
Bug 668904 (CVE-2018-16395, CVE-2018-16396)

Summary: <dev-lang/ruby-2.3.8: multiple vulnerabilities (CVE-2018-{16395, 16396})
Product: Gentoo Security
Component: Vulnerabilities
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa cve]
Reporter: Hans de Graaff <graaff>
Assignee: Gentoo Security <security>
CC: ruby
Flags: stable-bot: sanity-check+
Package list:
dev-lang/ruby-2.3.8
Runtime testing required: ---

Description Hans de Graaff gentoo-dev Security 2018-10-18 05:30:37 UTC
https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/

The equality check of OpenSSL::X509::Name is not correct in the openssl extension library bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2018-16395.

Details

An instance of OpenSSL::X509::Name contains entities such as CN, C and so on. Two instances of OpenSSL::X509::Name are equal only when all entities are exactly equal. However, there is a bug where the equality check is not correct if the value of an entity of the argument (right-hand side) starts with the value of the receiver (left-hand side). So, if a malicious X.509 certificate is passed to be compared with an existing certificate, it may be incorrectly judged that they are equal.

Ruby users are strongly recommended to upgrade their Ruby installation or take one of the following workarounds as soon as possible.

Affected Versions

    Ruby 2.3 series: 2.3.7 and earlier
    Ruby 2.4 series: 2.4.4 and earlier
    Ruby 2.5 series: 2.5.1 and earlier
    Ruby 2.6 series: 2.6.0-preview2 and earlier
    current trunk and earlier


https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/

In Array#pack and String#unpack with some formats, the tainted flags of the original data are not propagated to the returned string/array. This vulnerability has been assigned the CVE identifier CVE-2018-16396.

Details

The Array#pack method converts the receiver’s contents into a string with the specified format. If the receiver contains some tainted objects, the returned string should also be tainted. The String#unpack method, which converts the receiver into an array, should also propagate its tainted flag to the objects contained in the returned array. But with the B, b, H and h directives, the tainted flags are not propagated. So, if a script processes unreliable inputs with Array#pack and/or String#unpack using these directives and checks the reliability with tainted flags, the check might be wrong.

All users running an affected release should upgrade immediately.

Affected Versions

    Ruby 2.3 series: 2.3.7 and earlier
    Ruby 2.4 series: 2.4.4 and earlier
    Ruby 2.5 series: 2.5.1 and earlier
    Ruby 2.6 series: 2.6.0-preview2 and earlier
    prior to trunk revision r65125
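
A self-check for the CVE-2018-16395 behaviour described in the report above, as an added example that is not part of the original bug report or of Ruby's own code: it tests whether `OpenSSL::X509::Name#==` on the running interpreter treats a pair as equal when the argument's CN starts with the receiver's CN, and shows a byte-exact DER comparison that does not go through `Name#<=>`. The sample names, the helper method names and the use of DER comparison are assumptions made for illustration.

```ruby
require "openssl"

# Build a distinguished name from constructed sample values (not real subjects).
def build_name(cn)
  OpenSSL::X509::Name.new([["C", "NL"], ["O", "Example Org"], ["CN", cn]])
end

# Byte-exact comparison of the DER encodings. This compares two Ruby
# strings, so it does not rely on OpenSSL::X509::Name#== or #<=>.
def strict_name_equal?(a, b)
  a.to_der == b.to_der
end

# Returns true when Name#== reports equality for two names whose DER
# encodings differ, using the pattern from the advisory: the argument's
# CN value starts with the receiver's CN value.
def name_equality_affected?
  receiver = build_name("example.test")
  argument = build_name("example.test.extra")
  (receiver == argument) && !strict_name_equal?(receiver, argument)
end

# Summary suitable for a deployment check or a CI step.
def equality_report
  {
    ruby_version: RUBY_VERSION,
    openssl_ext_version: OpenSSL::VERSION,
    affected: name_equality_affected?
  }
end

if __FILE__ == $PROGRAM_NAME
  report = equality_report
  puts "ruby #{report[:ruby_version]}, openssl ext #{report[:openssl_ext_version]}"
  puts(report[:affected] ? "Name#== is affected: upgrade Ruby" : "Name#== behaves correctly")
end
```

The byte-exact comparison is stricter than `Name#==`: names that differ only in letter case or string encoding compare as different.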
Comment 1 Larry the Git Cow gentoo-dev 2018-10-18 05:36:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3b36cedbaf5692a91b54f4716e3822d71cf89303

commit 3b36cedbaf5692a91b54f4716e3822d71cf89303
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2018-10-18 05:35:57 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2018-10-18 05:36:12 +0000

    dev-lang/ruby: add 2.4.5
    
    Bug: https://bugs.gentoo.org/668904
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>
    Package-Manager: Portage-2.3.49, Repoman-2.3.11

 dev-lang/ruby/Manifest          |   1 +
 dev-lang/ruby/ruby-2.4.5.ebuild | 229 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 230 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2018-10-19 05:35:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e220eddf18fd68d86b911c75b1d4ef17e25d4cea

commit e220eddf18fd68d86b911c75b1d4ef17e25d4cea
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2018-10-19 05:34:00 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2018-10-19 05:34:00 +0000

    dev-lang/ruby: add 2.5.3
    
    Bug: https://bugs.gentoo.org/668904
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>
    Package-Manager: Portage-2.3.49, Repoman-2.3.11

 dev-lang/ruby/Manifest          |   1 +
 dev-lang/ruby/ruby-2.5.3.ebuild | 224 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 225 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2018-10-19 13:32:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b65d79153da9e846568e86b9d9f9818a22fefba4

commit b65d79153da9e846568e86b9d9f9818a22fefba4
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2018-10-19 13:31:21 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2018-10-19 13:31:40 +0000

    dev-lang/ruby: add 2.3.8
    
    Bug: https://bugs.gentoo.org/668904
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>
    Package-Manager: Portage-2.3.49, Repoman-2.3.11

 dev-lang/ruby/Manifest          |   2 +
 dev-lang/ruby/ruby-2.3.8.ebuild | 242 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 244 insertions(+)
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-10-21 18:23:40 UTC
amd64 stable
Comment 5 Rolf Eike Beer archtester 2018-10-23 21:10:55 UTC
sparc stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-10-26 00:54:21 UTC
x86 stable
Comment 7 Matt Turner gentoo-dev 2018-10-26 05:37:41 UTC
ppc/ppc64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-29 23:42:23 UTC
ia64 stable
Comment 9 Markus Meier gentoo-dev 2018-10-31 17:16:08 UTC
arm stable
Comment 10 Matt Turner gentoo-dev 2018-11-03 05:33:57 UTC
alpha stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2018-11-07 00:06:15 UTC
hppa stable
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-11 16:44:33 UTC
s390 stable
Comment 13 Hans de Graaff gentoo-dev Security 2018-12-11 17:15:43 UTC
Cleanup done.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2018-12-11 17:28:19 UTC
(In reply to Hans de Graaff from comment #13)
> Cleanup done.

Thanks, Hans!