ESB-2018.0591 - [RedHat] ruby: Multiple vulnerabilities 2018-03-01


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0591
                      Important: ruby security update
                               1 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Create Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-17790 CVE-2017-17405 CVE-2017-14064
                   CVE-2017-14033 CVE-2017-10784 CVE-2017-0903
                   CVE-2017-0902 CVE-2017-0901 CVE-2017-0900
                   CVE-2017-0899 CVE-2017-0898 

Reference:         ASB-2017.0137
                   ESB-2018.0314
                   ESB-2017.3238
                   ESB-2017.2869
                   ESB-2017.2520
                   ESB-2017.2347
                   ESB-2017.2224

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2018:0378

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: ruby security update
Advisory ID:       RHSA-2018:0378-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:0378
Issue date:        2018-02-28
CVE Names:         CVE-2017-0898 CVE-2017-0899 CVE-2017-0900 
                   CVE-2017-0901 CVE-2017-0902 CVE-2017-0903 
                   CVE-2017-10784 CVE-2017-14033 CVE-2017-14064 
                   CVE-2017-17405 CVE-2017-17790 
=====================================================================

1. Summary:

An update for ruby is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - aarch64, noarch, ppc64le
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7) - aarch64, noarch, ppc64le

3. Description:

Ruby is an extensible, interpreted, object-oriented scripting language. It
has features to process text files and to perform system management tasks.

Security Fix(es):

* It was discovered that the Net::FTP module did not properly process
filenames in combination with certain operations. A remote attacker could
exploit this flaw to execute arbitrary commands by setting up a malicious
FTP server and tricking a user or Ruby application into downloading files
with specially crafted names using the Net::FTP module. (CVE-2017-17405)

* A buffer underflow was found in ruby's sprintf function. An attacker,
with ability to control its format string parameter, could send a specially
crafted string that would disclose heap memory or crash the interpreter.
(CVE-2017-0898)

* It was found that rubygems did not sanitize gem names during installation
of a given gem. A specially crafted gem could use this flaw to install
files outside of the regular directory. (CVE-2017-0901)

* A vulnerability was found where rubygems did not sanitize DNS responses
when requesting the hostname of the rubygems server for a domain, via a
_rubygems._tcp DNS SRV query. An attacker with the ability to manipulate
DNS responses could direct the gem command towards a different domain.
(CVE-2017-0902)

* A vulnerability was found where the rubygems module was vulnerable to an
unsafe YAML deserialization when inspecting a gem. Applications inspecting
gem files without installing them can be tricked to execute arbitrary code
in the context of the ruby interpreter. (CVE-2017-0903)

* It was found that WEBrick did not sanitize all its log messages. If logs
were printed in a terminal, an attacker could interact with the terminal
via the use of escape sequences. (CVE-2017-10784)

* It was found that the decode method of the OpenSSL::ASN1 module was
vulnerable to buffer underrun. An attacker could pass a specially crafted
string to the application in order to crash the ruby interpreter, causing a
denial of service. (CVE-2017-14033)

* A vulnerability was found where rubygems did not properly sanitize gems'
specification text. A specially crafted gem could interact with the
terminal via the use of escape sequences. (CVE-2017-0899)

* It was found that rubygems could use an excessive amount of CPU while
parsing a sufficiently long gem summary. A specially crafted gem from a gem
repository could freeze gem commands attempting to parse its summary.
(CVE-2017-0900)

* A buffer overflow vulnerability was found in the JSON extension of ruby.
An attacker with the ability to pass a specially crafted JSON input to the
extension could use this flaw to expose the interpreter's heap memory.
(CVE-2017-14064)

* The "lazy_initialize" function in lib/resolv.rb did not properly process
certain filenames. A remote attacker could possibly exploit this flaw to
inject and execute arbitrary commands. (CVE-2017-17790)
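
The two escape-sequence fixes above (CVE-2017-10784 for WEBrick log messages, CVE-2017-0899 for gemspec summaries) and the summary-length fix (CVE-2017-0900) share one defensive pattern: text taken from a client or from gem metadata is untrusted and must be neutralised before it reaches a terminal. The following is an added Ruby example, not code from the advisory, Red Hat or the Ruby project; the 1024-character limit and the helper names are assumptions.

```ruby
# Added example: terminal-safe handling of untrusted text (defensive pattern
# behind the WEBrick log and gemspec summary fixes in this advisory).

MAX_SUMMARY_LEN = 1024  # assumed limit; the advisory states no specific value

# ASCII C0 control characters and DEL: ESC starts ANSI sequences, BEL/CR/LF
# can forge or mangle log lines, the rest are never legitimate in a log line.
CONTROL_CHARS = /[\x00-\x1F\x7F]/

# Readable replacements for the most common control characters.
VISIBLE = { 0x1B => '\e', 0x0A => '\n', 0x0D => '\r', 0x09 => '\t', 0x07 => '\a' }

def contains_escape_sequences?(text)
  !!(text =~ CONTROL_CHARS)
end

# Replace every control character with an inert, printable escape such as
# "\e" or "\x00", so a terminal shows the sequence instead of executing it.
def sanitize_for_terminal(text)
  text.gsub(CONTROL_CHARS) do |ch|
    VISIBLE.fetch(ch.ord) { format('\x%02X', ch.ord) }
  end
end

# Access-log line that treats the client-supplied user name and request line
# as untrusted; mirrors the WEBrick case where a Basic-auth user name reached
# the terminal unescaped.
def access_log_line(client_ip, user, request_line, status)
  "#{client_ip} - #{sanitize_for_terminal(user)} " \
    "\"#{sanitize_for_terminal(request_line)}\" #{status}"
end

# Gemspec-style summary check: reject over-long text before any expensive
# parsing, then reject control or escape characters outright.
def validate_summary(summary)
  if summary.length > MAX_SUMMARY_LEN
    return [false, "summary too long (#{summary.length} > #{MAX_SUMMARY_LEN})"]
  end
  return [false, "summary contains control or escape characters"] if contains_escape_sequences?(summary)
  [true, nil]
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input: a user name carrying an ANSI colour sequence.
  puts access_log_line("192.0.2.10", "bob\e[31m", "GET /index.html HTTP/1.1", 200)
  p validate_summary("A normal gem summary")
  p validate_summary("Bad\e[2Jsummary")
end
```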

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1487552 - CVE-2017-14064 ruby: Arbitrary heap exposure during a JSON.generate call
1487587 - CVE-2017-0901 rubygems: Arbitrary file overwrite due to incorrect validation of specification name
1487588 - CVE-2017-0900 rubygems: No size limit in summary length of gem spec
1487589 - CVE-2017-0902 rubygems: DNS hijacking vulnerability
1487590 - CVE-2017-0899 rubygems: Escape sequence in the "summary" field of gemspec
1491866 - CVE-2017-14033 ruby: Buffer underrun in OpenSSL ASN1 decode
1492012 - CVE-2017-10784 ruby: Escape sequence injection vulnerability in the Basic authentication of WEBrick
1492015 - CVE-2017-0898 ruby: Buffer underrun vulnerability in Kernel.sprintf
1500488 - CVE-2017-0903 rubygems: Unsafe object deserialization through YAML formatted gem specifications
1526189 - CVE-2017-17405 ruby: Command injection vulnerability in Net::FTP
1528218 - CVE-2017-17790 ruby: Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
ruby-2.0.0.648-33.el7_4.src.rpm

noarch:
ruby-irb-2.0.0.648-33.el7_4.noarch.rpm
rubygem-rdoc-4.0.0-33.el7_4.noarch.rpm
rubygems-2.0.14.1-33.el7_4.noarch.rpm

x86_64:
ruby-2.0.0.648-33.el7_4.x86_64.rpm
ruby-debuginfo-2.0.0.648-33.el7_4.i686.rpm
ruby-debuginfo-2.0.0.648-33.el7_4.x86_64.rpm
ruby-libs-2.0.0.648-33.el7_4.i686.rpm
ruby-libs-2.0.0.648-33.el7_4.x86_64.rpm
rubygem-bigdecimal-1.2.0-33.el7_4.x86_64.rpm
rubygem-io-console-0.4.2-33.el7_4.x86_64.rpm
rubygem-json-1.7.7-33.el7_4.x86_64.rpm
rubygem-psych-2.0.0-33.el7_4.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
ruby-doc-2.0.0.648-33.el7_4.noarch.rpm
rubygem-minitest-4.3.2-33.el7_4.noarch.rpm
rubygem-rake-0.9.6-33.el7_4.noarch.rpm
rubygems-devel-2.0.14.1-33.el7_4.noarch.rpm

x86_64:
ruby-debuginfo-2.0.0.648-33.el7_4.x86_64.rpm
ruby-devel-2.0.0.648-33.el7_4.x86_64.rpm
ruby-tcltk-2.0.0.648-33.el7_4.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
ruby-2.0.0.648-33.el7_4.src.rpm

noarch:
ruby-irb-2.0.0.648-33.el7_4.noarch.rpm
rubygem-rdoc-4.0.0-33.el7_4.noarch.rpm
rubygems-2.0.14.1-33.el7_4.noarch.rpm

x86_64:
ruby-2.0.0.648-33.el7_4.x86_64.rpm
ruby-debuginfo-2.0.0.648-33.el7_4.i686.rpm
ruby-debuginfo-2.0.0.648-33.el7_4.x86_64.rpm
ruby-libs-2.0.0.648-33.el7_4.i686.rpm
ruby-libs-2.0.0.648-33.el7_4.x86_64.rpm
rubygem-bigdecimal-1.2.0-33.el7_4.x86_64.rpm
rubygem-io-console-0.4.2-33.el7_4.x86_64.rpm
rubygem-json-1.7.7-33.el7_4.x86_64.rpm
rubygem-psych-2.0.0-33.el7_4.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
ruby-doc-2.0.0.648-33.el7_4.noarch.rpm
rubygem-minitest-4.3.2-33.el7_4.noarch.rpm
rubygem-rake-0.9.6-33.el7_4.noarch.rpm
rubygems-devel-2.0.14.1-33.el7_4.noarch.rpm

x86_64:
ruby-debuginfo-2.0.0.648-33.el7_4.x86_64.rpm
ruby-devel-2.0.0.648-33.el7_4.x86_64.rpm
ruby-tcltk-2.0.0.648-33.el7_4.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
ruby-2.0.0.648-33.el7_4.src.rpm

noarch:
ruby-irb-2.0.0.648-33.el7_4.noarch.rpm
rubygem-rdoc-4.0.0-33.el7_4.noarch.rpm
rubygems-2.0.14.1-33.el7_4.noarch.rpm

ppc64:
ruby-2.0.0.648-33.el7_4.ppc64.rpm
ruby-debuginfo-2.0.0.648-33.el7_4.ppc.rpm
ruby-debuginfo-2.0.0.648-33.el7_4.ppc64.rpm
ruby-libs-2.0.0.648-33.el7_4.ppc.rpm
ruby-libs-2.0.0.648-33.el7_4.ppc64.rpm
rubygem-bigdecimal-1.2.0-33.el7_4.ppc64.rpm
rubygem-io-console-0.4.2-33.el7_4.ppc64.rpm
rubygem-json-1.7.7-33.el7_4.ppc64.rpm
rubygem-psych-2.0.0-33.el7_4.ppc64.rpm

ppc64le:
ruby-2.0.0.648-33.el7_4.ppc64le.rpm
ruby-debuginfo-2.0.0.648-33.el7_4.ppc64le.rpm
ruby-libs-2.0.0.648-33.el7_4.ppc64le.rpm
rubygem-bigdecimal-1.2.0-33.el7_4.ppc64le.rpm
rubygem-io-console-0.4.2-33.el7_4.ppc64le.rpm
rubygem-json-1.7.7-33.el7_4.ppc64le.rpm
rubygem-psych-2.0.0-33.el7_4.ppc64le.rpm

s390x:
ruby-2.0.0.648-33.el7_4.s390x.rpm
ruby-debuginfo-2.0.0.648-33.el7_4.s390.rpm
ruby-debuginfo-2.0.0.648-33.el7_4.s390x.rpm
ruby-libs-2.0.0.648-33.el7_4.s390.rpm
ruby-libs-2.0.0.648-33.el7_4.s390x.rpm
rubygem-bigdecimal-1.2.0-33.el7_4.s390x.rpm
rubygem-io-console-0.4.2-33.el7_4.s390x.rpm
rubygem-json-1.7.7-33.el7_4.s390x.rpm
rubygem-psych-2.0.0-33.el7_4.s390x.rpm

x86_64:
ruby-2.0.0.648-33.el7_4.x86_64.rpm
ruby-debuginfo-2.0.0.648-33.el7_4.i686.rpm
ruby-debuginfo-2.0.0.648-33.el7_4.x86_64.rpm
ruby-libs-2.0.0.648-33.el7_4.i686.rpm
ruby-libs-2.0.0.648-33.el7_4.x86_64.rpm
rubygem-bigdecimal-1.2.0-33.el7_4.x86_64.rpm
rubygem-io-console-0.4.2-33.el7_4.x86_64.rpm
rubygem-json-1.7.7-33.el7_4.x86_64.rpm
rubygem-psych-2.0.0-33.el7_4.x86_64.rpm

Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7):

Source:
ruby-2.0.0.648-33.el7_4.src.rpm

aarch64:
ruby-2.0.0.648-33.el7_4.aarch64.rpm
ruby-debuginfo-2.0.0.648-33.el7_4.aarch64.rpm
ruby-libs-2.0.0.648-33.el7_4.aarch64.rpm
rubygem-bigdecimal-1.2.0-33.el7_4.aarch64.rpm
rubygem-io-console-0.4.2-33.el7_4.aarch64.rpm
rubygem-json-1.7.7-33.el7_4.aarch64.rpm
rubygem-psych-2.0.0-33.el7_4.aarch64.rpm

noarch:
ruby-irb-2.0.0.648-33.el7_4.noarch.rpm
rubygem-rdoc-4.0.0-33.el7_4.noarch.rpm
rubygems-2.0.14.1-33.el7_4.noarch.rpm

ppc64le:
ruby-2.0.0.648-33.el7_4.ppc64le.rpm
ruby-debuginfo-2.0.0.648-33.el7_4.ppc64le.rpm
ruby-libs-2.0.0.648-33.el7_4.ppc64le.rpm
rubygem-bigdecimal-1.2.0-33.el7_4.ppc64le.rpm
rubygem-io-console-0.4.2-33.el7_4.ppc64le.rpm
rubygem-json-1.7.7-33.el7_4.ppc64le.rpm
rubygem-psych-2.0.0-33.el7_4.ppc64le.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
ruby-doc-2.0.0.648-33.el7_4.noarch.rpm
rubygem-minitest-4.3.2-33.el7_4.noarch.rpm
rubygem-rake-0.9.6-33.el7_4.noarch.rpm
rubygems-devel-2.0.14.1-33.el7_4.noarch.rpm

ppc64:
ruby-debuginfo-2.0.0.648-33.el7_4.ppc64.rpm
ruby-devel-2.0.0.648-33.el7_4.ppc64.rpm
ruby-tcltk-2.0.0.648-33.el7_4.ppc64.rpm

ppc64le:
ruby-debuginfo-2.0.0.648-33.el7_4.ppc64le.rpm
ruby-devel-2.0.0.648-33.el7_4.ppc64le.rpm
ruby-tcltk-2.0.0.648-33.el7_4.ppc64le.rpm

s390x:
ruby-debuginfo-2.0.0.648-33.el7_4.s390x.rpm
ruby-devel-2.0.0.648-33.el7_4.s390x.rpm
ruby-tcltk-2.0.0.648-33.el7_4.s390x.rpm

x86_64:
ruby-debuginfo-2.0.0.648-33.el7_4.x86_64.rpm
ruby-devel-2.0.0.648-33.el7_4.x86_64.rpm
ruby-tcltk-2.0.0.648-33.el7_4.x86_64.rpm

Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7):

aarch64:
ruby-debuginfo-2.0.0.648-33.el7_4.aarch64.rpm
ruby-devel-2.0.0.648-33.el7_4.aarch64.rpm
ruby-tcltk-2.0.0.648-33.el7_4.aarch64.rpm

noarch:
ruby-doc-2.0.0.648-33.el7_4.noarch.rpm
rubygem-minitest-4.3.2-33.el7_4.noarch.rpm
rubygem-rake-0.9.6-33.el7_4.noarch.rpm
rubygems-devel-2.0.14.1-33.el7_4.noarch.rpm

ppc64le:
ruby-debuginfo-2.0.0.648-33.el7_4.ppc64le.rpm
ruby-devel-2.0.0.648-33.el7_4.ppc64le.rpm
ruby-tcltk-2.0.0.648-33.el7_4.ppc64le.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
ruby-2.0.0.648-33.el7_4.src.rpm

noarch:
ruby-irb-2.0.0.648-33.el7_4.noarch.rpm
rubygem-rdoc-4.0.0-33.el7_4.noarch.rpm
rubygems-2.0.14.1-33.el7_4.noarch.rpm

x86_64:
ruby-2.0.0.648-33.el7_4.x86_64.rpm
ruby-debuginfo-2.0.0.648-33.el7_4.i686.rpm
ruby-debuginfo-2.0.0.648-33.el7_4.x86_64.rpm
ruby-libs-2.0.0.648-33.el7_4.i686.rpm
ruby-libs-2.0.0.648-33.el7_4.x86_64.rpm
rubygem-bigdecimal-1.2.0-33.el7_4.x86_64.rpm
rubygem-io-console-0.4.2-33.el7_4.x86_64.rpm
rubygem-json-1.7.7-33.el7_4.x86_64.rpm
rubygem-psych-2.0.0-33.el7_4.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
ruby-doc-2.0.0.648-33.el7_4.noarch.rpm
rubygem-minitest-4.3.2-33.el7_4.noarch.rpm
rubygem-rake-0.9.6-33.el7_4.noarch.rpm
rubygems-devel-2.0.14.1-33.el7_4.noarch.rpm

x86_64:
ruby-debuginfo-2.0.0.648-33.el7_4.x86_64.rpm
ruby-devel-2.0.0.648-33.el7_4.x86_64.rpm
ruby-tcltk-2.0.0.648-33.el7_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
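
To confirm that a host already carries the fixed build, the installed EVR reported by `rpm -q ruby` (with the leading package name and trailing architecture stripped) can be compared against the version in the package list above. The following added Ruby example, not code from the advisory, Red Hat or the rpm project, implements the rpmvercmp ordering (the `^` rule of newer rpm releases is omitted) and the epoch:version-release comparison; `FIXED_RUBY` is taken from this advisory, the function names are assumptions.

```ruby
# Added example: RPM version ordering, used to decide whether an installed
# ruby package is at or above the build shipped in RHSA-2018:0378.

FIXED_RUBY = "2.0.0.648-33.el7_4"  # from this advisory's package list

# Modelled on rpm's rpmvercmp: compare alnum segments left to right, numeric
# segments beat alphabetic ones, "~" sorts before anything (pre-releases).
def rpmvercmp(a, b)
  one, two = a.dup, b.dup
  return 0 if one == two
  loop do
    one.sub!(/\A[^a-zA-Z0-9~]+/, "")   # drop separators such as "." or "_"
    two.sub!(/\A[^a-zA-Z0-9~]+/, "")
    if one.start_with?("~") || two.start_with?("~")
      return 1  unless one.start_with?("~")
      return -1 unless two.start_with?("~")
      one.slice!(0); two.slice!(0)
      next
    end
    break if one.empty? || two.empty?
    if one =~ /\A\d/
      s1 = one.slice!(/\A\d+/); s2 = two.slice!(/\A\d+/)
      return 1 if s2.nil?                       # numeric beats alpha
      s1 = s1.sub(/\A0+/, ""); s2 = s2.sub(/\A0+/, "")
      c = (s1.length <=> s2.length).nonzero? || (s1 <=> s2)
    else
      s1 = one.slice!(/\A[a-zA-Z]+/); s2 = two.slice!(/\A[a-zA-Z]+/)
      return -1 if s2.nil?                      # alpha loses to numeric
      c = s1 <=> s2
    end
    return c unless c == 0
  end
  return 0 if one.empty? && two.empty?
  one.empty? ? -1 : 1                           # leftover segments win
end

# Split "epoch:version-release" into its parts; a missing epoch means 0.
def parse_evr(evr)
  epoch, rest = evr.include?(":") ? evr.split(":", 2) : ["0", evr]
  version, release = rest.split("-", 2)
  [epoch, version, release || ""]
end

def evr_cmp(a, b)
  ea, va, ra = parse_evr(a)
  eb, vb, rb = parse_evr(b)
  c = rpmvercmp(ea, eb); return c unless c == 0
  c = rpmvercmp(va, vb); return c unless c == 0
  rpmvercmp(ra, rb)
end

# True when the installed EVR is at or above the fixed build.
def ruby_fixed?(installed_evr)
  evr_cmp(installed_evr, FIXED_RUBY) >= 0
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample values; a real check would use the output of rpm -q.
  ["2.0.0.648-30.el7", "2.0.0.648-33.el7_4", "1:2.0.0.648-30.el7"].each do |evr|
    puts "#{evr}: #{ruby_fixed?(evr) ? 'fixed' : 'VULNERABLE'}"
  end
end
```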

7. References:

https://access.redhat.com/security/cve/CVE-2017-0898
https://access.redhat.com/security/cve/CVE-2017-0899
https://access.redhat.com/security/cve/CVE-2017-0900
https://access.redhat.com/security/cve/CVE-2017-0901
https://access.redhat.com/security/cve/CVE-2017-0902
https://access.redhat.com/security/cve/CVE-2017-0903
https://access.redhat.com/security/cve/CVE-2017-10784
https://access.redhat.com/security/cve/CVE-2017-14033
https://access.redhat.com/security/cve/CVE-2017-14064
https://access.redhat.com/security/cve/CVE-2017-17405
https://access.redhat.com/security/cve/CVE-2017-17790
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
