Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 631034 (CVE-2017-0898, CVE-2017-10784, CVE-2017-14033)

Summary: <dev-lang/ruby-{2.2.8,2.3.5,2.4.2}: multiple vulnerabilities
Product: Gentoo Security Reporter: Hans de Graaff <graaff>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ruby
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/
Whiteboard: A3 [glsa cve]
Package list:
dev-lang/ruby-2.2.8
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 629484    

Description Hans de Graaff gentoo-dev 2017-09-15 06:26:39 UTC
Affected versions:

Ruby 2.2 series: 2.2.7 and earlier
Ruby 2.3 series: 2.3.4 and earlier
Ruby 2.4 series: 2.4.1 and earlier


CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf

If a malicious format string which contains a precious specifier (*) is passed and a huge minus value is also passed to the specifier, buffer underrun may be caused. In such situation, the result may contains heap, or the Ruby interpreter may crash.


CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick

When using the Basic authentication of WEBrick, clients can pass an arbitrary string as the user name. WEBrick outputs the passed user name intact to its log, then an attacker can inject malicious escape sequences to the log and dangerous control characters may be executed on a victim’s terminal emulator.


CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode

If a malicious string is passed to the decode method of OpenSSL::ASN1, buffer underrun may be caused and the Ruby interpreter may crash.


CVE-2017-14064: Heap exposure vulnerability in generating JSON

The generate method of JSON module optionally accepts an instance of JSON::Ext::Generator::State class. If a malicious instance is passed, the result may include contents of heap.

This bug is already fixed in bug 629484
Comment 1 Hans de Graaff gentoo-dev 2017-09-15 07:29:23 UTC
Fixed versions have been added:

dev-lang/ruby-2.2.8
dev-lang/ruby-2.3.5
dev-lang/ruby-2.4.2

Only the 2.2 slot is stable, so we can proceed with marking dev-lang/ruby-2.2.8 stable.
Comment 2 Tobias Klausmann gentoo-dev 2017-09-15 15:40:17 UTC
Stable on alpha.
Comment 3 Sergei Trofimovich gentoo-dev 2017-09-16 11:09:23 UTC
ia64 stable
Comment 4 Sergei Trofimovich gentoo-dev 2017-09-16 19:14:03 UTC
hppa stable
Comment 5 Markus Meier gentoo-dev 2017-09-18 04:30:47 UTC
arm stable
Comment 6 Sergei Trofimovich gentoo-dev 2017-09-23 12:42:14 UTC
ppc64 stable
Comment 7 Sergei Trofimovich gentoo-dev 2017-09-23 19:47:55 UTC
ppc stable
Comment 8 Manuel Rüger gentoo-dev 2017-10-02 12:54:25 UTC
amd64 stable
Comment 9 Thomas Deutschmann gentoo-dev Security 2017-10-02 23:45:33 UTC
x86 stable


@ Maintainer(s): Please cleanup!
Comment 10 Hans de Graaff gentoo-dev 2017-10-03 05:27:26 UTC
Vulnerable versions have been removed.
Comment 11 D'juan McDonald (domhnall) 2017-10-16 18:47:36 UTC
@security, please vote on GLSA, thank you.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-10-18 00:54:49 UTC
This issue was resolved and addressed in
 GLSA 201710-18 at https://security.gentoo.org/glsa/201710-18
by GLSA coordinator Aaron Bauman (b-man).
Comment 13 Sergei Trofimovich gentoo-dev 2017-11-30 20:10:49 UTC
sparc stable (thanks to Rolf Eike Beer)