Bug 1056286 - (CVE-2017-0899) VUL-0: CVE-2017-0899 CVE-2017-0900 CVE-2017-0901 CVE-2017-0902: rubygems,ruby19,ruby2.1: multiple vulnerabilities fixed in 2.6.13
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/191228/
Whiteboard: CVSSv2:SUSE:CVE-2017-0899:7.5:(AV:N/A...
Depends on:
Blocks:
Reported: 2017-08-30 06:01 UTC by Marcus Meissner
Modified: 2022-05-02 10:24 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2017-08-30 06:01:39 UTC
http://blog.rubygems.org/2017/08/27/2.6.13-released.html

2.6.13 Released

by Samuel Giddins

RubyGems 2.6.13 includes security fixes.

To update to the latest RubyGems you can run:

gem update --system

If you need to upgrade or downgrade please follow the how to upgrade/downgrade RubyGems instructions. To install RubyGems by hand see the Download RubyGems page.

Security fixes:

    Fix a DNS request hijacking vulnerability. Discovered by Jonathan Claudius, fix by Samuel Giddins.
    Fix an ANSI escape sequence vulnerability. Discovered by Yusuke Endoh, fix by Evan Phoenix.
    Fix a DoS vulnerability in the query command. Discovered by Yusuke Endoh, fix by Samuel Giddins.
    Fix a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files. Discovered by Yusuke Endoh, fix by Samuel Giddins.

As always, please report any security issues discovered in RubyGems to the RubyGems project on HackerOne.
Comment 1 Marcus Meissner 2017-08-30 09:10:38 UTC
  CVE-2017-0899  ANSI escape issue

  CVE-2017-0900  query command

  CVE-2017-0901  overwrite any file

  CVE-2017-0902  DNS issue
Comment 2 Marcus Meissner 2017-09-01 15:02:07 UTC
CVE-2017-0900:

RubyGems version 2.6.12 and earlier is vulnerable to maliciously
crafted gem specifications to cause a denial of service attack against
RubyGems clients who have issued a `query` command.

Upstream patch:

https://github.com/rubygems/rubygems/commit/8a38a4fc24c6591e6c8f43d1fadab6efeb4d6251

Bug report:

https://hackerone.com/reports/243003
Comment 3 Marcus Meissner 2017-09-01 15:03:44 UTC
CVE-2017-0902:

RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking
vulnerability that allows a MITM attacker to force the RubyGems client
to download and install gems from a server that the attacker controls.

Upstream patches:

https://github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32

Bug report:

https://hackerone.com/reports/218088
Comment 4 Marcus Meissner 2017-09-01 15:06:08 UTC
CVE-2017-0901

RubyGems version 2.6.12 and earlier fails to validate specification
names, allowing a maliciously crafted gem to potentially overwrite any
file on the filesystem.

Upstream patch:

https://github.com/rubygems/rubygems/commit/ad5c0a53a86ca5b218c7976765c0365b91d22cb2

Bug report:

https://hackerone.com/reports/243156
Comment 5 Marcus Meissner 2017-09-01 15:08:07 UTC
CVE-2017-0899

RubyGems version 2.6.12 and earlier is vulnerable to maliciously
crafted gem specifications that include terminal escape characters.
Printing the gem specification would execute terminal escape
sequences.

Upstream patches:

https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1
https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491

Bug report:

https://hackerone.com/reports/226335
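The two specification-handling weaknesses described in Comments 4 and 5 (unvalidated spec names used to build file paths, and unfiltered terminal escape sequences in printed spec fields) come down to input validation on attacker-supplied gem metadata. The following is an added illustration, not RubyGems' own code or the upstream patches: a constructed hostile spec hash, a name check that rejects path separators and names without letters (the exact allowed-character policy is an assumption), and an escape-sequence filter applied before a field reaches the terminal.

```ruby
# Added example, not RubyGems code: the checks a gem client needs for
#  * CVE-2017-0901: the spec name becomes part of on-disk paths, so a name
#    holding "/" or ".." segments must be rejected before installation;
#  * CVE-2017-0899: spec fields are echoed by commands such as `gem spec`,
#    so ANSI/terminal control sequences must be stripped before printing.

# Assumed policy (not necessarily upstream's): letters, digits, ".", "-", "_"
# only, and at least one letter so "." or "--" cannot pass.
VALID_NAME = /\A[a-zA-Z0-9._-]+\z/

def valid_gem_name?(name)
  return false unless name.is_a?(String)
  return false unless name.match?(VALID_NAME)
  name.match?(/[a-zA-Z]/)
end

# Constructed filter: CSI sequences (ESC [ ... final byte), OSC sequences
# (ESC ] ... BEL or ESC \), two-byte ESC sequences, and stray C0 control
# bytes other than tab and newline.
ESCAPE_SEQ = /\e\[[0-9;?]*[ -\/]*[@-~]|\e\][^\a\e]*(?:\a|\e\\)|\e[@-Z\\-_]|[\x00-\x08\x0b-\x1f\x7f]/

def sanitize_for_terminal(text)
  text.to_s.gsub(ESCAPE_SEQ, "")
end

# Constructed hostile specification values, as a gem index could deliver them.
HOSTILE_SPEC = {
  name:    "../../../../home/user/.bashrc",
  summary: "Harmless gem \e[2J\e[H\e[31mlooks like the terminal was wiped\e[0m",
}

# Returns the problems found plus a display-safe copy of the summary.
def check_spec(spec)
  problems = []
  problems << "invalid gem name: #{spec[:name].inspect}" unless valid_gem_name?(spec[:name])
  { problems: problems, summary: sanitize_for_terminal(spec[:summary]) }
end

puts check_spec(HOSTILE_SPEC).inspect
```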
Comment 6 Marcus Meissner 2017-09-01 15:24:25 UTC
CVE-2017-0902: ruby2.1 has the _rubygems multicast DNS lookup, older ones do not.

CVE-2017-0899: no filtering of text from ANSI escape sequences in ruby2.1 and older even.

CVE-2017-0901: also likely all affected.

CVE-2017-0900: lots of data denial of service... likely all.
Comment 7 Bernhard Wiedemann 2017-11-09 15:00:48 UTC
This is an autogenerated message for OBS integration:
This bug (1056286) was mentioned in
https://build.opensuse.org/request/show/540224 Factory / ruby2.4
Comment 8 Bernhard Wiedemann 2017-11-20 11:50:11 UTC
This is an autogenerated message for OBS integration:
This bug (1056286) was mentioned in
https://build.opensuse.org/request/show/543851 Factory / ruby2.4
Comment 15 Swamp Workflow Management 2020-06-09 13:20:34 UTC
SUSE-SU-2020:1570-1: An update that fixes 42 vulnerabilities is now available.

Category: security (important)
Bug References: 1043983,1048072,1055265,1056286,1056782,1058754,1058755,1058757,1062452,1069607,1069632,1073002,1078782,1082007,1082008,1082009,1082010,1082011,1082014,1082058,1087433,1087434,1087436,1087437,1087440,1087441,1112530,1112532,1130611,1130617,1130620,1130622,1130623,1130627,1152990,1152992,1152994,1152995,1171517,1172275
CVE References: CVE-2015-9096,CVE-2016-2339,CVE-2016-7798,CVE-2017-0898,CVE-2017-0899,CVE-2017-0900,CVE-2017-0901,CVE-2017-0902,CVE-2017-0903,CVE-2017-10784,CVE-2017-14033,CVE-2017-14064,CVE-2017-17405,CVE-2017-17742,CVE-2017-17790,CVE-2017-9228,CVE-2017-9229,CVE-2018-1000073,CVE-2018-1000074,CVE-2018-1000075,CVE-2018-1000076,CVE-2018-1000077,CVE-2018-1000078,CVE-2018-1000079,CVE-2018-16395,CVE-2018-16396,CVE-2018-6914,CVE-2018-8777,CVE-2018-8778,CVE-2018-8779,CVE-2018-8780,CVE-2019-15845,CVE-2019-16201,CVE-2019-16254,CVE-2019-16255,CVE-2019-8320,CVE-2019-8321,CVE-2019-8322,CVE-2019-8323,CVE-2019-8324,CVE-2019-8325,CVE-2020-10663
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ruby2.1-2.1.9-19.3.2
SUSE OpenStack Cloud 8 (src):    ruby2.1-2.1.9-19.3.2
SUSE OpenStack Cloud 7 (src):    ruby2.1-2.1.9-19.3.2, yast2-ruby-bindings-3.1.53-9.8.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ruby2.1-2.1.9-19.3.2, yast2-ruby-bindings-3.1.53-9.8.1
SUSE Linux Enterprise Server 12-SP5 (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server 12-SP4 (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ruby2.1-2.1.9-19.3.2, yast2-ruby-bindings-3.1.53-9.8.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ruby2.1-2.1.9-19.3.2, yast2-ruby-bindings-3.1.53-9.8.1
SUSE Enterprise Storage 5 (src):    ruby2.1-2.1.9-19.3.2
HPE Helion Openstack 8 (src):    ruby2.1-2.1.9-19.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Gabriele Sonnu 2022-05-02 10:24:55 UTC
Done.