Bug 633904 (CVE-2017-0903) - <dev-ruby/rubygems-2.6.14 rce via unsafe yaml deserialization (CVE-2017-0903)
Summary: <dev-ruby/rubygems-2.6.14 rce via unsafe yaml deserialization (CVE-2017-0903)
Status: RESOLVED FIXED
Alias: CVE-2017-0903
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://blog.rubygems.org/2017/10/09/2...
Whiteboard: C2 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-10 04:32 UTC by Hank Leininger
Modified: 2017-10-26 01:02 UTC (History)

See Also:
Package list:
dev-ruby/rubygems-2.6.14
Runtime testing required: ---
stable-bot: sanity-check+


Description Hank Leininger 2017-10-10 04:32:27 UTC
https://marc.info/?l=oss-security&m=150760474431546&w=2

"# Unsafe Object Deserialization Vulnerability in RubyGems

There is a possible unsafe object deserialization vulnerability in RubyGems.
It is possible for YAML deserialization of gem specifications to bypass class
white lists.  Specially crafted serialized objects can possibly be used to
escalate to remote code execution. This vulnerability has been assigned the
CVE identifier CVE-2017-0903.

Versions Affected:  >= 2.0.0.
Not affected:       < 2.0.0
Fixed Versions:     2.6.14"

portage contains only dev-ruby/rubygems-2.6.13, a vulnerable version.

I've done a test emerge w/nothing but renaming the ebuild to 2.6.14, and it installed cleanly, although I did not do anything using the new gem yet.

"Exploitation" is not all that meaningful or interesting when a client is installing a gem from an untrust(ed|worthy) source, because you're about to be executing their code anyway.  But a server/service that processes uploaded gems w/o installing them, could be tricked into executing code.
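The advisory quoted above describes the failure mode in one line: YAML deserialization of gem metadata must only instantiate classes on an explicit allowlist, and a document carrying a tag for anything else has to be rejected rather than loaded. The following is an added example, not code from the bug report, from RubyGems or from Gentoo. It shows the general principle with Psych's `safe_load` (an allowlisted loader refusing a tagged object, beside a permissive loader instantiating it), and a check of a RubyGems version string against the affected range quoted from the advisory. The allowlist, the `TaggedThing` class and both YAML documents are constructed for this example; RubyGems maintains its own allowlist, and the real bug concerned a bypass of that list, which this example does not reproduce.

```ruby
# Added example (not RubyGems' own code): allowlisted YAML loading for
# gem-metadata-like documents, plus a version check against the range
# quoted from the advisory (affected >= 2.0.0, fixed in 2.6.14).
require "rubygems"
require "psych"

AFFECTED_FROM = Gem::Version.new("2.0.0")
FIXED_IN      = Gem::Version.new("2.6.14")

# True when a RubyGems version string falls inside the advisory's affected range.
def rubygems_affected?(version_string)
  v = Gem::Version.new(version_string)
  v >= AFFECTED_FROM && v < FIXED_IN
end

# Constructed stand-in for "a class the document names in a YAML tag".
# It does nothing dangerous; the point is that a permissive loader will
# allocate it and set its instance variables because the document asked.
class TaggedThing
  attr_reader :note
end

# Constructed inputs: a harmless metadata document and one carrying a tag
# for a class that is not on the allowlist below.
BENIGN_YAML = <<~YAML
  ---
  name: example
  version: 1.0.0
  summary: a harmless gemspec-like document
YAML

CRAFTED_YAML = <<~YAML
  ---
  name: example
  version: 1.0.0
  payload: !ruby/object:TaggedThing
    note: instantiated by the loader
YAML

# Hypothetical allowlist for this example; RubyGems keeps its own list.
PERMITTED_CLASSES = [Symbol, Time].freeze

# Hardened loader: only allowlisted classes may be instantiated, aliases are
# refused, and a disallowed tag means the whole document is rejected.
# Returns [:ok, hash] or [:rejected, reason].
def load_metadata_safely(yaml)
  doc = Psych.safe_load(yaml, permitted_classes: PERMITTED_CLASSES, aliases: false)
  [:ok, doc]
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  [:rejected, e.message]
end

# Permissive loader, for contrast. Psych 4 made `load` safe and moved the old
# behaviour to `unsafe_load`; on older Psych, `load` itself is the unsafe one.
def load_metadata_permissively(yaml)
  Psych.respond_to?(:unsafe_load) ? Psych.unsafe_load(yaml) : Psych.load(yaml)
end

if __FILE__ == $PROGRAM_NAME
  puts "rubygems 2.6.13 affected? #{rubygems_affected?('2.6.13')}"
  puts "rubygems 2.6.14 affected? #{rubygems_affected?('2.6.14')}"
  puts "safe load, benign:  #{load_metadata_safely(BENIGN_YAML).inspect}"
  puts "safe load, crafted: #{load_metadata_safely(CRAFTED_YAML).inspect}"
  obj = load_metadata_permissively(CRAFTED_YAML)["payload"]
  puts "permissive load, crafted: #{obj.class} with note=#{obj.note.inspect}"
end
```

The safe path raises `Psych::DisallowedClass` before any object of the named class is allocated, so the class does not even need to exist for the document to be refused; the permissive path allocates `TaggedThing` and populates it from the mapping. The version check is the one a Gentoo user would run against `gem --version` or the installed `dev-ruby/rubygems` slot to decide whether this bug applies.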
Comment 1 Hans de Graaff gentoo-dev 2017-10-10 04:48:51 UTC
dev-ruby/rubygems-2.6.14 has been added.

Note that the impact of this issue is very low for Gentoo users, because this security bug only applies when running your own rubygems server where you are allowing submissions from unknown sources. Most likely only rubygems.org itself falls in that category.
Comment 2 D'juan McDonald (domhnall) 2017-10-11 22:18:44 UTC
(In reply to Hans de Graaff from comment #1)
>dev-ruby/rubygems-2.6.14 has been added.

Thank you, when ready feel free to call for stabilization...
Comment 3 Hans de Graaff gentoo-dev 2017-10-15 06:14:47 UTC
It seems to me that the classification should be C2 because the vulnerability is only relevant when someone runs a rubygems server and this is a very unlikely case (certainly less than 5%).
Comment 4 Sergei Trofimovich gentoo-dev 2017-10-15 10:00:27 UTC
hppa stable
Comment 5 Sergei Trofimovich gentoo-dev 2017-10-15 12:41:24 UTC
ia64 stable
Comment 6 Sergei Trofimovich gentoo-dev 2017-10-15 12:55:49 UTC
ppc/ppc64 stable
Comment 7 Thomas Deutschmann gentoo-dev Security 2017-10-15 21:44:46 UTC
x86 stable
Comment 8 Manuel Rüger (RETIRED) gentoo-dev 2017-10-20 15:11:22 UTC
Stable on amd64
Comment 9 Tobias Klausmann gentoo-dev 2017-10-22 21:51:38 UTC
Stable on alpha.
Comment 10 Markus Meier gentoo-dev 2017-10-24 17:37:33 UTC
arm stable, all arches done.
Comment 11 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-24 19:40:42 UTC
Thank you all. I'm re-assigning to C2 since it's a Remote Code Execution when exploited, even if users must run their own RubyGems server.

@Security please vote.

GLSA Vote: Yes
Comment 12 Hans de Graaff gentoo-dev 2017-10-25 05:14:52 UTC
Cleanup done.
Comment 13 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-26 01:02:16 UTC
(In reply to Hans de Graaff from comment #1)
> 
> Note that the impact of this issue is very low for Gentoo users, because
> this security bug only applies when running your own rubygems server where
> you are allowing submissions from unknown sources. Most likely only
> rubygems.org itself falls in that category.


Thank you, Hans, for the clarification and background.

After double checking the pre-requisites to exploit this vulnerability in Gentoo, we agree that there won't be a GLSA for this specific issue.

Tree is already clean and fixed.
 
Closing without a GLSA.