Bug 629484 (CVE-2017-14064) - <dev-lang/ruby-2.2.7-r4: through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory (CVE-2017-14064)
Status: RESOLVED FIXED
Alias: CVE-2017-14064
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://bugs.ruby-lang.org/issues/13853
Whiteboard: A3 [glsa cve]
Keywords:
Depends on: CVE-2017-0898, CVE-2017-10784, CVE-2017-14033
Blocks:
Reported: 2017-08-31 19:17 UTC by D'juan McDonald (domhnall)
Modified: 2018-07-28 16:12 UTC (History)

See Also:
Package list:
dev-lang/ruby-2.2.7-r4 dev-ruby/json-1.8.6-r1
Runtime testing required: ---
stable-bot: sanity-check+


Description D'juan McDonald (domhnall) 2017-08-31 19:17:22 UTC
From ${URL}:

Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issue lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a '\0' byte, returning a pointer to a string of length zero, which is not the length stored in space_len.

Upstream Bug: https://bugs.ruby-lang.org/issues/13853

Upstream Patch: https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85

CVE Details: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14064

@maintainer(s), after bump, please follow procedure to stabilize if needed.
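The description above boils down to a length/allocation mismatch: strdup() copies only up to the first NUL byte, but the generator keeps the caller's original length in space_len, so a later copy of space_len bytes out of the duplicated buffer reads past the heap chunk. The following is an added illustration written for this page, not code from the json gem or from the upstream patch; the field names space and space_len follow the bug description, while GeneratorState, alloc_len, the set_space_* functions and the constructed input "ab\0cd" are assumptions made here to keep the model self-contained.

```c
#define _POSIX_C_SOURCE 200809L
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added model (not the json gem's struct): `space`/`space_len` follow the
 * bug description; `alloc_len` is instrumentation added here so the
 * mismatch can be measured without actually reading past the allocation. */
typedef struct {
    char  *space;      /* copied separator string */
    size_t space_len;  /* length the generator believes `space` has */
    size_t alloc_len;  /* bytes really allocated for `space` (instrumentation) */
} GeneratorState;

/* Vulnerable pattern: strdup() stops at the first NUL, but the
 * caller-supplied length is recorded unchanged. A later
 * memcpy(out, st->space, st->space_len) then reads beyond the chunk. */
int set_space_strdup(GeneratorState *st, const char *src, size_t len)
{
    st->space = strdup(src);
    if (st->space == NULL)
        return -1;
    st->alloc_len = strlen(st->space) + 1;  /* what strdup really allocated */
    st->space_len = len;                    /* may exceed alloc_len */
    return 0;
}

/* Fixed pattern: allocate and copy exactly `len` bytes (embedded NULs
 * included), so the recorded length always fits the allocation. */
int set_space_fixed(GeneratorState *st, const char *src, size_t len)
{
    char *dup = malloc(len + 1);
    if (dup == NULL)
        return -1;
    memcpy(dup, src, len);
    dup[len] = '\0';
    st->space     = dup;
    st->alloc_len = len + 1;
    st->space_len = len;
    return 0;
}

/* Bytes a memcpy of space_len would read beyond the allocation (0 = consistent). */
size_t over_read_bytes(const GeneratorState *st)
{
    return st->space_len > st->alloc_len ? st->space_len - st->alloc_len : 0;
}

int space_is_consistent(const GeneratorState *st)
{
    return over_read_bytes(st) == 0;
}

void free_space(GeneratorState *st)
{
    free(st->space);
    st->space = NULL;
    st->space_len = st->alloc_len = 0;
}

/* Constructed input: a separator with an embedded NUL, like a Ruby String
 * containing "\0" handed to the generator as its `space` option. */
static const char   demo_src[] = "ab\0cd";
static const size_t demo_len   = sizeof(demo_src) - 1;  /* 5 bytes */

/* Run the constructed input through each path and report the over-read. */
size_t demo_over_read_strdup(void)
{
    GeneratorState st = {0};
    if (set_space_strdup(&st, demo_src, demo_len) != 0)
        return (size_t)-1;
    size_t n = over_read_bytes(&st);
    free_space(&st);
    return n;
}

size_t demo_over_read_fixed(void)
{
    GeneratorState st = {0};
    if (set_space_fixed(&st, demo_src, demo_len) != 0)
        return (size_t)-1;
    size_t n = over_read_bytes(&st);
    free_space(&st);
    return n;
}

int main(void)
{
    printf("strdup path: %zu byte(s) would be read past the allocation\n",
           demo_over_read_strdup());
    printf("memcpy path: %zu byte(s) would be read past the allocation\n",
           demo_over_read_fixed());
    return 0;
}
```

With the 5-byte input "ab\0cd", the strdup path allocates 3 bytes ("ab" plus the terminator) while still recording space_len = 5, so an emit of space_len bytes would read 2 bytes of adjacent heap into the JSON output; the length-honouring copy allocates 6 bytes and the over-read is 0. The same reasoning applies to any string option the generator duplicates by strdup() while keeping a separately stored length.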
Comment 1 Hans de Graaff gentoo-dev 2017-09-01 07:12:54 UTC
This also affects dev-ruby/json. This is fixed in dev-ruby/json-2.1.0 and I have just backported this to dev-ruby/json-1.8.6-r1.
Comment 2 Hans de Graaff gentoo-dev 2017-09-01 08:57:51 UTC
Fixed dev-lang/ruby revisions:

dev-lang/ruby-2.2.7-r4
dev-lang/ruby-2.3.4-r4
dev-lang/ruby-2.4.1-r4
Comment 3 Stabilization helper bot gentoo-dev 2017-09-01 09:00:33 UTC
An automated check of this bug failed - the following atom is unknown:

dev-lang/ruby-2.2.7-r4

Please verify the atom list.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-01 12:40:19 UTC
(In reply to Hans de Graaff from comment #2)
> Fixed dev-lang/ruby revisions:
> 
> dev-lang/ruby-2.2.7-r4
> dev-lang/ruby-2.3.4-r4
> dev-lang/ruby-2.4.1-r4

Hans, git push?
Comment 5 Hans de Graaff gentoo-dev 2017-09-01 13:56:59 UTC
(In reply to Aaron Bauman from comment #4)

> Hans, git push?

Yes :-/
Comment 6 Sergei Trofimovich gentoo-dev 2017-09-02 13:30:03 UTC
ia64 stable
Comment 7 Tobias Klausmann gentoo-dev 2017-09-04 10:49:27 UTC
Stable on alpha.
Comment 8 Markus Meier gentoo-dev 2017-09-07 18:41:54 UTC
arm stable
Comment 9 Sergei Trofimovich gentoo-dev 2017-09-11 07:54:38 UTC
ppc64 stable
Comment 10 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-12 23:40:31 UTC
amd64 tested, ok
Comment 11 Hans de Graaff gentoo-dev 2017-09-13 05:32:50 UTC
(In reply to Christopher Díaz from comment #10)
> amd64 tested, ok

amd64 stable
Comment 12 Hans de Graaff gentoo-dev 2017-09-15 07:31:32 UTC
This security bug is superseded by bug 631034
Comment 13 Yury German Gentoo Infrastructure gentoo-dev Security 2017-09-15 15:47:31 UTC
Please complete stabilization of =dev-ruby/json-1.8.6-r1 here, and please go to Depends bug for the Ruby!
Comment 14 Sergei Trofimovich gentoo-dev 2017-09-17 16:51:52 UTC
hppa stable
Comment 15 Sergei Trofimovich gentoo-dev 2017-09-24 18:51:42 UTC
ppc stable

Last arch is done here.
Comment 16 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-24 19:43:49 UTC
@x86 please test and mark stable dev-ruby/json-1.8.6-r1
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2017-10-18 00:54:40 UTC
This issue was resolved and addressed in
 GLSA 201710-18 at https://security.gentoo.org/glsa/201710-18
by GLSA coordinator Aaron Bauman (b-man).