Bug 1112530 – VUL-0: CVE-2018-16395: ruby19,ruby,ruby2.1: OpenSSL::X509::Name equality check does not work correctly

Bug 1112530 - (CVE-2018-16395) VUL-0: CVE-2018-16395: ruby19,ruby,ruby2.1: OpenSSL::X509::Name equality check does not work correctly

(CVE-2018-16395)
Summary:	VUL-0: CVE-2018-16395: ruby19,ruby,ruby2.1: OpenSSL::X509::Name equality chec...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P2 - High Severity: Normal
Target Milestone:	---
Assigned To:	Marcus Rückert
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/216978/
Whiteboard:	CVSSv3.1:SUSE:CVE-2018-16395:6.8:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2018-10-19 09:09 UTC by Robert Frohl
Modified:	2022-12-14 08:59 UTC (History)
CC List:	10 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Frohl 2018-10-19 09:09:35 UTC

CVE-2018-16395
An instance of OpenSSL::X509::Name contains entities such as CN, C and so on. Some two instances of OpenSSL::X509::Name are equal only when all entities are exactly equal. However, there is a bug that the equality check is not correct if the value of an entity of the argument (right-hand side) starts with the value of the receiver (left-hand side). So, if a malicious X.509 certificate is passed to compare with an existing certificate, there is a possibility to be judged incorrectly that they are equal.

It is strongly recommended for Ruby users to upgrade your Ruby installation or take one of the following workarounds as soon as possible.

upstream patch:
https://github.com/ruby/openssl/commit/f653cfa43f0f20e8c440122ea982382b6228e7f5


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16395
https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/

Comment 1 Robert Frohl 2018-10-19 11:35:41 UTC

Hi Marcus,
my investigation suggests that all codestreams are affected:
- SUSE:SLE-15:Update/ruby
- SUSE:SLE-12:Update/ruby
- SUSE:SLE-12:Update/ruby2.1
- SUSE:SLE-11-SP2:Update/ruby1.9
- SUSE:SLE-11-SP1:Update/ruby

I had the same issue as with bnc#1112532: Manually searching the patch [0] in upstream git, therefor it would be good to verify that I did not miss any other commits.

[0] https://github.com/ruby/openssl/commit/f653cfa43f0f20e8c440122ea982382b6228e7f5

Comment 6 Swamp Workflow Management 2019-07-10 13:13:56 UTC

SUSE-SU-2019:1804-1: An update that solves 21 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1082007,1082008,1082009,1082010,1082011,1082014,1082058,1087433,1087434,1087436,1087437,1087440,1087441,1112530,1112532,1130028,1130611,1130617,1130620,1130622,1130623,1130627,1133790
CVE References: CVE-2017-17742,CVE-2018-1000073,CVE-2018-1000074,CVE-2018-1000075,CVE-2018-1000076,CVE-2018-1000077,CVE-2018-1000078,CVE-2018-1000079,CVE-2018-16395,CVE-2018-16396,CVE-2018-6914,CVE-2018-8777,CVE-2018-8778,CVE-2018-8779,CVE-2018-8780,CVE-2019-8320,CVE-2019-8321,CVE-2019-8322,CVE-2019-8323,CVE-2019-8324,CVE-2019-8325
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ruby2.5-2.5.5-4.3.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ruby2.5-2.5.5-4.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    ruby2.5-2.5.5-4.3.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    ruby2.5-2.5.5-4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 7 Swamp Workflow Management 2019-07-21 10:23:03 UTC

openSUSE-SU-2019:1771-1: An update that solves 21 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1082007,1082008,1082009,1082010,1082011,1082014,1082058,1087433,1087434,1087436,1087437,1087440,1087441,1112530,1112532,1130028,1130611,1130617,1130620,1130622,1130623,1130627,1133790
CVE References: CVE-2017-17742,CVE-2018-1000073,CVE-2018-1000074,CVE-2018-1000075,CVE-2018-1000076,CVE-2018-1000077,CVE-2018-1000078,CVE-2018-1000079,CVE-2018-16395,CVE-2018-16396,CVE-2018-6914,CVE-2018-8777,CVE-2018-8778,CVE-2018-8779,CVE-2018-8780,CVE-2019-8320,CVE-2019-8321,CVE-2019-8322,CVE-2019-8323,CVE-2019-8324,CVE-2019-8325
Sources used:
openSUSE Leap 15.1 (src):    ruby-bundled-gems-rpmhelper-0.0.2-lp151.2.1, ruby2.5-2.5.5-lp151.4.3.1
openSUSE Leap 15.0 (src):    ruby-bundled-gems-rpmhelper-0.0.2-lp150.2.1, ruby2.5-2.5.5-lp150.3.3.1

Comment 9 Swamp Workflow Management 2020-06-09 13:22:57 UTC

SUSE-SU-2020:1570-1: An update that fixes 42 vulnerabilities is now available.

Category: security (important)
Bug References: 1043983,1048072,1055265,1056286,1056782,1058754,1058755,1058757,1062452,1069607,1069632,1073002,1078782,1082007,1082008,1082009,1082010,1082011,1082014,1082058,1087433,1087434,1087436,1087437,1087440,1087441,1112530,1112532,1130611,1130617,1130620,1130622,1130623,1130627,1152990,1152992,1152994,1152995,1171517,1172275
CVE References: CVE-2015-9096,CVE-2016-2339,CVE-2016-7798,CVE-2017-0898,CVE-2017-0899,CVE-2017-0900,CVE-2017-0901,CVE-2017-0902,CVE-2017-0903,CVE-2017-10784,CVE-2017-14033,CVE-2017-14064,CVE-2017-17405,CVE-2017-17742,CVE-2017-17790,CVE-2017-9228,CVE-2017-9229,CVE-2018-1000073,CVE-2018-1000074,CVE-2018-1000075,CVE-2018-1000076,CVE-2018-1000077,CVE-2018-1000078,CVE-2018-1000079,CVE-2018-16395,CVE-2018-16396,CVE-2018-6914,CVE-2018-8777,CVE-2018-8778,CVE-2018-8779,CVE-2018-8780,CVE-2019-15845,CVE-2019-16201,CVE-2019-16254,CVE-2019-16255,CVE-2019-8320,CVE-2019-8321,CVE-2019-8322,CVE-2019-8323,CVE-2019-8324,CVE-2019-8325,CVE-2020-10663
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ruby2.1-2.1.9-19.3.2
SUSE OpenStack Cloud 8 (src):    ruby2.1-2.1.9-19.3.2
SUSE OpenStack Cloud 7 (src):    ruby2.1-2.1.9-19.3.2, yast2-ruby-bindings-3.1.53-9.8.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ruby2.1-2.1.9-19.3.2, yast2-ruby-bindings-3.1.53-9.8.1
SUSE Linux Enterprise Server 12-SP5 (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server 12-SP4 (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ruby2.1-2.1.9-19.3.2, yast2-ruby-bindings-3.1.53-9.8.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ruby2.1-2.1.9-19.3.2, yast2-ruby-bindings-3.1.53-9.8.1
SUSE Enterprise Storage 5 (src):    ruby2.1-2.1.9-19.3.2
HPE Helion Openstack 8 (src):    ruby2.1-2.1.9-19.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 10 Gabriele Sonnu 2022-02-24 16:30:19 UTC

Hi Marcus,

Could you please submit for SUSE:SLE-11-SP1:Update/ruby?

Comment 11 Gianluca Gabrielli 2022-03-30 13:32:53 UTC

Hi Marcus, please submit the missing patch ASAP.

Comment 12 Robert Frohl 2022-05-03 08:05:54 UTC

still missing for:

- SUSE:SLE-11-SP1:Update/ruby

Comment 15 Marcus Rückert 2022-08-25 12:15:59 UTC

iosc rq show -d 278340

Comment 20 Swamp Workflow Management 2022-09-06 16:22:11 UTC

SUSE-SU-2022:15034-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1112530,1188160,1188161
CVE References: CVE-2018-16395,CVE-2021-31810,CVE-2021-32066,CVE-2021-81810
JIRA References: 
Sources used:
SUSE Webyast 1.3 (src):    ruby-1.8.7.p357-0.9.20.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.