Debian Bug report logs - #851161
ruby2.1: CVE-2016-2337 CVE-2016-2339
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Thu, 12 Jan 2017 15:15:01 UTC
Severity: grave
Tags: security
Found in version ruby2.1/2.1.5-2+deb8u3
Fixed in version 2.1.5-2+deb8u5
Done: Moritz Mühlenhoff <jmm@inutil.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Antonio Terceiro <terceiro@debian.org>: Bug#851161; Package src:ruby2.3. (Thu, 12 Jan 2017 15:15:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Antonio Terceiro <terceiro@debian.org>. (Thu, 12 Jan 2017 15:15:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: ruby2.3
Severity: grave
Tags: security
Hi,
this has been assigned CVE-2016-2339: http://www.talosintelligence.com/reports/TALOS-2016-0034/
Patch is here: https://github.com/ruby/ruby/commit/bcc2421b4938fc1d9f5f3fb6ef2320571b27af42
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>: Bug#851161; Package src:ruby2.3. (Thu, 12 Jan 2017 15:21:03 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>. (Thu, 12 Jan 2017 15:21:03 GMT)
Message #10 received at 851161@bugs.debian.org:
On Thu, Jan 12, 2017 at 04:10:44PM +0100, Moritz Muehlenhoff wrote:
> Source: ruby2.3
> Severity: grave
> Tags: security
>
> Hi,
> this has been assigned CVE-2016-2339: http://www.talosintelligence.com/reports/TALOS-2016-0034/
>
> Patch is here: https://github.com/ruby/ruby/commit/bcc2421b4938fc1d9f5f3fb6ef2320571b27af42
Also:
http://www.talosintelligence.com/reports/TALOS-2016-0031/
Cheers,
Moritz
Changed Bug title to 'ruby2.3: CVE-2016-2337 CVE-2016-2339' from 'CVE-2016-2339'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 12 Jan 2017 15:39:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>: Bug#851161; Package src:ruby2.3. (Fri, 20 Jan 2017 00:15:06 GMT)
Acknowledgement sent to Christian Hofstaedtler <zeha@debian.org>: Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>. (Fri, 20 Jan 2017 00:15:06 GMT)
Message #17 received at 851161@bugs.debian.org:
Control: reassign -1 ruby2.1
Control: found -1 2.1.5-2+deb8u3
Hi,
* Moritz Muehlenhoff <jmm@debian.org> [170120 00:05]:
> this has been assigned CVE-2016-2339: http://www.talosintelligence.com/reports/TALOS-2016-0034/
>
> Patch is here: https://github.com/ruby/ruby/commit/bcc2421b4938fc1d9f5f3fb6ef2320571b27af42
If I'm reading all those right, this is actually fixed since 2.3.0;
this issue is likely open in 2.1.x. Reassigning.
For the TclTk issue, looks like this upstream patch:
https://github.com/ruby/ruby/commit/a2b8925a94a672235ca6a16e584bf09026a957ab
If this is the correct patch, 2.3.0 has this fixed, but 2.1.x needs
a patch.
Would be good if somebody could crosscheck this.
Thanks,
--
christian hofstaedtler <zeha@debian.org>
Bug reassigned from package 'src:ruby2.3' to 'ruby2.1'. Request was from Christian Hofstaedtler <zeha@debian.org> to 851161-submit@bugs.debian.org. (Fri, 20 Jan 2017 00:15:06 GMT)
Marked as found in versions ruby2.1/2.1.5-2+deb8u3. Request was from Christian Hofstaedtler <zeha@debian.org> to 851161-submit@bugs.debian.org. (Fri, 20 Jan 2017 00:15:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>: Bug#851161; Package ruby2.1. (Fri, 20 Jan 2017 06:09:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>. (Fri, 20 Jan 2017 06:09:03 GMT)
Message #26 received at 851161@bugs.debian.org:
On Fri, Jan 20, 2017 at 01:13:41AM +0100, Christian Hofstaedtler wrote:
> Control: reassign -1 ruby2.1
> Control: found -1 2.1.5-2+deb8u3
>
> Hi,
>
> * Moritz Muehlenhoff <jmm@debian.org> [170120 00:05]:
> > this has been assigned CVE-2016-2339: http://www.talosintelligence.com/reports/TALOS-2016-0034/
> >
> > Patch is here: https://github.com/ruby/ruby/commit/bcc2421b4938fc1d9f5f3fb6ef2320571b27af42
>
> If I'm reading all those right, this is actually fixed since 2.3.0;
> this issue is likely open in 2.1.x. Reassigning.
Confirmed for 2.1.x, the POC in a jessie VM:
$ ruby CVE-2016-2339.rb
Start
args array size : 1
increase size of array
New args array size is : 11
*** Error in `ruby': free(): invalid next size (fast): 0x0000000000ea3590 ***
Aborted
It was confusing that the TALOS report mentions that it was tested with 2.3.0 dev,
but this might then be right: the above commit is included from 2.3.0 onwards.
> For the TclTk issue, looks like this upstream patch:
> https://github.com/ruby/ruby/commit/a2b8925a94a672235ca6a16e584bf09026a957ab
> If this is the correct patch, 2.3.0 has this fixed, but 2.1.x needs
> a patch.
Thanks, added the commit as well, and the fixed version to the tracker. I
*think*, although a problem in the source, this might not really need an update
in jessie via a DSA, since the issue is in combination with cancel_eval which is
supported in Tcl/Tk 8.6 or later, but we don't have that for jessie. So I would
tend to just mark that one as no-dsa at least. Or do I miss something?
Regards,
Salvatore
Changed Bug title to 'ruby2.1: CVE-2016-2337 CVE-2016-2339' from 'ruby2.3: CVE-2016-2337 CVE-2016-2339'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 20 Jan 2017 06:09:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>: Bug#851161; Package ruby2.1. (Fri, 20 Jan 2017 09:57:07 GMT)
Acknowledgement sent to Christian Hofstaedtler <zeha@debian.org>: Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>. (Fri, 20 Jan 2017 09:57:07 GMT)
Message #33 received at 851161@bugs.debian.org:
* Salvatore Bonaccorso <carnil@debian.org> [170120 09:48]:
> > For the TclTk issue, looks like this upstream patch:
> > https://github.com/ruby/ruby/commit/a2b8925a94a672235ca6a16e584bf09026a957ab
> > If this is the correct patch, 2.3.0 has this fixed, but 2.1.x needs
> > a patch.
>
> Thanks, added the commit as well, and the fixed version to the tracker. I
> *think*, although a problem in the source, this might not really need an update
> in jessie via a DSA, since the issue is in combination with cancel_eval which is
> supported in Tcl/Tk 8.6 or later, but we don't have that for jessie. So I would
> tend to just mark that one as no-dsa at least. Or do I miss something?
Right; I didn't remember we are building with tcl8.5 in jessie. So
looks like no-dsa for that, yes. It looks like the patch might just
apply as is to ruby2.1, so when doing an update we could try
sticking it in just because.
Best regards,
-ch
--
christian hofstaedtler <zeha@debian.org>
Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>: Bug#851161; Package ruby2.1. (Fri, 20 Jan 2017 10:18:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>. (Fri, 20 Jan 2017 10:18:05 GMT)
Message #38 received at 851161@bugs.debian.org:
Hi!
On Fri, Jan 20, 2017 at 10:55:32AM +0100, Christian Hofstaedtler wrote:
> * Salvatore Bonaccorso <carnil@debian.org> [170120 09:48]:
> > > For the TclTk issue, looks like this upstream patch:
> > > https://github.com/ruby/ruby/commit/a2b8925a94a672235ca6a16e584bf09026a957ab
> > > If this is the correct patch, 2.3.0 has this fixed, but 2.1.x needs
> > > a patch.
> >
> > Thanks, added the commit as well, and the fixed version to the tracker. I
> > *think*, although a problem in the source, this might not really need an update
> > in jessie via a DSA, since the issue is in combination with cancel_eval which is
> > supported in Tcl/Tk 8.6 or later, but we don't have that for jessie. So I would
> > tend to just mark that one as no-dsa at least. Or do I miss something?
>
> Right; I didn't remember we are building with tcl8.5 in jessie. So
> looks like no-dsa for that, yes. It looks like the patch might just
> apply as is to ruby2.1, so when doing an update we could try
> sticking it in just because.
So right, agree we can in any update include that as well. Now the
question is if the remaining CVE warrants a DSA on its own or if it is
sufficient to update via a point release.
AFAICT, as well for CVE-2016-2339, to exploit the flaw one would need
to execute untrusted ruby code, or pass an untrusted class to the
Fiddle module. So I'm not sure if CVE-2016-2339 would as well be
rather "no-dsa".
@Moritz, strong opinion on that? If not, I would say to mark all of
the ruby2.1 CVEs open (CVE-2016-7798, CVE-2016-2337 and CVE-2016-2339)
as no-dsa and include them (if you can) in the next point release or
for any future ruby2.1 DSA.
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>: Bug#851161; Package ruby2.1. (Fri, 20 Jan 2017 10:27:03 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>. (Fri, 20 Jan 2017 10:27:03 GMT)
Message #43 received at 851161@bugs.debian.org:
On Fri, Jan 20, 2017 at 11:14:57AM +0100, Salvatore Bonaccorso wrote:
> @Moritz, strong opinion on that? If not, I would say to mark all of
> the ruby2.1 CVEs open (CVE-2016-7798, CVE-2016-2337 and CVE-2016-2339)
> as no-dsa and include them (if you can) in the next point release or
> for any future ruby2.1 DSA.
Agreed.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>: Bug#851161; Package ruby2.1. (Fri, 20 Jan 2017 14:39:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>. (Fri, 20 Jan 2017 14:39:06 GMT)
Message #48 received at 851161@bugs.debian.org:
On Fri, Jan 20, 2017 at 11:25:22AM +0100, Moritz Muehlenhoff wrote:
> On Fri, Jan 20, 2017 at 11:14:57AM +0100, Salvatore Bonaccorso wrote:
> > @Moritz, strong opinion on that? If not, I would say to mark all of
> > the ruby2.1 CVEs open (CVE-2016-7798, CVE-2016-2337 and CVE-2016-2339)
> > as no-dsa and include them (if you can) in the next point release or
> > for any future ruby2.1 DSA.
>
> Agreed.
Perfect, thanks. Marked as no-dsa.
Regards,
Salvatore
Reply sent to Moritz Mühlenhoff <jmm@inutil.org>: You have taken responsibility. (Mon, 03 Sep 2018 10:39:05 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Mon, 03 Sep 2018 10:39:05 GMT)
Message #53 received at 851161-done@bugs.debian.org:
Version: 2.1.5-2+deb8u5
All mentioned CVEs are fixed via DLA-1480-1.
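The closing message gives the one value a jessie administrator needs: the ruby2.1 version that carries the fixes (2.1.5-2+deb8u5, via DLA-1480-1). The following is an added example, not code from the bug log or from Debian's tooling: a small Ruby checker that reads the Version: field out of `dpkg -s ruby2.1` output and orders it against that fixed version using the same rules dpkg applies (epoch, then upstream version, then Debian revision; "~" sorts before everything, letters before other symbols, digit runs compared numerically). The `dpkg -s` sample embedded below is constructed; the function and constant names are this example's own.

```ruby
# Added example: is the installed ruby2.1 older than the fixed version from DLA-1480-1?
# The version ordering re-implements dpkg's comparison rules; it is not the dpkg code.
FIXED_VERSION = "2.1.5-2+deb8u5" # fixed version closing Debian bug #851161

# Ordering weight of one character in a non-digit segment, as dpkg defines it:
# end of string and digits weigh 0, letters sort by code point, '~' sorts before
# everything (so 2~rc1 < 2), and any other symbol sorts after all letters.
def char_order(c)
  return 0 if c.nil? || c =~ /\d/
  return c.ord if c =~ /[A-Za-z]/
  return -1 if c == "~"
  c.ord + 256
end

# Compare two upstream-version or revision strings: alternate between a
# non-digit segment (character by character) and a digit segment (numerically).
# Returns -1, 0 or 1 like <=>.
def verrevcmp(a, b)
  i = 0
  j = 0
  while i < a.length || j < b.length
    while (i < a.length && a[i] !~ /\d/) || (j < b.length && b[j] !~ /\d/)
      ac = char_order(a[i])
      bc = char_order(b[j])
      return ac <=> bc if ac != bc
      i += 1
      j += 1
    end
    digits_a = a[i..-1][/\A\d*/]
    digits_b = b[j..-1][/\A\d*/]
    cmp = digits_a.to_i <=> digits_b.to_i
    return cmp if cmp != 0
    i += digits_a.length
    j += digits_b.length
  end
  0
end

# Split "epoch:upstream-revision" into parts. The epoch defaults to 0 and the
# revision is whatever follows the LAST hyphen, since upstream versions may contain '-'.
def parse_version(version)
  epoch, rest = version.include?(":") ? version.split(":", 2) : ["0", version]
  if rest.include?("-")
    upstream, _, revision = rest.rpartition("-")
  else
    upstream, revision = rest, ""
  end
  [epoch.to_i, upstream, revision]
end

# Full Debian version comparison: epoch, then upstream, then revision.
def deb_version_compare(v1, v2)
  e1, u1, r1 = parse_version(v1)
  e2, u2, r2 = parse_version(v2)
  cmp = e1 <=> e2
  return cmp if cmp != 0
  cmp = verrevcmp(u1, u2)
  return cmp if cmp != 0
  verrevcmp(r1, r2)
end

# Extract the Version: field from `dpkg -s <package>` output (nil if absent).
def installed_version(dpkg_status)
  line = dpkg_status.lines.find { |l| l.start_with?("Version:") }
  line && line.split(":", 2)[1].strip
end

# true when the installed version sorts strictly before the fixed version
def vulnerable?(installed)
  deb_version_compare(installed, FIXED_VERSION) < 0
end

# Constructed sample of `dpkg -s ruby2.1` on a jessie host still at the
# version this bug was found in (2.1.5-2+deb8u3).
SAMPLE_DPKG_STATUS = <<~STATUS
  Package: ruby2.1
  Status: install ok installed
  Priority: optional
  Section: ruby
  Version: 2.1.5-2+deb8u3
  Depends: libruby2.1 (= 2.1.5-2+deb8u3)
STATUS

if __FILE__ == $PROGRAM_NAME
  v = installed_version(SAMPLE_DPKG_STATUS)
  state = vulnerable?(v) ? "needs update to" : "already at or past"
  puts "ruby2.1 #{v}: #{state} #{FIXED_VERSION}"
end
```

On a real host, replace the constructed sample with the output of `dpkg -s ruby2.1`; the same comparison applies to any fixed version quoted in a DSA or DLA, which is why the "+deb8u5" style revision and the "~" pre-release marker are both handled rather than treating versions as plain strings.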
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 02 Oct 2018 07:30:16 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:49:42 2019