Summary: dev-ruby/rubygems-2.6.13: multiple security vulnerabilities
Product: Gentoo Security        Reporter: Hans de Graaff <graaff>
Component: Vulnerabilities      Assignee: Gentoo Security <security>
Whiteboard: B2 [glsa cve]
Runtime testing required: ---
Description Hans de Graaff 2017-08-28 18:55:25 UTC
Fix a DNS request hijacking vulnerability. Fix by Samuel Giddins.
Fix an ANSI escape sequence vulnerability. Fix by Evan Phoenix.
Fix a DoS vulnerability in the query command. Fix by Samuel Giddins.
Fix a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files. Fix by Samuel Giddins.

dev-ruby/rubygems-2.6.13 has been added to the repository. Because this is such a central ruby package I'd like to wait a week for bugs to shake out before moving to stable.

In terms of overall impact: we don't use rubygems to install any packages within Gentoo itself, so normal Gentoo operation is not affected, but users with an interest in ruby are expected to run rubygems in a way that may trigger these vulnerabilities.
Comment 1 Aleksandr Wagner (Kivak) 2017-08-31 20:46:22 UTC
CVEs have been assigned:

CVE-2017-0899 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0899): RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
References:
http://blog.rubygems.org/2017/08/27/2.6.13-released.html
https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1
https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491
https://hackerone.com/reports/226335

CVE-2017-0900: RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command.
References:
http://blog.rubygems.org/2017/08/27/2.6.13-released.html
https://github.com/rubygems/rubygems/commit/8a38a4fc24c6591e6c8f43d1fadab6efeb4d6251
https://hackerone.com/reports/243003

CVE-2017-0901 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0901): RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.
References:
http://blog.rubygems.org/2017/08/27/2.6.13-released.html
https://github.com/rubygems/rubygems/commit/ad5c0a53a86ca5b218c7976765c0365b91d22cb2
https://hackerone.com/reports/243156

CVE-2017-0902 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0902): RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
References:
http://blog.rubygems.org/2017/08/27/2.6.13-released.html
https://github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32
https://hackerone.com/reports/218088
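Two of the four issues above (CVE-2017-0899, escape sequences in printed spec fields, and CVE-2017-0901, unvalidated spec names used to build an install path) are input-validation problems that any tool consuming untrusted gem metadata has to handle. The following is an added example written for this page, not code from RubyGems or from the commits linked above; the function names, the regular expressions and the sample spec values are assumptions chosen to illustrate the checks.

```ruby
# Added example (not RubyGems code): defensive handling of untrusted gem
# specification fields in a hypothetical tool that prints specs and
# computes install locations from them.

# Matches CSI sequences (ESC [ ... final byte), two-byte ESC sequences
# (ESC followed by @ .. _), and C0 control characters other than tab and
# newline. Anything matched is removed before the string reaches a terminal.
TERMINAL_ESCAPE_RE = /\e\[[0-9;?]*[ -\/]*[@-~]|\e[@-Z\\-_]|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/

def sanitize_for_terminal(value)
  value.to_s.gsub(TERMINAL_ESCAPE_RE, "")
end

# A spec name is only accepted if it is made of a conservative character set
# and starts with a letter or digit, so it can never contain a path separator,
# a leading dot or a control character.
SAFE_SPEC_NAME_RE = /\A[A-Za-z0-9][A-Za-z0-9_\-.]*\z/

def safe_spec_name?(name)
  return false unless name.is_a?(String)
  return false unless name.match?(SAFE_SPEC_NAME_RE)
  return false if name.include?("..")
  true
end

# Resolve where a gem would be unpacked and refuse anything that would land
# outside the base directory. Returns the absolute path, or nil on rejection.
# Both the name check and the containment check are applied: the name check
# is the primary control, the containment check is defence in depth.
def install_path_for(base_dir, full_name)
  return nil unless safe_spec_name?(full_name)
  base = File.expand_path(base_dir)
  target = File.expand_path(File.join(base, full_name))
  return nil unless target.start_with?(base + File::SEPARATOR)
  target
end

# Print a spec summary with every field sanitized; hypothetical spec hash
# constructed for this example.
def describe_spec(spec)
  fields = %w[name version summary].map { |k| sanitize_for_terminal(spec[k]) }
  "#{fields[0]} (#{fields[1]}): #{fields[2]}"
end

if __FILE__ == $0
  # Constructed sample spec carrying an escape sequence in its summary.
  spec = { "name" => "example-gem", "version" => "1.0.0",
           "summary" => "plain text \e[31m(coloured)\e[0m" }
  puts describe_spec(spec)
  puts install_path_for("/tmp/gems", "example-gem-1.0.0").inspect
  puts install_path_for("/tmp/gems", "../outside").inspect
end
```

The sanitizer is applied at the output boundary rather than at parse time, so the stored metadata stays intact for comparison and logging while nothing that reaches a terminal can carry a control sequence; the name check rejects the input outright, since a spec name that needs path characters has no legitimate use.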
Comment 2 Sergei Trofimovich (RETIRED) 2017-09-02 13:29:56 UTC
Comment 3 Tobias Klausmann (RETIRED) 2017-09-04 07:35:25 UTC
Stable on alpha.
Comment 4 Markus Meier 2017-09-07 19:40:54 UTC
Comment 5 Sergei Trofimovich (RETIRED) 2017-09-24 16:18:59 UTC
Comment 6 Sergei Trofimovich (RETIRED) 2017-09-24 18:15:24 UTC
Comment 7 Sergei Trofimovich (RETIRED) 2017-09-24 18:51:56 UTC
Comment 8 Manuel Rüger (RETIRED) 2017-10-02 12:23:24 UTC
Comment 9 Thomas Deutschmann 2017-10-02 23:45:47 UTC
Comment 10 Hans de Graaff 2017-10-03 05:32:57 UTC
@security: are we going to wait for arm64? Haven't seen any activity by them for some time and they are not security supported, correct? Otherwise we are ready for cleanup and we can proceed with this bug.
Comment 11 Christopher Díaz Riveros (RETIRED) 2017-10-03 14:53:12 UTC
(In reply to Hans de Graaff from comment #10)
> @security: are we going to wait for arm64? Haven't seen any activity by them
> for some time and they are not security supported, correct? Otherwise we are
> ready for cleanup and we can proceed with this bug.

ATM no one seems to be working on arm64... I tried to contact them, no answer. Security bugs must proceed since all supported arches are stable now.

@arm64 please try to stabilize before cleanup, if you can't you'll need to open a new stabilization request.

@Hans proceed to cleanup.

New GLSA Request filed.

Gentoo Security Padawan
ChrisADR
Comment 12 GLSAMaker/CVETool Bot 2017-10-08 12:54:20 UTC
This issue was resolved and addressed in GLSA 201710-01 at https://security.gentoo.org/glsa/201710-01 by GLSA coordinator Aaron Bauman (b-man).
Comment 13 Aaron Bauman 2017-10-08 12:55:29 UTC
re-opened for cleanup.
Comment 14 Hans de Graaff 2017-10-08 15:10:33 UTC
Vulnerable versions have been removed.