From https://bugzilla.redhat.com/show_bug.cgi?id=1412680:

Type confusion exists in the _cancel_eval method of Ruby's TclTkIp class. An attacker passing an object of a type other than String as the "retval" argument can cause arbitrary code execution.

References: http://www.talosintelligence.com/reports/TALOS-2016-0031/

Upstream patches:
https://github.com/ruby/tk/commit/ebd0fc80d62eeb7b8556522256f8d035e013eb65
https://github.com/ruby/tk/commit/d098136e3f62a4879a7d7cd34bbd50f482ba3331

From https://bugzilla.redhat.com/show_bug.cgi?id=1412678:

An exploitable heap overflow vulnerability exists in the Fiddle::Function.new "initialize" functionality of Ruby. In Fiddle::Function.new "initialize", the heap buffer "arg_types" is allocated based on the length of the args array. A specially constructed object passed as an element of the args array can increase the array's size after that allocation and cause a heap overflow.

References: http://www.talosintelligence.com/reports/TALOS-2016-0034/

Upstream patch: https://github.com/ruby/ruby/commit/bcc2421b4938fc1d9f5f3fb6ef2320571b27af42

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
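The Fiddle description above boils down to a time-of-check/time-of-use pattern: the array length is read once to size a buffer, and then each element is converted through a hook the caller controls, which can grow the array while the loop is still running. The following is an added illustration written for this page, not Ruby's own C code, Fiddle, or the Talos proof of concept. It simulates the pattern in pure Ruby so it runs safely (an out-of-bounds index only grows a Ruby Array instead of corrupting the heap); `GrowingType`, `pack_types_vulnerable` and `pack_types_safe` are names chosen here and are not identifiers from the real code.

```ruby
# Added illustration of the length-then-convert hazard (not Ruby/Fiddle code).
# A conversion hook (to_int) runs in the middle of the caller's loop and can
# mutate the very array the caller has already measured.
class GrowingType
  def initialize(target)
    @target = target
  end

  # Kernel#Integer calls to_int on non-numeric objects; this hook appends a
  # new element to the array being iterated, then returns a harmless value.
  def to_int
    @target << 0
    0
  end
end

# Vulnerable shape: size the buffer from args.length, then convert elements
# while re-reading the (now growing) array. In C, buf[i] for i >= n would
# write past the allocation; here it just grows the Array so we can measure.
def pack_types_vulnerable(args)
  n = args.length
  buf = Array.new(n)            # stands in for the fixed-size heap buffer
  i = 0
  while i < args.length         # bound re-read after the hook ran
    buf[i] = Integer(args[i])   # the hook fires inside this call
    i += 1
  end
  { allocated: n, written: buf.length }
end

# Safer shape: run every conversion (and therefore every hook) first, then
# size the buffer from the converted result, so nothing can change between
# the length check and the writes.
def pack_types_safe(args)
  types = args.map { |a| Integer(a) }   # all hooks fire here
  n = types.length
  buf = Array.new(n)
  types.each_with_index { |t, i| buf[i] = t }
  { allocated: n, written: buf.length }
end

# Constructed input: two ordinary ints plus one object whose hook appends.
def demo(packer)
  args = [1, 2]
  args << GrowingType.new(args)
  packer.call(args)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{demo(method(:pack_types_vulnerable))}"
  puts "safe:       #{demo(method(:pack_types_safe))}"
end
```

With the constructed input, the vulnerable variant allocates for three elements but writes four; the safe variant's allocation and write count always match because the hook can no longer run after the size has been fixed.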
@ Maintainer(s): Please tell us if we can start stabilization of =dev-lang/ruby-2.3.4-r1 and how you want to proceed with affected 2.2.x after stabilization.
The tcl/tk patches can be backported and have now been applied to ruby-2.2.7-r2. The impact of this security bug is very low since no code in the tree actually uses the tcl/tk extension.

The patches for Fiddle cannot be backported. Note that ruby upstream is still supporting ruby 2.2 with security patches and upstream did not backport this themselves. My assumption is that this was not treated as a security issue, probably due to the reasons outlined in the redhat bug. As far as I can tell redhat also did not backport this code.

We are also not ready yet to stable ruby 2.3. First ruby 2.2 needs to be stable on all arches, then we need to clean up ruby 2.1, and then we need to ensure that enough packages have a ruby23 target. My earliest estimate for a ruby 2.3 stable bug is sometime in September.

My suggestion is to not treat the Fiddle bug as a security issue that needs to be fixed, and keep ruby 2.2 as the current stable version. We can stable ruby 2.2.7-r2 to include the tcltk patchset, but I'd like to keep this revision in testing for a week or so because other patches were also added.
@ Maintainer(s): So can you please backport the fix to 2.2.x that we can proceed?
(In reply to Thomas Deutschmann from comment #3)
> @ Maintainer(s): So can you please backport the fix to 2.2.x that we can
> proceed?

CVE-2016-2337 was already backported in 2.2.7-r2, I'll add arches for a stable request. CVE-2016-2339 won't be backported, see comment 2.
An automated check of this bug failed - repoman reported dependency errors (12 lines truncated):

> dependency.bad dev-lang/ruby/ruby-2.2.7-r2.ebuild: DEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r2.ebuild: PDEPEND: sparc(default/linux/sparc/13.0) ['>=dev-ruby/minitest-5.4.3[ruby_targets_ruby22]', '>=dev-ruby/power_assert-0.2.2[ruby_targets_ruby22]', '>=dev-ruby/test-unit-3.0.8[ruby_targets_ruby22]', 'virtual/rubygems[ruby_targets_ruby22]', '>=dev-ruby/json-1.8.1[ruby_targets_ruby22]', '>=dev-ruby/rake-0.9.6[ruby_targets_ruby22]', '>=dev-ruby/rdoc-4.0.1[ruby_targets_ruby22]']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r2.ebuild: RDEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
arm stable
This stable request has been obsoleted by bug 621878
(In reply to Hans de Graaff from comment #8)
> This stable request has been obsoleted by bug 621878

Whiteboard updated to reflect the new status. Coordinated with K_F.

Gentoo Security Padawan
ChrisADR
An automated check of this bug failed - repoman reported dependency errors (27 lines truncated):

> dependency.bad dev-lang/ruby/ruby-2.2.7-r2.ebuild: DEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r2.ebuild: PDEPEND: sparc(default/linux/sparc/13.0) ['>=dev-ruby/minitest-5.4.3[ruby_targets_ruby22]', '>=dev-ruby/power_assert-0.2.2[ruby_targets_ruby22]', '>=dev-ruby/test-unit-3.0.8[ruby_targets_ruby22]', 'virtual/rubygems[ruby_targets_ruby22]', '>=dev-ruby/json-1.8.1[ruby_targets_ruby22]', '>=dev-ruby/rake-0.9.6[ruby_targets_ruby22]', '>=dev-ruby/rdoc-4.0.1[ruby_targets_ruby22]']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r2.ebuild: RDEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
sparc was dropped to exp:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
This issue was resolved and addressed in GLSA 201710-18 at https://security.gentoo.org/glsa/201710-18 by GLSA coordinator Aaron Bauman (b-man).