Debian Bug report logs -
#796344
CVE-2015-7551
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Fri, 21 Aug 2015 12:36:01 UTC
Severity: important
Tags: security
Found in versions ruby2.1/2.1.5-4, ruby2.1/2.1.5-2+deb8u2
Fixed in versions 2.1.5-4+rm, ruby2.1/2.1.5-2+deb8u3
Done: Petter Reinholdtsen <pere@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#796344; Package ruby2.1.
(Fri, 21 Aug 2015 12:36:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Antonio Terceiro <terceiro@debian.org>.
(Fri, 21 Aug 2015 12:36:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: ruby2.1
Version: 2.1.5-4
Severity: important
Tags: security
This has been assigned CVE-2009-5147:
http://seclists.org/oss-sec/2015/q3/222
Cheers,
Moritz
Bug 796344 cloned as bug 796551
Request was from Christian Hofstaedtler <zeha@debian.org>
to control@bugs.debian.org.
(Sat, 22 Aug 2015 13:21:08 GMT) (full text, mbox, link).
Bug 796344 cloned as bug 796577
Request was from Christian Hofstaedtler <christian@hofstaedtler.name>
to control@bugs.debian.org.
(Sat, 22 Aug 2015 18:15:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#796344; Package ruby2.1.
(Wed, 16 Dec 2015 23:12:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Christian Hofstaedtler <zeha@debian.org>:
Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>.
(Wed, 16 Dec 2015 23:12:04 GMT) (full text, mbox, link).
Message #14 received at 796344@bugs.debian.org (full text, mbox, reply):
Control: retitle -1 CVE-2015-7551
Control: found -1 2.1.5-2+deb8u2
https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/
Changed Bug title to 'CVE-2015-7551' from 'CVE-2009-5147'
Request was from Christian Hofstaedtler <zeha@debian.org>
to 796344-submit@bugs.debian.org.
(Wed, 16 Dec 2015 23:12:04 GMT) (full text, mbox, link).
Marked as found in versions ruby2.1/2.1.5-2+deb8u2.
Request was from Christian Hofstaedtler <zeha@debian.org>
to 796344-submit@bugs.debian.org.
(Wed, 16 Dec 2015 23:12:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#796344; Package ruby2.1.
(Wed, 16 Dec 2015 23:21:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Christian Hofstaedtler <zeha@debian.org>:
Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>.
(Wed, 16 Dec 2015 23:21:03 GMT) (full text, mbox, link).
Message #23 received at 796344@bugs.debian.org (full text, mbox, reply):
In 2.1 branch, the fix is in this commit:
https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a
Information forwarded
to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#796344; Package ruby2.1.
(Sat, 02 Jan 2016 09:30:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>.
(Sat, 02 Jan 2016 09:30:05 GMT) (full text, mbox, link).
Message #28 received at 796344@bugs.debian.org (full text, mbox, reply):
[Christian Hofstaedtler]
> In 2.1 branch, the fix is in this commit:
>
> https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a
According to <URL: https://security-tracker.debian.org/tracker/CVE-2009-5147 >,
this issue is fixed in squeeze but not wheezy and jessie. Are anyone working
on a update to stable?
I noticed this bug as it is the oldest CVE reported by debsecan on my stable
installations, and wondered why a CVE from 2009 was still not fixed in
Jessie. Note, I see from the Redhat bug report that the problem was recently
reintroduced, so it have not been around for 6 years.
--
Happy hacking
Petter Reinholdtsen
Information forwarded
to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#796344; Package ruby2.1.
(Sat, 02 Jan 2016 23:54:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Christian Hofstaedtler <zeha@debian.org>:
Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>.
(Sat, 02 Jan 2016 23:54:03 GMT) (full text, mbox, link).
Message #33 received at 796344@bugs.debian.org (full text, mbox, reply):
* Petter Reinholdtsen <pere@hungry.com> [160102 10:30]:
> [Christian Hofstaedtler]
> > In 2.1 branch, the fix is in this commit:
> >
> > https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a
>
> According to <URL: https://security-tracker.debian.org/tracker/CVE-2009-5147 >,
> this issue is fixed in squeeze but not wheezy and jessie. Are anyone working
> on a update to stable?
Sorry, even tough this should be easy to do, so far nobody has found
the time to do it.
> I noticed this bug as it is the oldest CVE reported by debsecan on my stable
> installations, and wondered why a CVE from 2009 was still not fixed in
> Jessie. Note, I see from the Redhat bug report that the problem was recently
> reintroduced, so it have not been around for 6 years.
Yup, for 2.x, this bug was indeed re-introduced at a later date.
Best,
--
,''`. Christian Hofstaedtler <zeha@debian.org>
: :' : Debian Developer
`. `' 7D1A CFFA D9E0 806C 9C4C D392 5C13 D6DB 9305 2E03
`-
Reply sent
to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility.
(Sat, 05 Mar 2016 00:27:22 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.
(Sat, 05 Mar 2016 00:27:22 GMT) (full text, mbox, link).
Message #38 received at 796344-done@bugs.debian.org (full text, mbox, reply):
Version: 2.1.5-4+rm
Dear submitter,
as the package ruby2.1 has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/811434
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.
Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 02 Apr 2016 07:34:00 GMT) (full text, mbox, link).
Bug unarchived.
Request was from Petter Reinholdtsen <pere@hungry.com>
to control@bugs.debian.org.
(Mon, 06 Jun 2016 12:24:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#796344; Package ruby2.1.
(Mon, 06 Jun 2016 12:30:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Christian Hofstaedtler <zeha@debian.org>:
Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>.
(Mon, 06 Jun 2016 12:30:03 GMT) (full text, mbox, link).
Message #47 received at 796344@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
* Petter Reinholdtsen <pere@hungry.com> [160606 14:01]:
> But I would love to figure out a way to verify that the fix really is working
> before I upload. Anyone got a clue to spare there?
I'm attaching two test programs that both raise a SecurityError on
ruby2.2 in sid, but run through on ruby2.1 in jessie. They only
cover two Fiddle cases, and no DL cases, though.
--
,''`. Christian Hofstaedtler <zeha@debian.org>
: :' : Debian Developer
`. `' 7D1A CFFA D9E0 806C 9C4C D392 5C13 D6DB 9305 2E03
`-
[cve-2009-5147-fiddle-01.rb (text/plain, attachment)]
[cve-2009-5147-fiddle-02.rb (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#796344; Package ruby2.1.
(Mon, 06 Jun 2016 12:42:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>.
(Mon, 06 Jun 2016 12:42:06 GMT) (full text, mbox, link).
Message #52 received at 796344@bugs.debian.org (full text, mbox, reply):
Control: unarchive -1
[Christian Hofstaedtler 2016-01-03]
>> According to <URL: https://security-tracker.debian.org/tracker/CVE-2009-5147 >,
>> this issue is fixed in squeeze but not wheezy and jessie. Are anyone working
>> on a update to stable?
>
> Sorry, even tough this should be easy to do, so far nobody has found
> the time to do it.
Right. I got tired of seeing the output for this bug from debsecan, and
decided to try to get a fix in stable. I got approval from the release
managers in bug #826348.
But I would love to figure out a way to verify that the fix really is working
before I upload. Anyone got a clue to spare there?
--
Happy hacking
Petter Reinholdtsen
Information forwarded
to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#796344; Package ruby2.1.
(Mon, 06 Jun 2016 13:27:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>.
(Mon, 06 Jun 2016 13:27:09 GMT) (full text, mbox, link).
Message #57 received at 796344@bugs.debian.org (full text, mbox, reply):
[Christian Hofstaedtler]
> I'm attaching two test programs that both raise a SecurityError on
> ruby2.2 in sid, but run through on ruby2.1 in jessie. They only
> cover two Fiddle cases, and no DL cases, though.
Thank you very much!. But the second fail with ruby2.1 today:
% for f in *; do echo $f; ruby $f; done
cve-2009-5147-fiddle-01.rb
"/lib/x86_64-linux-gnu/libm.so.6"
"/lib/x86_64-linux-gnu/libm.so.6"
3.0
cve-2009-5147-fiddle-02.rb
cve-2009-5147-fiddle-02.rb:18:in `call': tainted parameter not allowed (SecurityError)
from cve-2009-5147-fiddle-02.rb:18:in `<main>'
%
How come?
--
Happy hacking
Petter Reinholdtsen
Information forwarded
to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#796344; Package ruby2.1.
(Mon, 06 Jun 2016 16:51:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Christian Hofstaedtler <zeha@debian.org>:
Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>.
(Mon, 06 Jun 2016 16:51:03 GMT) (full text, mbox, link).
Message #62 received at 796344@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
* Petter Reinholdtsen <pere@hungry.com> [160606 15:27]:
> Thank you very much!. But the second fail with ruby2.1 today:
> cve-2009-5147-fiddle-02.rb:18:in `call': tainted parameter not allowed (SecurityError)
[..]
> How come?
Ah. Maybe that was my demonstration program of what should have
happened. Unfortunately I can't check what has been submitted to
upstream at that time.
Best,
--
,''`. Christian Hofstaedtler <zeha@debian.org>
: :' : Debian Developer
`. `' 7D1A CFFA D9E0 806C 9C4C D392 5C13 D6DB 9305 2E03
`-
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#796344; Package ruby2.1.
(Tue, 07 Jun 2016 08:57:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>.
(Tue, 07 Jun 2016 08:57:06 GMT) (full text, mbox, link).
Message #67 received at 796344@bugs.debian.org (full text, mbox, reply):
[Moritz Mühlenhoff]
> Does that also include the regression fix from CVE-2015-7551?
No, it did not. I had a look and pulled
https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a
to fix this one. I will include it too in the upload, just need to
check with the release managers first.
Should I commit the planned upload to the ruby2.1 git repository? I
notice there already is a debian/jessie branch there.
--
Happy hacking
Petter Reinholdtsen
Reply sent
to Petter Reinholdtsen <pere@debian.org>:
You have taken responsibility.
(Tue, 07 Jun 2016 22:33:04 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.
(Tue, 07 Jun 2016 22:33:04 GMT) (full text, mbox, link).
Message #72 received at 796344-close@bugs.debian.org (full text, mbox, reply):
Source: ruby2.1
Source-Version: 2.1.5-2+deb8u3
We believe that the bug you reported is fixed in the latest version of
ruby2.1, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 796344@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Petter Reinholdtsen <pere@debian.org> (supplier of updated ruby2.1 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 07 Jun 2016 11:00:04 +0200
Source: ruby2.1
Binary: ruby2.1 libruby2.1 ruby2.1-dev ruby2.1-doc ruby2.1-tcltk
Architecture: source amd64 all
Version: 2.1.5-2+deb8u3
Distribution: jessie
Urgency: low
Maintainer: Antonio Terceiro <terceiro@debian.org>
Changed-By: Petter Reinholdtsen <pere@debian.org>
Description:
libruby2.1 - Libraries necessary to run Ruby 2.1
ruby2.1 - Interpreter of object-oriented scripting language Ruby
ruby2.1-dev - Header files for compiling extension modules for the Ruby 2.1
ruby2.1-doc - Documentation for Ruby 2.1
ruby2.1-tcltk - Ruby/Tk for Ruby 2.1
Closes: 796344
Changes:
ruby2.1 (2.1.5-2+deb8u3) jessie; urgency=low
.
* Non-maintainer upload to fix security problem.
* Fix CVE-2009-5147: DL::dlopen should not open a library with
tainted library name in safe mode (Closes: #796344). Based on
patch used in DLA-299-1, which was pulled from upstream.
* Fix CVE-2015-7551: Fiddle handles should not call functions with
tainted function names (Closes: #796344). Patch pulled from
upstream.
Checksums-Sha1:
b5541ca61ca692e63aed98ecc32391eedf91963e 2434 ruby2.1_2.1.5-2+deb8u3.dsc
94d2040790d3c29c0957aee49b02c2ad2f623a03 89948 ruby2.1_2.1.5-2+deb8u3.debian.tar.xz
417ccbb05c31f84502c76b22c14ab9998f3c476b 276318 ruby2.1_2.1.5-2+deb8u3_amd64.deb
02ccf9b5aa70309e4d98f137606fe74b3d2b1d3b 3290296 libruby2.1_2.1.5-2+deb8u3_amd64.deb
c2873c782e8116af50914b99ff3a90e3516c0b15 1100866 ruby2.1-dev_2.1.5-2+deb8u3_amd64.deb
f44f175543e0c1efcaf44cc538bd96bd861ba208 3385822 ruby2.1-doc_2.1.5-2+deb8u3_all.deb
ea100a4ebb7523ae0d78d1855b73a813a34c0844 477932 ruby2.1-tcltk_2.1.5-2+deb8u3_amd64.deb
Checksums-Sha256:
da3d26a08cdf39ffc0fb707a6f7dcd47d754a398ab5c155d04d929d40e259c18 2434 ruby2.1_2.1.5-2+deb8u3.dsc
92e3f5ddc522801d50458bcb6291cd235d27e5c426e3ccc9defe901cb36ef5d0 89948 ruby2.1_2.1.5-2+deb8u3.debian.tar.xz
5d7c90613015fd19fd81912f464ee680b7f549b735757d105e1dac3cc6b03b37 276318 ruby2.1_2.1.5-2+deb8u3_amd64.deb
574bf7c9f4016d3bb4b0b1983991cef187f724dd3b3fa7aa580d1904c320d3d2 3290296 libruby2.1_2.1.5-2+deb8u3_amd64.deb
22e4f86b33ca21bcfd767e884ed04d89c2e50473fb09329857d86528ee3ae79f 1100866 ruby2.1-dev_2.1.5-2+deb8u3_amd64.deb
3112555b44bf3bfebc907b238c5a64b985a62359e7a04aa48450e6ef4a34b006 3385822 ruby2.1-doc_2.1.5-2+deb8u3_all.deb
cc6e711b5423cec72f41a23e5f09cbc25cae9cb6ad9d89fde7d03fdf3d70a3fc 477932 ruby2.1-tcltk_2.1.5-2+deb8u3_amd64.deb
Files:
f4ff81e7436789ed1b2571cf439c21d7 2434 ruby extra ruby2.1_2.1.5-2+deb8u3.dsc
e2898ac980e98b32fbaf59b9c5946eb9 89948 ruby extra ruby2.1_2.1.5-2+deb8u3.debian.tar.xz
9fc1ce34cbe4384c684aa4f8dc617388 276318 ruby extra ruby2.1_2.1.5-2+deb8u3_amd64.deb
fb3fa242a1cdaabca8e7c0043ac28b15 3290296 libs extra libruby2.1_2.1.5-2+deb8u3_amd64.deb
3e7e72ff042925f4c5787466490fd01f 1100866 ruby extra ruby2.1-dev_2.1.5-2+deb8u3_amd64.deb
37d414ee9be8b7d986e0ad48c917bf19 3385822 doc extra ruby2.1-doc_2.1.5-2+deb8u3_all.deb
5622395ae268664f3752d436bdb12c11 477932 ruby extra ruby2.1-tcltk_2.1.5-2+deb8u3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJXVrP/AAoJEIEoCqCHuvsOndMP/10nV0s73aBVRTobhrRgKC+w
p5x09mRZpemRun3FdxGSV2iha+wmeMZEB9PSmaeS0LbO4whmAS2x1otcBE94boI9
qhZKdHQ+sssksNgaB/HWfosdqZg7XTWeQ9nCiIvSScYTRs2/LSnY1+X7Dt9aQMC8
5aUIyN6KHvj8yT82M/zE159KCjE0pt6fMe8IF5OqiSa2xOPFyPwW8zfXZ1f1Z8Rx
Dg2439weR4zPBO5eRdT074aoSM9KuEnW6CZTciJh8gzazZfFbqx6fYPYFN+BQ4rd
Shjp2IkQS6ci2GG93lu1lc5+MA/US1d0RM1qNKEsNysISSIkYpSATg+LW/m3rLL9
eKCiV6bAI3UK3vITW7PpNMDBV50UB1YzHLWP3wgi1ExAB9MdNYagrWl6Pqvp70vs
w1r4FjI2vGTOsvLLQ9d0MgLK8OFHepyaU1+fhOcSdg1amRDJJytrxjyccG0NsEvi
IV0sgayrZAiWFglO2E9oFHGv8PXeZW2Wp2P8bDhTB6bBVRW71QMtJU7uK8qGG0s0
CMMFRnZ/VGMqQdJn0SwOF0UlsWSy3AG9t0tbIkSWdQyvhik5KWzCtoS3FibbNqGS
m3Tu9QVDsD36PySt6EOgVbCruJ2BrHgpVdtoZO7Ofvc+Ruu1WvMuoOulu8lt8uN+
FNUEi0etS+2FDezM7k5h
=E3pT
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 06 Jul 2016 07:27:45 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:16:57 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon