ruby versions stable: =dev-lang/ruby-1.9.3_p484 =dev-lang/ruby.2.0.0_p353 For ruby 1.8 removal we also need a few stable bugs to go through first. These are added as blockers on this bug. Stable for HPPA. CVE-2013-4164 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4164): Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a string that is converted to a floating point value, as demonstrated using (1) the to_f method or (2) JSON.parse. CVE-2013-4407 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4407): HTTP::Body::Multipart in the HTTP-Body 1.08, 1.17, and earlier module for Perl uses the part of the uploaded file's name after the first "." character as the suffix of a temporary file, which makes it easier for remote attackers to conduct attacks by leveraging subsequent behavior that may assume the suffix is well-formed. Ignore the second CVE. amd64 stable ppc stable ppc64 stable x86 stable alpha stable arm stable sparc stable ia64 stable Please check if =dev-lang/ruby.2.0.0_p353 was stabled for arm as per this bug looks like only ruby-1.9.3_p484. Setting arm arch back. arm stable, all arches done. Maintainer(s), please drop the vulnerable version(s). <dev-lang/ruby-1.9.3_p484 <dev-lang/ruby.2.0.0_p353 1.8 Version. (In reply to Yury German from comment #20) > <dev-lang/ruby-1.9.3_p484 > <dev-lang/ruby.2.0.0_p353 These are now dropped. > 1.8 Version. Still in progress. (In reply to Hans de Graaff from comment #21) > > 1.8 Version. > > Still in progress. Ruby 1.8 has been masked and removed. Maintainer(s), Thank you for cleanup! Added to an existing GLSA request. This issue was resolved and addressed in GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml by GLSA coordinator Sean Amoss (ackle). This is so beneficial information for everyone. I hope all are taking benefits of this. https://www.duaistikharaforlove.com/ |