Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 605536 (CVE-2016-2337, CVE-2016-2339)

Summary: <dev-lang/ruby-2.3.0: multiple vulnerabilities (CVE-2016-{2337,2339})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: ruby
Priority: Normal Flags: stable-bot: sanity-check-
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 621878    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2017-01-13 08:44:31 UTC 
From https://bugzilla.redhat.com/show_bug.cgi?id=1412680:

Type Confusion exists in _cancel_eval Ruby’s TclTkIp class method. Attacker passing different type of object than String as “retval” argument can cause 
arbitrary code execution.

References:
http://www.talosintelligence.com/reports/TALOS-2016-0031/

Upstream patches:
https://github.com/ruby/tk/commit/ebd0fc80d62eeb7b8556522256f8d035e013eb65
https://github.com/ruby/tk/commit/d098136e3f62a4879a7d7cd34bbd50f482ba3331


From https://bugzilla.redhat.com/show_bug.cgi?id=1412678:

An exploitable heap overflow vulnerability exists in the Fiddle::Function.new “initialize” function functionality of Ruby. In Fiddle::Function.new 
“initialize” heap buffer “arg_types” allocation is made based on args array length. Specially constructed object passed as element of args array can 
increase this array size after mentioned allocation and cause heap overflow.

References:
http://www.talosintelligence.com/reports/TALOS-2016-0034/

Upstream patch:
https://github.com/ruby/ruby/commit/bcc2421b4938fc1d9f5f3fb6ef2320571b27af42


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-05-26 09:17:49 UTC 
@ Maintainer(s): Please tell us if we can start stabilization of =dev-lang/ruby-2.3.4-r1 and how you want to proceed with affected 2.2.x after stabilization.
Comment 2 Hans de Graaff gentoo-dev Security 2017-05-27 06:44:11 UTC 
The tcl/tk patches can be backported and have now been applied to ruby-2.2.7-r2. The impact of this security bug is very low since no code in the tree actually uses the tcl/tk extension.

The patches for Fiddle cannot be backported. Note that ruby upstream is still supporting ruby 2.2 with security patches and upstream did not backport this themselves. My assumption is that this was not treated as a security issue, probably due to the reasons outlined in the redhat bug. As far as I can tell redhat also did not backport this code.

We are also not ready yet to stable ruby 2.3. First ruby 2.2 needs to be stable on all arches, then we need to clean up ruby 2.1, and then we need to ensure that enough packages have a ruby23 target. My earliest estimate for a ruby 2.3 stable bug is sometime in September.

My suggestion is to not treat the Fiddle bug as a security issue that needs to be fixed, and keep ruby 2.2 as the current stable version. We can stable ruby 2.2.7-r2 to include the tcltk patchset, but I'd like to keep this revision in testing for a week or so because other patches were also added.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-07-21 11:32:16 UTC 
@ Maintainer(s): So can you please backport the fix to 2.2.x that we can proceed?
Comment 4 Hans de Graaff gentoo-dev Security 2017-07-21 16:20:53 UTC 
(In reply to Thomas Deutschmann from comment #3)
> @ Maintainer(s): So can you please backport the fix to 2.2.x that we can
> proceed?

CVE-2016-2337 was already backported in 2.2.7-r2, I'll add arches for a stable request. CVE-2016-2339 won't be backported, see comment 2.
Comment 5 Stabilization helper bot gentoo-dev 2017-07-21 17:01:02 UTC 
An automated check of this bug failed - repoman reported dependency errors (12 lines truncated): 

> dependency.bad dev-lang/ruby/ruby-2.2.7-r2.ebuild: DEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r2.ebuild: PDEPEND: sparc(default/linux/sparc/13.0) ['>=dev-ruby/minitest-5.4.3[ruby_targets_ruby22]', '>=dev-ruby/power_assert-0.2.2[ruby_targets_ruby22]', '>=dev-ruby/test-unit-3.0.8[ruby_targets_ruby22]', 'virtual/rubygems[ruby_targets_ruby22]', '>=dev-ruby/json-1.8.1[ruby_targets_ruby22]', '>=dev-ruby/rake-0.9.6[ruby_targets_ruby22]', '>=dev-ruby/rdoc-4.0.1[ruby_targets_ruby22]']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r2.ebuild: RDEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
Comment 6 Markus Meier gentoo-dev 2017-08-08 04:31:41 UTC 
arm stable
Comment 7 Stabilization helper bot gentoo-dev 2017-08-08 05:01:15 UTC 
An automated check of this bug failed - repoman reported dependency errors (12 lines truncated): 

> dependency.bad dev-lang/ruby/ruby-2.2.7-r2.ebuild: DEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r2.ebuild: PDEPEND: sparc(default/linux/sparc/13.0) ['>=dev-ruby/minitest-5.4.3[ruby_targets_ruby22]', '>=dev-ruby/power_assert-0.2.2[ruby_targets_ruby22]', '>=dev-ruby/test-unit-3.0.8[ruby_targets_ruby22]', 'virtual/rubygems[ruby_targets_ruby22]', '>=dev-ruby/json-1.8.1[ruby_targets_ruby22]', '>=dev-ruby/rake-0.9.6[ruby_targets_ruby22]', '>=dev-ruby/rdoc-4.0.1[ruby_targets_ruby22]']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r2.ebuild: RDEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
Comment 8 Hans de Graaff gentoo-dev Security 2017-08-08 05:05:09 UTC 
This stable request has been obsoleted by bug 621878
Comment 9 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-08 14:23:38 UTC 
(In reply to Hans de Graaff from comment #8)
> This stable request has been obsoleted by bug 621878

Whiteboard updated to reflect the new status.

Coordinated with K_F.

Gentoo Security Padawan
ChrisADR
Comment 10 Stabilization helper bot gentoo-dev 2017-08-08 15:00:40 UTC 
An automated check of this bug failed - repoman reported dependency errors (27 lines truncated): 

> dependency.bad dev-lang/ruby/ruby-2.2.7-r2.ebuild: DEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r2.ebuild: PDEPEND: sparc(default/linux/sparc/13.0) ['>=dev-ruby/minitest-5.4.3[ruby_targets_ruby22]', '>=dev-ruby/power_assert-0.2.2[ruby_targets_ruby22]', '>=dev-ruby/test-unit-3.0.8[ruby_targets_ruby22]', 'virtual/rubygems[ruby_targets_ruby22]', '>=dev-ruby/json-1.8.1[ruby_targets_ruby22]', '>=dev-ruby/rake-0.9.6[ruby_targets_ruby22]', '>=dev-ruby/rdoc-4.0.1[ruby_targets_ruby22]']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r2.ebuild: RDEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2017-09-10 22:09:29 UTC 
sparc was dropped to exp.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-10-18 00:54:32 UTC 
This issue was resolved and addressed in
 GLSA 201710-18 at https://security.gentoo.org/glsa/201710-18
by GLSA coordinator Aaron Bauman (b-man).