ruby2.1: CVE-2016-2337 CVE-2016-2339

Related Vulnerabilities: CVE-2016-2337   CVE-2016-2339   CVE-2016-7798  

Debian Bug report logs - #851161


Package: ruby2.1; Maintainer for ruby2.1 is Antonio Terceiro <terceiro@debian.org>; Source for ruby2.1 is src:ruby2.1.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 12 Jan 2017 15:15:01 UTC

Severity: grave

Tags: security

Found in version ruby2.1/2.1.5-2+deb8u3

Fixed in version 2.1.5-2+deb8u5

Done: Moritz Mühlenhoff <jmm@inutil.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#851161; Package src:ruby2.3. (Thu, 12 Jan 2017 15:15:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Antonio Terceiro <terceiro@debian.org>. (Thu, 12 Jan 2017 15:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2016-2339
Date: Thu, 12 Jan 2017 16:10:44 +0100
Source: ruby2.3
Severity: grave
Tags: security

Hi,
this has been assigned CVE-2016-2339: http://www.talosintelligence.com/reports/TALOS-2016-0034/

Patch is here: https://github.com/ruby/ruby/commit/bcc2421b4938fc1d9f5f3fb6ef2320571b27af42

Cheers,
        Moritz
 



Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#851161; Package src:ruby2.3. (Thu, 12 Jan 2017 15:21:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>. (Thu, 12 Jan 2017 15:21:03 GMT)


Message #10 received at 851161@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 851161@bugs.debian.org
Subject: Re: CVE-2016-2339
Date: Thu, 12 Jan 2017 16:17:29 +0100
On Thu, Jan 12, 2017 at 04:10:44PM +0100, Moritz Muehlenhoff wrote:
> Source: ruby2.3
> Severity: grave
> Tags: security
> 
> Hi,
> this has been assigned CVE-2016-2339: http://www.talosintelligence.com/reports/TALOS-2016-0034/
> 
> Patch is here: https://github.com/ruby/ruby/commit/bcc2421b4938fc1d9f5f3fb6ef2320571b27af42

Also:
http://www.talosintelligence.com/reports/TALOS-2016-0031/

Cheers,
         Moritz




Changed Bug title to 'ruby2.3: CVE-2016-2337 CVE-2016-2339' from 'CVE-2016-2339'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 12 Jan 2017 15:39:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#851161; Package src:ruby2.3. (Fri, 20 Jan 2017 00:15:06 GMT)


Acknowledgement sent to Christian Hofstaedtler <zeha@debian.org>:
Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>. (Fri, 20 Jan 2017 00:15:06 GMT)


Message #17 received at 851161@bugs.debian.org:

From: Christian Hofstaedtler <zeha@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 851161@bugs.debian.org
Cc: carnil@debian.org
Subject: Re: Bug#851161: CVE-2016-2339
Date: Fri, 20 Jan 2017 01:13:41 +0100
Control: reassign -1 ruby2.1
Control: found -1 2.1.5-2+deb8u3

Hi,

* Moritz Muehlenhoff <jmm@debian.org> [170120 00:05]:
> this has been assigned CVE-2016-2339: http://www.talosintelligence.com/reports/TALOS-2016-0034/
> 
> Patch is here: https://github.com/ruby/ruby/commit/bcc2421b4938fc1d9f5f3fb6ef2320571b27af42

If I'm reading all those right, this is actually fixed since 2.3.0;
this issue is likely open in 2.1.x. Reassigning.

For the TclTk issue, looks like this upstream patch:
https://github.com/ruby/ruby/commit/a2b8925a94a672235ca6a16e584bf09026a957ab
If this is the correct patch, 2.3.0 has this fixed, but 2.1.x needs
a patch.

Would be good if somebody could crosscheck this.

Thanks,
-- 
christian hofstaedtler <zeha@debian.org>



Bug reassigned from package 'src:ruby2.3' to 'ruby2.1'. Request was from Christian Hofstaedtler <zeha@debian.org> to 851161-submit@bugs.debian.org. (Fri, 20 Jan 2017 00:15:06 GMT)


Marked as found in versions ruby2.1/2.1.5-2+deb8u3. Request was from Christian Hofstaedtler <zeha@debian.org> to 851161-submit@bugs.debian.org. (Fri, 20 Jan 2017 00:15:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#851161; Package ruby2.1. (Fri, 20 Jan 2017 06:09:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>. (Fri, 20 Jan 2017 06:09:03 GMT)


Message #26 received at 851161@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Christian Hofstaedtler <zeha@debian.org>, 851161@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#851161: CVE-2016-2337 CVE-2016-2339
Date: Fri, 20 Jan 2017 07:04:33 +0100
On Fri, Jan 20, 2017 at 01:13:41AM +0100, Christian Hofstaedtler wrote:
> Control: reassign -1 ruby2.1
> Control: found -1 2.1.5-2+deb8u3
> 
> Hi,
> 
> * Moritz Muehlenhoff <jmm@debian.org> [170120 00:05]:
> > this has been assigned CVE-2016-2339: http://www.talosintelligence.com/reports/TALOS-2016-0034/
> > 
> > Patch is here: https://github.com/ruby/ruby/commit/bcc2421b4938fc1d9f5f3fb6ef2320571b27af42
> 
> If I'm reading all those right, this is actually fixed since 2.3.0;
> this issue is likely open in 2.1.x. Reassigning.

Confirmed for 2.1.x, the POC in a jessie VM:

$ ruby CVE-2016-2339.rb 
Start
args array size : 1
increase size of array
New args array size is : 11
*** Error in `ruby': free(): invalid next size (fast): 0x0000000000ea3590 ***
Aborted

It was confusing that the TALOS report mentions that it was tested with 2.3.0 dev,
but this might then be right: the above commit is included from 2.3.0 onward.

> For the TclTk issue, looks like this upstream patch:
> https://github.com/ruby/ruby/commit/a2b8925a94a672235ca6a16e584bf09026a957ab
> If this is the correct patch, 2.3.0 has this fixed, but 2.1.x needs
> a patch.

Thanks, added the commit as well, and the fixed version to the tracker. I
*think*, although a problem in the source, this might not really need an update
in jessie via a DSA, since the issue is in combination with cancel_eval which is
supported in Tcl/Tk 8.6 or later, but we don't have that for jessie. So I would
tend to just mark that one as no-dsa at least. Or do I miss something?

Regards,
Salvatore



Changed Bug title to 'ruby2.1: CVE-2016-2337 CVE-2016-2339' from 'ruby2.3: CVE-2016-2337 CVE-2016-2339'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 20 Jan 2017 06:09:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#851161; Package ruby2.1. (Fri, 20 Jan 2017 09:57:07 GMT)


Acknowledgement sent to Christian Hofstaedtler <zeha@debian.org>:
Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>. (Fri, 20 Jan 2017 09:57:07 GMT)


Message #33 received at 851161@bugs.debian.org:

From: Christian Hofstaedtler <zeha@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 851161@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#851161: CVE-2016-2337 CVE-2016-2339
Date: Fri, 20 Jan 2017 10:55:32 +0100
* Salvatore Bonaccorso <carnil@debian.org> [170120 09:48]:
> > For the TclTk issue, looks like this upstream patch:
> > https://github.com/ruby/ruby/commit/a2b8925a94a672235ca6a16e584bf09026a957ab
> > If this is the correct patch, 2.3.0 has this fixed, but 2.1.x needs
> > a patch.
> 
> Thanks, added the commit as well, and the fixed version to the tracker. I
> *think*, although a problem in the source, this might not really need an update
> in jessie via a DSA, since the issue is in combination with cancel_eval which is
> supported in Tcl/Tk 8.6 or later, but we don't have that for jessie. So I would
> tend to just mark that one as no-dsa at least. Or do I miss something?

Right; I didn't remember we are building with tcl8.5 in jessie. So
looks like no-dsa for that, yes. It looks like the patch might just
apply as is to ruby2.1, so when doing an update we could try
sticking it in just because.

Best regards,
-ch

-- 
christian hofstaedtler <zeha@debian.org>



Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#851161; Package ruby2.1. (Fri, 20 Jan 2017 10:18:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>. (Fri, 20 Jan 2017 10:18:05 GMT)


Message #38 received at 851161@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Christian Hofstaedtler <zeha@debian.org>
Cc: 851161@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#851161: CVE-2016-2337 CVE-2016-2339
Date: Fri, 20 Jan 2017 11:14:57 +0100
Hi!

On Fri, Jan 20, 2017 at 10:55:32AM +0100, Christian Hofstaedtler wrote:
> * Salvatore Bonaccorso <carnil@debian.org> [170120 09:48]:
> > > For the TclTk issue, looks like this upstream patch:
> > > https://github.com/ruby/ruby/commit/a2b8925a94a672235ca6a16e584bf09026a957ab
> > > If this is the correct patch, 2.3.0 has this fixed, but 2.1.x needs
> > > a patch.
> > 
> > Thanks, added the commit as well, and the fixed version to the tracker. I
> > *think*, although a problem in the source, this might not really need an update
> > in jessie via a DSA, since the issue is in combination with cancel_eval which is
> > supported in Tcl/Tk 8.6 or later, but we don't have that for jessie. So I would
> > tend to just mark that one as no-dsa at least. Or do I miss something?
> 
> Right; I didn't remember we are building with tcl8.5 in jessie. So
> looks like no-dsa for that, yes. It looks like the patch might just
> apply as is to ruby2.1, so when doing an update we could try
> sticking it in just because.

So right, agree we can in any update include that as well. Now the
question is if the remaining CVE warrants a DSA on its own or if it is
sufficient to update via a point release.

AFAICT, as well for CVE-2016-2339, to exploit the flaw one would need
to execute untrusted ruby code, or pass an untrusted class to the
Fiddle module. So I'm not sure if CVE-2016-2339 would as well be
rather "no-dsa".

@Moritz, strong opinion on that? If not I would say to mark all of
the ruby2.1 CVEs open (CVE-2016-7798, CVE-2016-2337 and CVE-2016-2339)
as no-dsa and include them (if you can) in the next point release or
for any future ruby2.1 DSA.

Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#851161; Package ruby2.1. (Fri, 20 Jan 2017 10:27:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>. (Fri, 20 Jan 2017 10:27:03 GMT)


Message #43 received at 851161@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Christian Hofstaedtler <zeha@debian.org>, 851161@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#851161: CVE-2016-2337 CVE-2016-2339
Date: Fri, 20 Jan 2017 11:25:22 +0100
On Fri, Jan 20, 2017 at 11:14:57AM +0100, Salvatore Bonaccorso wrote:
> @Moritz, strong opinion on that? If not I would say to mark all of
> the ruby2.1 CVEs open (CVE-2016-7798, CVE-2016-2337 and CVE-2016-2339)
> as no-dsa and include them (if you can) in the next point release or
> for any future ruby2.1 DSA.

Agreed.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#851161; Package ruby2.1. (Fri, 20 Jan 2017 14:39:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>. (Fri, 20 Jan 2017 14:39:06 GMT)


Message #48 received at 851161@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Christian Hofstaedtler <zeha@debian.org>, 851161@bugs.debian.org
Subject: Re: Bug#851161: CVE-2016-2337 CVE-2016-2339
Date: Fri, 20 Jan 2017 15:35:07 +0100
On Fri, Jan 20, 2017 at 11:25:22AM +0100, Moritz Muehlenhoff wrote:
> On Fri, Jan 20, 2017 at 11:14:57AM +0100, Salvatore Bonaccorso wrote:
> > @Moritz, strong opinion on that? If not I would say to mark all of
> > the ruby2.1 CVEs open (CVE-2016-7798, CVE-2016-2337 and CVE-2016-2339)
> > as no-dsa and include them (if you can) in the next point release or
> > for any future ruby2.1 DSA.
> 
> Agreed.

Perfect, thanks. Marked as no-dsa.

Regards,
Salvatore



Reply sent to Moritz Mühlenhoff <jmm@inutil.org>:
You have taken responsibility. (Mon, 03 Sep 2018 10:39:05 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 03 Sep 2018 10:39:05 GMT)


Message #53 received at 851161-done@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 851161-done@bugs.debian.org
Subject: Re: CVE-2016-2339
Date: Mon, 3 Sep 2018 12:27:36 +0200
Version: 2.1.5-2+deb8u5

All mentioned CVEs are fixed via DLA-1480-1.
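The found and fixed versions tracked in this log (2.1.5-2+deb8u3 and 2.1.5-2+deb8u5) are ordered by dpkg's version comparison. The Ruby below is an added example, not part of this bug log or of Debian's tooling: it implements that ordering and reports whether an installed ruby2.1 version has reached the fixed version. The installed version string is assumed to be supplied by the caller (on a Debian host, dpkg-query -W -f='${Version}' ruby2.1 prints it).

```ruby
# Added example (not from this bug log): dpkg's Debian version ordering in
# Ruby, checking an installed ruby2.1 version against the fixed 2.1.5-2+deb8u5.
module DebVersion
  module_function

  def digit?(c)
    !c.nil? && c.between?("0", "9")
  end

  # Weight of a character in a non-digit run, as dpkg orders them: '~' sorts
  # before anything (even end of string), letters before other characters.
  def order(c)
    return 0 if c.nil? || digit?(c)
    return -1 if c == "~"
    c.match?(/[A-Za-z]/) ? c.ord : c.ord + 256
  end

  # Compare one fragment (upstream version or revision): alternate non-digit
  # runs (by order) and digit runs (numerically, leading zeros ignored).
  def fragment_cmp(a, b)
    a, b = a.chars, b.chars
    until a.empty? && b.empty?
      while (a[0] && !digit?(a[0])) || (b[0] && !digit?(b[0]))
        diff = order(a.shift) - order(b.shift)
        return diff <=> 0 unless diff.zero?
      end
      a.shift while a[0] == "0"
      b.shift while b[0] == "0"
      first_diff = 0
      while digit?(a[0]) && digit?(b[0])
        first_diff = a[0].ord - b[0].ord if first_diff.zero?
        a.shift; b.shift
      end
      return 1 if digit?(a[0])  # a longer digit run is the larger number
      return -1 if digit?(b[0])
      return first_diff <=> 0 unless first_diff.zero?
    end
    0
  end

  # "[epoch:]upstream[-revision]": epoch numerically, then upstream, then the
  # revision after the last '-'. Returns -1, 0 or 1.
  def compare(a, b)
    (ea, ua, ra), (eb, ub, rb) = [a, b].map do |v|
      epoch, rest = v.include?(":") ? v.split(":", 2) : ["0", v]
      i = rest.rindex("-")
      [epoch.to_i, i ? rest[0...i] : rest, i ? rest[i + 1..-1] : ""]
    end
    return ea <=> eb unless ea == eb
    c = fragment_cmp(ua, ub)
    c.zero? ? fragment_cmp(ra, rb) : c
  end

  # True when the installed package already carries the DLA-1480-1 fix.
  def fixed?(installed, fixed = "2.1.5-2+deb8u5")
    compare(installed, fixed) >= 0
  end
end
```

A host still on the found version 2.1.5-2+deb8u3 is reported as not fixed; an epoch or a later Debian revision sorts above the fixed version.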



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 02 Oct 2018 07:30:16 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:49:42 2019; Machine Name: buxtehude
