ruby2.3: CVE-2015-9096: SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands in Net::SMTP

Debian Bug report logs - #864860


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 16 Jun 2017 07:21:02 UTC

Severity: serious

Tags: patch, security, upstream

Found in version ruby2.3/2.3.3-1

Fixed in version ruby2.3/2.3.3-1+deb9u1

Done: Antonio Terceiro <terceiro@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#864860; Package src:ruby2.3. (Fri, 16 Jun 2017 07:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Antonio Terceiro <terceiro@debian.org>. (Fri, 16 Jun 2017 07:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby2.3: CVE-2015-9096: SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands in Net::SMTP
Date: Fri, 16 Jun 2017 09:17:37 +0200
Source: ruby2.3
Version: 2.3.3-1
Severity: important
Tags: upstream security patch

Hi,

the following vulnerability was published for ruby2.3.

CVE-2015-9096[0]:
| Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection
| via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated
| by CRLF sequences immediately before and after a DATA substring.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-9096
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9096
[1] https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee

Regards,
Salvatore
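The CVE text above describes the root cause: SMTP commands are terminated by CRLF, so a CR or LF inside a caller-supplied MAIL FROM or RCPT TO address ends the command early and whatever follows is parsed by the server as further commands. The following is an added example, not code from this bug log or from Ruby's net/smtp, showing the kind of input check the upstream fix introduces (assumed names: SmtpAddressCheck, validate_line, rcptto_command, mailfrom_command, safe_address?; written to run on Ruby 2.3):

```ruby
# Added example (not from the bug log or from Ruby's net/smtp): reject any
# address containing CR or LF before a MAIL FROM / RCPT TO line is built,
# mirroring the defensive check introduced for CVE-2015-9096.
module SmtpAddressCheck
  # RFC 5321 ends every command with CRLF, so a bare CR or LF inside an
  # address argument would split one command into several on the wire.
  def self.validate_line(line)
    if /[\r\n]/ =~ line
      raise ArgumentError, "A line must not contain CR or LF"
    end
    line
  end

  # Returns the RCPT TO command text that would be sent, or raises
  # ArgumentError without producing anything if the address is unsafe.
  def self.rcptto_command(address)
    validate_line(address)
    "RCPT TO:<#{address}>\r\n"
  end

  # Same contract for MAIL FROM.
  def self.mailfrom_command(address)
    validate_line(address)
    "MAIL FROM:<#{address}>\r\n"
  end

  # Boolean form for callers that validate user input up front
  # (e.g. at form submission) rather than at send time.
  def self.safe_address?(address)
    validate_line(address)
    true
  rescue ArgumentError
    false
  end
end
```

The check is deliberately applied before string interpolation, so a rejected address never reaches the socket in any form.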



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#864860; Package src:ruby2.3. (Sun, 03 Sep 2017 01:51:05 GMT)


Acknowledgement sent to Antonio Terceiro <terceiro@debian.org>:
Extra info received and forwarded to list. (Sun, 03 Sep 2017 01:51:05 GMT)


Message #10 received at 864860@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: 842432@bugs.debian.org, 864860@bugs.debian.org, 873802@bugs.debian.org, 873906@bugs.debian.org
Cc: team@security.debian.org, Christian Hofstaedtler <zeha@debian.org>, Salvatore Bonaccorso <carnil@debian.org>, Raphael Hertzog <hertzog@debian.org>
Subject: ruby2.3 security update
Date: Sat, 2 Sep 2017 22:43:28 -0300
Hello,

On Wed, Nov 16, 2016 at 02:48:03AM +0100, Christian Hofstaedtler wrote:
> Hi,
> 
> * Salvatore Bonaccorso <carnil@debian.org> [161116 01:46]:
> > Source: ruby2.3
> > [...]
> > [0] https://security-tracker.debian.org/tracker/CVE-2016-7798
> > [1] https://github.com/ruby/openssl/issues/49
> > [2] https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062
> 
> I'm attaching a potential patch against ruby2.3 2.3.2. Any review
> would be most welcome.

On Fri, Jun 16, 2017 at 09:17:37AM +0200, Salvatore Bonaccorso wrote:
> Source: ruby2.3
> Version: 2.3.3-1
> Severity: important
> Tags: upstream security patch
> 
> Hi,
> 
> the following vulnerability was published for ruby2.3.
> 
> CVE-2015-9096[0]:
> | Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection
> | via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated
> | by CRLF sequences immediately before and after a DATA substring.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2015-9096
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9096
> [1] https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee

On Thu, Aug 31, 2017 at 12:15:00PM +0200, Raphael Hertzog wrote:
> Source: ruby2.3
> X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> the following vulnerabilities were published for ruby2.3. They affect rubygems
> more specifically.
> 
> CVE-2017-0902[0]:
> DNS issue
> 
> CVE-2017-0901[1]:
> overwrite any file
> 
> CVE-2017-0900[2]:
> query command
> 
> CVE-2017-0899[3]:
> ANSI escape issue
> 
> Some patches are available here:
> https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/
> 
> The fixes should also be available in (upcoming) ruby 2.3.5 and ruby 2.4.2.
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-0902
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0902
> [1] https://security-tracker.debian.org/tracker/CVE-2017-0901
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0901
> [2] https://security-tracker.debian.org/tracker/CVE-2017-0900
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0900
> [3] https://security-tracker.debian.org/tracker/CVE-2017-0899
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0899
> 
> Please adjust the affected versions in the BTS as needed.

On Fri, Sep 01, 2017 at 07:24:24AM +0200, Salvatore Bonaccorso wrote:
> Source: ruby2.3
> Version: 2.3.3-1
> Severity: grave
> Tags: upstream patch security
> 
> Hi,
> 
> the following vulnerability was published for ruby2.3.
> 
> CVE-2017-14064[0]:
> | Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can
> | expose arbitrary memory during a JSON.generate call. The issues lies in
> | using strdup in ext/json/ext/generator/generator.c, which will stop
> | after encountering a '\0' byte, returning a pointer to a string of
> | length zero, which is not the length stored in space_len.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-14064
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14064
> [1] https://bugs.ruby-lang.org/issues/13853
> [2] https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85


I have prepared an updated ruby2.3 package that handles all of the above
issues, which are all pending security bugs in the BTS. The package builds
fine and autopkgtest passes, which is good because all of the patches
applied include automated tests for the issues they fix.

Attached you will find a full diff between the version in stretch and
the one I intend to upload, plus the individual patches for your
convenience. Security team: I'm waiting on your ACK.

Fixing this in unstable/buster will take longer, because the current
version there does not build with GCC 7. Take into account that ruby2.3
won't be shipped in buster anyway, it will only stay there until we
transition to ruby2.5.
[ruby2.3.diff (text/x-diff, attachment)]
[0001-Fix-arbitrary-heap-exposure-problem.patch (text/x-diff, attachment)]
[0002-Fix-multiple-security-vulnerabilities.patch (text/x-diff, attachment)]
[0003-Fix-SMTP-command-injection.patch (text/x-diff, attachment)]
[0004-cipher-don-t-set-dummy-encryption-key-in-Cipher-init.patch (text/x-diff, attachment)]

Severity set to 'serious' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 05 Sep 2017 20:21:02 GMT)


Reply sent to Antonio Terceiro <terceiro@debian.org>:
You have taken responsibility. (Sat, 23 Sep 2017 10:06:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 23 Sep 2017 10:06:05 GMT)


Message #17 received at 864860-close@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: 864860-close@bugs.debian.org
Subject: Bug#864860: fixed in ruby2.3 2.3.3-1+deb9u1
Date: Sat, 23 Sep 2017 10:03:25 +0000
Source: ruby2.3
Source-Version: 2.3.3-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
ruby2.3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864860@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terceiro@debian.org> (supplier of updated ruby2.3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 02 Sep 2017 15:11:07 -0300
Source: ruby2.3
Binary: ruby2.3 libruby2.3 ruby2.3-dev ruby2.3-doc ruby2.3-tcltk
Architecture: source amd64 all
Version: 2.3.3-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Antonio Terceiro <terceiro@debian.org>
Changed-By: Antonio Terceiro <terceiro@debian.org>
Description:
 libruby2.3 - Libraries necessary to run Ruby 2.3
 ruby2.3    - Interpreter of object-oriented scripting language Ruby
 ruby2.3-dev - Header files for compiling extension modules for the Ruby 2.3
 ruby2.3-doc - Documentation for Ruby 2.3
 ruby2.3-tcltk - Ruby/Tk for Ruby 2.3
Closes: 842432 864860 873802 873906
Changes:
 ruby2.3 (2.3.3-1+deb9u1) stretch-security; urgency=high
 .
   * Fix arbitrary heap exposure problem in the JSON library (Closes: #873906)
     [CVE-2017-14064]
     - Backported for Ruby 2.3 by Hiroshi SHIBATA <hsbt@ruby-lang.org>
       https://bugs.ruby-lang.org/issues/13853
   * Fix multiple security vulnerabilities in Rubygems (Closes: #873802)
     - Fix a DNS request hijacking vulnerability. Discovered by Jonathan
       Claudius, fix by Samuel Giddins.
       [CVE-2017-0902]
     - Fix an ANSI escape sequence vulnerability. Discovered by Yusuke Endoh,
       fix by Evan Phoenix.
       [CVE-2017-0899]
     - Fix a DOS vulnerability in the query command. Discovered by Yusuke
       Endoh, fix by Samuel Giddins.
       [CVE-2017-0900]
     - Fix a vulnerability in the gem installer that allowed a malicious gem to
       overwrite arbitrary files. Discovered by Yusuke Endoh, fix by Samuel
       Giddins.
       [CVE-2017-0901]
   * Fix SMTP command injection (Closes: #864860)
     Patch by Shugo Maeda <shugo@ruby-lang.org>
     [CVE-2015-9096]
   * Fix IV Reuse in GCM Mode (Closes: #842432)
     Patch by Kazuki Yamaguchi <k@rhe.jp>
     [CVE-2016-7798]




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 06 Nov 2017 07:28:33 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:30:24 2019; Machine Name: beach
