Bug 629230 (CVE-2017-0899, CVE-2017-0900, CVE-2017-0901, CVE-2017-0902)

Summary: <dev-ruby/rubygems-2.6.13: multiple security vulnerabilities
Product: Gentoo Security
Reporter: Hans de Graaff <graaff>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: ruby
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
Whiteboard: B2 [glsa cve]
Package list: dev-ruby/rubygems-2.6.13
Runtime testing required: ---

Description Hans de Graaff gentoo-dev Security 2017-08-28 18:55:25 UTC
Fix a DNS request hijacking vulnerability. Fix by Samuel Giddins.
Fix an ANSI escape sequence vulnerability. Fix by Evan Phoenix.
Fix a DOS vulnerability in the query command. Fix by Samuel Giddins.
Fix a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files. Fix by Samuel Giddins.

dev-ruby/rubygems-2.6.13 has been added to the repository. Because this is such a central ruby package I'd like to wait a week for bugs to shake out before moving to stable.

In terms of overall impact: we don't use rubygems to install any packages within Gentoo itself so normal Gentoo operation is not affected, but users with an interest in ruby are expected to run rubygems in a way that may trigger these vulnerabilities.
Comment 1 Aleksandr Wagner (Kivak) 2017-08-31 20:46:22 UTC
CVEs have been assigned:

CVE-2017-0899 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0899):

RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences. 

References:

http://blog.rubygems.org/2017/08/27/2.6.13-released.html
https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1
https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491
https://hackerone.com/reports/226335

CVE-2017-0900 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0900):

RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command. 

References:

http://blog.rubygems.org/2017/08/27/2.6.13-released.html
https://github.com/rubygems/rubygems/commit/8a38a4fc24c6591e6c8f43d1fadab6efeb4d6251
https://hackerone.com/reports/243003

CVE-2017-0901 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0901):

RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. 

References:

http://blog.rubygems.org/2017/08/27/2.6.13-released.html
https://github.com/rubygems/rubygems/commit/ad5c0a53a86ca5b218c7976765c0365b91d22cb2
https://hackerone.com/reports/243156

CVE-2017-0902 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0902):

RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls. 

References:

http://blog.rubygems.org/2017/08/27/2.6.13-released.html
https://github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32
https://hackerone.com/reports/218088
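The two bug classes from CVE-2017-0901 (unvalidated spec names used to build install paths) and CVE-2017-0899 (terminal escape sequences in spec fields echoed to the terminal) can be checked for defensively on the client side. The helpers below are an added example, not RubyGems' own code or the upstream fix; the function names and the allow-list pattern are assumptions.

```ruby
# Added example (not RubyGems' own code): defensive checks on untrusted gem
# specification fields, illustrating two of the bug classes fixed in 2.6.13.
require 'pathname'

# Hypothetical helper: reject gem names that could escape the install
# directory (path separators, "..", NUL, empty or oversized names).
def safe_gem_name?(name)
  return false unless name.is_a?(String)
  return false if name.empty? || name.length > 128
  return false if name.include?('/') || name.include?('\\') || name.include?("\0")
  return false if name == '.' || name == '..' || name.start_with?('..')
  # Conservative allow-list: letters, digits, dot, dash, underscore.
  !!(name =~ /\A[A-Za-z0-9._-]+\z/)
end

# Hypothetical helper: compute where a gem would be unpacked and confirm the
# resolved path stays inside the install root (defence in depth on top of
# the name check above).
def install_location(install_root, name, version)
  raise ArgumentError, "invalid gem name" unless safe_gem_name?(name)
  root = Pathname.new(install_root).expand_path
  target = (root + "gems" + "#{name}-#{version}").expand_path
  raise ArgumentError, "path escapes install root" unless target.to_s.start_with?(root.to_s + "/")
  target.to_s
end

# Strip terminal escape sequences (CSI such as "\e[31m", OSC such as
# "\e]0;title\a") and remaining control bytes before printing spec fields.
def sanitize_for_terminal(text)
  text.to_s
      .gsub(/\e\[[0-9;?]*[ -\/]*[@-~]/, '')            # CSI sequences
      .gsub(/\e\][^\a\e]*(\a|\e\\)/, '')               # OSC sequences (BEL or ST terminated)
      .gsub(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/, '')    # other C0 controls and DEL, keep \t \n \r
end

if __FILE__ == $0
  # Constructed sample values mimicking a malicious gemspec (not real data).
  puts safe_gem_name?("../../../etc/cron.d/evil")                      # false
  puts sanitize_for_terminal("nice-gem \e[31mRED\e[0m \e]0;title\a text") # "nice-gem RED  text"
end
```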
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-02 13:29:56 UTC
ia64 stable
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2017-09-04 07:35:25 UTC
Stable on alpha.
Comment 4 Markus Meier gentoo-dev 2017-09-07 19:40:54 UTC
arm stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-24 16:18:59 UTC
ppc64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-24 18:15:24 UTC
hppa stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-24 18:51:56 UTC
ppc stable
Comment 8 Manuel Rüger (RETIRED) gentoo-dev 2017-10-02 12:23:24 UTC
amd64 stable
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-02 23:45:47 UTC
x86 stable
Comment 10 Hans de Graaff gentoo-dev Security 2017-10-03 05:32:57 UTC
@security: are we going to wait for arm64? Haven't seen any activity by them for some time and they are not security supported, correct? Otherwise we are ready for cleanup and we can proceed with this bug.
Comment 11 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-03 14:53:12 UTC
(In reply to Hans de Graaff from comment #10)
> @security: are we going to wait for arm64? Haven't seen any activity by them
> for some time and they are not security supported, correct? Otherwise we are
> ready for cleanup and we can proceed with this bug.

ATM no one seems to be working on arm64... I tried to contact them, no answer.
Security bugs must proceed since all supported arches are stable now.

@arm64 please try to stabilize before cleanup, if you can't you'll need to open a new stabilization request.

@Hans proceed to cleanup.

New GLSA Request filed.

Gentoo Security Padawan
ChrisADR
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-10-08 12:54:20 UTC
This issue was resolved and addressed in
 GLSA 201710-01 at https://security.gentoo.org/glsa/201710-01
by GLSA coordinator Aaron Bauman (b-man).
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2017-10-08 12:55:29 UTC
re-opened for cleanup.
Comment 14 Hans de Graaff gentoo-dev Security 2017-10-08 15:10:33 UTC
Vulnerable versions have been removed.