SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Ruby Vendors:   Matsumoto, Yukihiro
(Red Hat Issues Fix) Ruby Multiple Flaws Let Remote Users Inject Log Data, Deny Service, and Obtain Potentially Sensitive Information from the Heap
SecurityTracker Alert ID:  1040022
SecurityTracker URL:  http://securitytracker.com/id/1040022
CVE Reference:   CVE-2017-0898, CVE-2017-10784, CVE-2017-14064   (Links to External Site)
Date:  Dec 19 2017
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Several vulnerabilities were reported in Ruby. A remote user can modify data on the target system. A remote user can cause denial of service conditions on the target system. A remote user can obtain potentially sensitive information on the target system.

An application can provide a specially crafted format string value to trigger a buffer underrun in the Kernel.sprintf() method to cause the target interpreter to crash or to potentially access data from the heap [CVE-2017-0898].

A remote user can supply a specially crafted user name value to the WEBrick Basic authentication function to cause escape sequences to be injected into the log file. When the target administrator views the log contents via a terminal emulator, the escape sequences may be executed [CVE-2017-10784].

An application can provide a specially crafted string to the OpenSSL::ASN1 decode function to trigger a buffer underrun and cause the target interpreter to crash [CVE-2017-14033].

An application can pass a specially crafted instance of JSON::Ext::Generator::State class to the generate method of the JSON module to potentially obtain heap contents [CVE-2017-14064].

aerodudrizzt, Yusuke Endoh mame@ruby-lang.org, asac, and ahmadsherif reported these vulnerabilities.

Impact:   A remote user can inject data into log files on the target system.

A remote user can cause denial of service conditions.

A remote user can obtain potentially sensitive information on the target system.

Solution:   Red Hat has issued a fix for CVE-2017-0898, CVE-2017-10784, and CVE-2017-14064.

The Red Hat advisory is available at:

https://access.redhat.com/errata/RHSA-2017:3485

Vendor URL:  access.redhat.com/errata/RHSA-2017:3485 (Links to External Site)
Cause:   Access control error, Boundary error
Underlying OS:  Linux (Red Hat Enterprise)
Underlying OS Comments:  6, 6.7, 7, 7.3, 7.4

Message History:   This archive entry is a follow-up to the message listed below.
Sep 15 2017 Ruby Multiple Flaws Let Remote Users Inject Log Data, Deny Service, and Obtain Potentially Sensitive Information from the Heap



 Source Message Contents

Subject:  [RHSA-2017:3485-01] Moderate: rh-ruby24-ruby security, bug fix, and enhancement update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: rh-ruby24-ruby security, bug fix, and enhancement update
Advisory ID:       RHSA-2017:3485-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:3485
Issue date:        2017-12-19
CVE Names:         CVE-2017-0898 CVE-2017-0899 CVE-2017-0900 
                   CVE-2017-0901 CVE-2017-0902 CVE-2017-0903 
                   CVE-2017-10784 CVE-2017-14064 
=====================================================================

1. Summary:

An update for rh-ruby24-ruby is now available for Red Hat Software
Collections.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

Ruby is an extensible, interpreted, object-oriented, scripting language. It
has features to process text files and to perform system management tasks.

The following packages have been upgraded to a later upstream version:
rh-ruby24-ruby (2.4.2). (BZ#1506785)

Security Fix(es):

* A buffer underflow was found in ruby's sprintf function. An attacker,
with ability to control its format string parameter, could send a specially
crafted string that would disclose heap memory or crash the interpreter.
(CVE-2017-0898)

* It was found that rubygems did not sanitize gem names during installation
of a given gem. A specially crafted gem could use this flaw to install
files outside of the regular directory. (CVE-2017-0901)

* A vulnerability was found where rubygems did not sanitize DNS responses
when requesting the hostname of the rubygems server for a domain, via a
_rubygems._tcp DNS SRV query. An attacker with the ability to manipulate
DNS responses could direct the gem command towards a different domain.
(CVE-2017-0902)

* A vulnerability was found where the rubygems module was vulnerable to an
unsafe YAML deserialization when inspecting a gem. Applications inspecting
gem files without installing them can be tricked to execute arbitrary code
in the context of the ruby interpreter. (CVE-2017-0903)

* It was found that WEBrick did not sanitize all its log messages. If logs
were printed in a terminal, an attacker could interact with the terminal
via the use of escape sequences. (CVE-2017-10784)

* A vulnerability was found where rubygems did not properly sanitize gems'
specification text. A specially crafted gem could interact with the
terminal via the use of escape sequences. (CVE-2017-0899)

* It was found that rubygems could use an excessive amount of CPU while
parsing a sufficiently long gem summary. A specially crafted gem from a gem
repository could freeze gem commands attempting to parse its summary.
(CVE-2017-0900)

* A buffer overflow vulnerability was found in the JSON extension of ruby.
An attacker with the ability to pass a specially crafted JSON input to the
extension could use this flaw to expose the interpreter's heap memory.
(CVE-2017-14064)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1487552 - CVE-2017-14064 ruby: Arbitrary heap exposure during a JSON.generate call
1487587 - CVE-2017-0901 rubygems: Arbitrary file overwrite due to incorrect validation of specification name
1487588 - CVE-2017-0900 rubygems: No size limit in summary length of gem spec
1487589 - CVE-2017-0902 rubygems: DNS hijacking vulnerability
1487590 - CVE-2017-0899 rubygems: Escape sequence in the "summary" field of gemspec
1492012 - CVE-2017-10784 ruby: Escape sequence injection vulnerability in the Basic authentication of WEBrick
1492015 - CVE-2017-0898 ruby: Buffer underrun vulnerability in Kernel.sprintf
1500488 - CVE-2017-0903 rubygems: Unsafe object deserialization through YAML formatted gem specifications
1506785 - Rebase to the latest Ruby 2.4 point release [rhscl-3.0.z]

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):

Source:
rh-ruby24-ruby-2.4.2-86.el6.src.rpm

noarch:
rh-ruby24-ruby-doc-2.4.2-86.el6.noarch.rpm
rh-ruby24-ruby-irb-2.4.2-86.el6.noarch.rpm
rh-ruby24-rubygem-minitest-5.10.1-86.el6.noarch.rpm
rh-ruby24-rubygem-power_assert-0.4.1-86.el6.noarch.rpm
rh-ruby24-rubygem-rake-12.0.0-86.el6.noarch.rpm
rh-ruby24-rubygem-rdoc-5.0.0-86.el6.noarch.rpm
rh-ruby24-rubygem-test-unit-3.2.3-86.el6.noarch.rpm
rh-ruby24-rubygem-xmlrpc-0.2.1-86.el6.noarch.rpm
rh-ruby24-rubygems-2.6.14-86.el6.noarch.rpm
rh-ruby24-rubygems-devel-2.6.14-86.el6.noarch.rpm

x86_64:
rh-ruby24-ruby-2.4.2-86.el6.x86_64.rpm
rh-ruby24-ruby-debuginfo-2.4.2-86.el6.x86_64.rpm
rh-ruby24-ruby-devel-2.4.2-86.el6.x86_64.rpm
rh-ruby24-ruby-libs-2.4.2-86.el6.x86_64.rpm
rh-ruby24-rubygem-bigdecimal-1.3.0-86.el6.x86_64.rpm
rh-ruby24-rubygem-did_you_mean-1.1.0-86.el6.x86_64.rpm
rh-ruby24-rubygem-io-console-0.4.6-86.el6.x86_64.rpm
rh-ruby24-rubygem-json-2.0.4-86.el6.x86_64.rpm
rh-ruby24-rubygem-net-telnet-0.1.1-86.el6.x86_64.rpm
rh-ruby24-rubygem-openssl-2.0.5-86.el6.x86_64.rpm
rh-ruby24-rubygem-psych-2.2.2-86.el6.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7):

Source:
rh-ruby24-ruby-2.4.2-86.el6.src.rpm

noarch:
rh-ruby24-ruby-doc-2.4.2-86.el6.noarch.rpm
rh-ruby24-ruby-irb-2.4.2-86.el6.noarch.rpm
rh-ruby24-rubygem-minitest-5.10.1-86.el6.noarch.rpm
rh-ruby24-rubygem-power_assert-0.4.1-86.el6.noarch.rpm
rh-ruby24-rubygem-rake-12.0.0-86.el6.noarch.rpm
rh-ruby24-rubygem-rdoc-5.0.0-86.el6.noarch.rpm
rh-ruby24-rubygem-test-unit-3.2.3-86.el6.noarch.rpm
rh-ruby24-rubygem-xmlrpc-0.2.1-86.el6.noarch.rpm
rh-ruby24-rubygems-2.6.14-86.el6.noarch.rpm
rh-ruby24-rubygems-devel-2.6.14-86.el6.noarch.rpm

x86_64:
rh-ruby24-ruby-2.4.2-86.el6.x86_64.rpm
rh-ruby24-ruby-debuginfo-2.4.2-86.el6.x86_64.rpm
rh-ruby24-ruby-devel-2.4.2-86.el6.x86_64.rpm
rh-ruby24-ruby-libs-2.4.2-86.el6.x86_64.rpm
rh-ruby24-rubygem-bigdecimal-1.3.0-86.el6.x86_64.rpm
rh-ruby24-rubygem-did_you_mean-1.1.0-86.el6.x86_64.rpm
rh-ruby24-rubygem-io-console-0.4.6-86.el6.x86_64.rpm
rh-ruby24-rubygem-json-2.0.4-86.el6.x86_64.rpm
rh-ruby24-rubygem-net-telnet-0.1.1-86.el6.x86_64.rpm
rh-ruby24-rubygem-openssl-2.0.5-86.el6.x86_64.rpm
rh-ruby24-rubygem-psych-2.2.2-86.el6.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):

Source:
rh-ruby24-ruby-2.4.2-86.el6.src.rpm

noarch:
rh-ruby24-ruby-doc-2.4.2-86.el6.noarch.rpm
rh-ruby24-ruby-irb-2.4.2-86.el6.noarch.rpm
rh-ruby24-rubygem-minitest-5.10.1-86.el6.noarch.rpm
rh-ruby24-rubygem-power_assert-0.4.1-86.el6.noarch.rpm
rh-ruby24-rubygem-rake-12.0.0-86.el6.noarch.rpm
rh-ruby24-rubygem-rdoc-5.0.0-86.el6.noarch.rpm
rh-ruby24-rubygem-test-unit-3.2.3-86.el6.noarch.rpm
rh-ruby24-rubygem-xmlrpc-0.2.1-86.el6.noarch.rpm
rh-ruby24-rubygems-2.6.14-86.el6.noarch.rpm
rh-ruby24-rubygems-devel-2.6.14-86.el6.noarch.rpm

x86_64:
rh-ruby24-ruby-2.4.2-86.el6.x86_64.rpm
rh-ruby24-ruby-debuginfo-2.4.2-86.el6.x86_64.rpm
rh-ruby24-ruby-devel-2.4.2-86.el6.x86_64.rpm
rh-ruby24-ruby-libs-2.4.2-86.el6.x86_64.rpm
rh-ruby24-rubygem-bigdecimal-1.3.0-86.el6.x86_64.rpm
rh-ruby24-rubygem-did_you_mean-1.1.0-86.el6.x86_64.rpm
rh-ruby24-rubygem-io-console-0.4.6-86.el6.x86_64.rpm
rh-ruby24-rubygem-json-2.0.4-86.el6.x86_64.rpm
rh-ruby24-rubygem-net-telnet-0.1.1-86.el6.x86_64.rpm
rh-ruby24-rubygem-openssl-2.0.5-86.el6.x86_64.rpm
rh-ruby24-rubygem-psych-2.2.2-86.el6.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-ruby24-ruby-2.4.2-86.el7.src.rpm

noarch:
rh-ruby24-ruby-doc-2.4.2-86.el7.noarch.rpm
rh-ruby24-ruby-irb-2.4.2-86.el7.noarch.rpm
rh-ruby24-rubygem-minitest-5.10.1-86.el7.noarch.rpm
rh-ruby24-rubygem-power_assert-0.4.1-86.el7.noarch.rpm
rh-ruby24-rubygem-rake-12.0.0-86.el7.noarch.rpm
rh-ruby24-rubygem-rdoc-5.0.0-86.el7.noarch.rpm
rh-ruby24-rubygem-test-unit-3.2.3-86.el7.noarch.rpm
rh-ruby24-rubygem-xmlrpc-0.2.1-86.el7.noarch.rpm
rh-ruby24-rubygems-2.6.14-86.el7.noarch.rpm
rh-ruby24-rubygems-devel-2.6.14-86.el7.noarch.rpm

x86_64:
rh-ruby24-ruby-2.4.2-86.el7.x86_64.rpm
rh-ruby24-ruby-debuginfo-2.4.2-86.el7.x86_64.rpm
rh-ruby24-ruby-devel-2.4.2-86.el7.x86_64.rpm
rh-ruby24-ruby-libs-2.4.2-86.el7.x86_64.rpm
rh-ruby24-rubygem-bigdecimal-1.3.0-86.el7.x86_64.rpm
rh-ruby24-rubygem-did_you_mean-1.1.0-86.el7.x86_64.rpm
rh-ruby24-rubygem-io-console-0.4.6-86.el7.x86_64.rpm
rh-ruby24-rubygem-json-2.0.4-86.el7.x86_64.rpm
rh-ruby24-rubygem-net-telnet-0.1.1-86.el7.x86_64.rpm
rh-ruby24-rubygem-openssl-2.0.5-86.el7.x86_64.rpm
rh-ruby24-rubygem-psych-2.2.2-86.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3):

Source:
rh-ruby24-ruby-2.4.2-86.el7.src.rpm

noarch:
rh-ruby24-ruby-doc-2.4.2-86.el7.noarch.rpm
rh-ruby24-ruby-irb-2.4.2-86.el7.noarch.rpm
rh-ruby24-rubygem-minitest-5.10.1-86.el7.noarch.rpm
rh-ruby24-rubygem-power_assert-0.4.1-86.el7.noarch.rpm
rh-ruby24-rubygem-rake-12.0.0-86.el7.noarch.rpm
rh-ruby24-rubygem-rdoc-5.0.0-86.el7.noarch.rpm
rh-ruby24-rubygem-test-unit-3.2.3-86.el7.noarch.rpm
rh-ruby24-rubygem-xmlrpc-0.2.1-86.el7.noarch.rpm
rh-ruby24-rubygems-2.6.14-86.el7.noarch.rpm
rh-ruby24-rubygems-devel-2.6.14-86.el7.noarch.rpm

x86_64:
rh-ruby24-ruby-2.4.2-86.el7.x86_64.rpm
rh-ruby24-ruby-debuginfo-2.4.2-86.el7.x86_64.rpm
rh-ruby24-ruby-devel-2.4.2-86.el7.x86_64.rpm
rh-ruby24-ruby-libs-2.4.2-86.el7.x86_64.rpm
rh-ruby24-rubygem-bigdecimal-1.3.0-86.el7.x86_64.rpm
rh-ruby24-rubygem-did_you_mean-1.1.0-86.el7.x86_64.rpm
rh-ruby24-rubygem-io-console-0.4.6-86.el7.x86_64.rpm
rh-ruby24-rubygem-json-2.0.4-86.el7.x86_64.rpm
rh-ruby24-rubygem-net-telnet-0.1.1-86.el7.x86_64.rpm
rh-ruby24-rubygem-openssl-2.0.5-86.el7.x86_64.rpm
rh-ruby24-rubygem-psych-2.2.2-86.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4):

Source:
rh-ruby24-ruby-2.4.2-86.el7.src.rpm

noarch:
rh-ruby24-ruby-doc-2.4.2-86.el7.noarch.rpm
rh-ruby24-ruby-irb-2.4.2-86.el7.noarch.rpm
rh-ruby24-rubygem-minitest-5.10.1-86.el7.noarch.rpm
rh-ruby24-rubygem-power_assert-0.4.1-86.el7.noarch.rpm
rh-ruby24-rubygem-rake-12.0.0-86.el7.noarch.rpm
rh-ruby24-rubygem-rdoc-5.0.0-86.el7.noarch.rpm
rh-ruby24-rubygem-test-unit-3.2.3-86.el7.noarch.rpm
rh-ruby24-rubygem-xmlrpc-0.2.1-86.el7.noarch.rpm
rh-ruby24-rubygems-2.6.14-86.el7.noarch.rpm
rh-ruby24-rubygems-devel-2.6.14-86.el7.noarch.rpm

x86_64:
rh-ruby24-ruby-2.4.2-86.el7.x86_64.rpm
rh-ruby24-ruby-debuginfo-2.4.2-86.el7.x86_64.rpm
rh-ruby24-ruby-devel-2.4.2-86.el7.x86_64.rpm
rh-ruby24-ruby-libs-2.4.2-86.el7.x86_64.rpm
rh-ruby24-rubygem-bigdecimal-1.3.0-86.el7.x86_64.rpm
rh-ruby24-rubygem-did_you_mean-1.1.0-86.el7.x86_64.rpm
rh-ruby24-rubygem-io-console-0.4.6-86.el7.x86_64.rpm
rh-ruby24-rubygem-json-2.0.4-86.el7.x86_64.rpm
rh-ruby24-rubygem-net-telnet-0.1.1-86.el7.x86_64.rpm
rh-ruby24-rubygem-openssl-2.0.5-86.el7.x86_64.rpm
rh-ruby24-rubygem-psych-2.2.2-86.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-ruby24-ruby-2.4.2-86.el7.src.rpm

noarch:
rh-ruby24-ruby-doc-2.4.2-86.el7.noarch.rpm
rh-ruby24-ruby-irb-2.4.2-86.el7.noarch.rpm
rh-ruby24-rubygem-minitest-5.10.1-86.el7.noarch.rpm
rh-ruby24-rubygem-power_assert-0.4.1-86.el7.noarch.rpm
rh-ruby24-rubygem-rake-12.0.0-86.el7.noarch.rpm
rh-ruby24-rubygem-rdoc-5.0.0-86.el7.noarch.rpm
rh-ruby24-rubygem-test-unit-3.2.3-86.el7.noarch.rpm
rh-ruby24-rubygem-xmlrpc-0.2.1-86.el7.noarch.rpm
rh-ruby24-rubygems-2.6.14-86.el7.noarch.rpm
rh-ruby24-rubygems-devel-2.6.14-86.el7.noarch.rpm

x86_64:
rh-ruby24-ruby-2.4.2-86.el7.x86_64.rpm
rh-ruby24-ruby-debuginfo-2.4.2-86.el7.x86_64.rpm
rh-ruby24-ruby-devel-2.4.2-86.el7.x86_64.rpm
rh-ruby24-ruby-libs-2.4.2-86.el7.x86_64.rpm
rh-ruby24-rubygem-bigdecimal-1.3.0-86.el7.x86_64.rpm
rh-ruby24-rubygem-did_you_mean-1.1.0-86.el7.x86_64.rpm
rh-ruby24-rubygem-io-console-0.4.6-86.el7.x86_64.rpm
rh-ruby24-rubygem-json-2.0.4-86.el7.x86_64.rpm
rh-ruby24-rubygem-net-telnet-0.1.1-86.el7.x86_64.rpm
rh-ruby24-rubygem-openssl-2.0.5-86.el7.x86_64.rpm
rh-ruby24-rubygem-psych-2.2.2-86.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-0898
https://access.redhat.com/security/cve/CVE-2017-0899
https://access.redhat.com/security/cve/CVE-2017-0900
https://access.redhat.com/security/cve/CVE-2017-0901
https://access.redhat.com/security/cve/CVE-2017-0902
https://access.redhat.com/security/cve/CVE-2017-0903
https://access.redhat.com/security/cve/CVE-2017-10784
https://access.redhat.com/security/cve/CVE-2017-14064
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFaOM+JXlSAg2UNWIIRAqaDAKC9Irw/Rln4CyNuCV/te7XFo4WhowCcCMH9
z34qLfRLYhdz170IYhPJdR0=
=EBZR
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC