StarlingX

CVE-2018-1000076: rubygems: Improper verification of signatures in tarball allows to install mis-signed gem

Bug #1849195 reported by Bruce Jones
274
This bug affects 1 person
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
High
Jim Somerville

Bug Description

CVE-2018-1000076
status : fixed
cvss2Score : 7.5
Attack Vector: N
Access Complexity : L
Autentication: N
Availability Impact :P
Affected packages:
['ruby', 'ruby-irb', 'ruby-libs', 'rubygem-bigdecimal', 'rubygem-io-console', 'rubygem-psych', 'rubygem-rdoc', 'rubygems']
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6.
https://nvd.nist.gov/vuln/detail/CVE-2018-1000076

See original description

CVE References

Bruce Jones (brucej)
description: updated
tags: added: stx.security
Bruce Jones (brucej)
Changed in starlingx:
importance: Undecided → High
tags: added: stx.3.0
Revision history for this message
Ghada Khalil (gkhalil) wrote :

This CVE meets the fix criteria for StarlingX. Therefore, it needs to be fixed in master for stx.3.0 and then cherry-picked to r/stx.2.0.

tags: added: stx.2.0
summary: - Fix CVE-2018-1000076
+ CVE-2018-1000076: rubygems: Unsafe Object Deserialization Vulnerability
+ in gem owner allowing arbitrary code execution on specially crafted YAML
Revision history for this message
Ghada Khalil (gkhalil) wrote :

These two launchpads should be addressed together:
https://bugs.launchpad.net/starlingx/+bug/1849203
https://bugs.launchpad.net/starlingx/+bug/1849195

since they affect the same package and are addressed in the same package version. Please link both launchpads to the same gerrit review

summary: - CVE-2018-1000076: rubygems: Unsafe Object Deserialization Vulnerability
- in gem owner allowing arbitrary code execution on specially crafted YAML
+ CVE-2018-1000076: rubygems: Improper verification of signatures in
+ tarball allows to install mis-signed gem
Ghada Khalil (gkhalil)
Changed in starlingx:
status: New → Triaged
Cindy Xie (xxie1)
Changed in starlingx:
assignee: nobody → Cindy Xie (xxie1)
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: Cindy Xie (xxie1) → Jim Somerville (jsomervi)
Ghada Khalil (gkhalil)
information type: Private Security → Public Security
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/695775

Changed in starlingx:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/695775
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=ea25ae6f265f6a9531dd72a8576462a71c3074dc
Submitter: Zuul
Branch: master

commit ea25ae6f265f6a9531dd72a8576462a71c3074dc
Author: Jim Somerville <email address hidden>
Date: Fri Nov 22 16:35:45 2019 -0500

    Uprev ruby and associated gems to subminor ver 36

    All affected packages are moved forward to their -36 version.

    This solves:
    ruby: Unintentional directory traversal by poisoned NULL byte
    in Dir (CVE-2018-8780)
    rubygems: Improper verification of signatures in tarball
    allows to install mis-signed gem (CVE-2018-1000076)

    along with numerous other issues.

    See the announcement link:

    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006124.html

    for more details.

    Note that rubygem-json is moved back to version 1.7.7-36 as it
    should never have been moved to 2.0.2-2 in the first place. That
    appears to have occurred accidentally, taking the package from
    opstools instead of os when moving to CentOS 7.6.

    Change-Id: I732a0ddba6e2aa5ebda0e10f6e633f60c162890c
    Closes-Bug: 1849195
    Closes-Bug: 1849203
    Signed-off-by: Jim Somerville <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (f/centos8)

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/698553

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (f/centos8)
Download full text (8.7 KiB)

Reviewed: https://review.opendev.org/698553
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=202776a187184e536adce99b3b0f0ce1ce04fdee
Submitter: Zuul
Branch: f/centos8

commit 063e29fe2e12a306be51755e994d8eb10b2d3614
Author: VictorRodriguez <email address hidden>
Date: Wed Nov 27 17:39:51 2019 -0600

    Add feature to check if a CVE has an open launchpad

    This change enables the capability to track if a CVE to be fixed already
    has an open launchpad in starlingx: https://bugs.launchpad.net/starlingx/

    This will help the security team to focus on the CVEs that do not
    have a launchpad already open, reducing the overhead of analysis of CVEs
    already presented to the development team.

    Story:2006971

    Change-Id: I494f0221cb52a4bf7ace20d75e067b17c719d749
    Signed-off-by: VictorRodriguez <email address hidden>

commit 1d33f5ae60201a6d1baba026a6503ea43843b3ab
Author: Robin Lu <email address hidden>
Date: Mon Nov 11 16:47:49 2019 +0800

    Update OVMF rpm, due to CVE bug.

    CVE bug: CVE-2019-0160
    The updated rpm is selected from the below link.
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006035.html

    Tests:
    simplex, duplex, multi-node

    Closes-Bug: 1849205

    Change-Id: Ifdbbd82de912488af201f028a65c679acc204ed9
    Signed-off-by: Robin Lu <email address hidden>

commit d964e258beb0c75b5a23ec7db1b523f263db7c9f
Author: Jim Somerville <email address hidden>
Date: Mon Nov 25 15:51:29 2019 -0500

    Uprev ntp to version 4.2.6p5-29.el7

    This solves:
    ntp: Stack-based buffer overflow in ntpq and ntpdc allows
    denial of service or code execution (CVE-2018-12327)

    See the announcement link:

    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006016.html

    for more details.

    Change-Id: Ic92fd6af30bf05c6f40cb6a6c60e0bc3811ff22a
    Partial-Bug: 1849197
    Signed-off-by: Jim Somerville <email address hidden>

commit c75164899fb0d242022338d67144c06be7c5b32f
Author: Robin Lu <email address hidden>
Date: Fri Nov 22 16:08:13 2019 +0800

    Update sudo srpm for CVE bug

    To fix below CVE, we will use sudo-1.8.23-4.el7_7.1.src.rpm
    https://lists.centos.org/pipermail/centos-announce/2019-October/023499.html

    CVE bug: CVE-2019-14287: sudo: can bypass certain policy blacklists

    Closes-Bug: 1852825

    Change-Id: Iaafc053fe6e3b58468b5fa7c47dbc0f61a2d3c44
    Signed-off-by: Robin Lu <email address hidden>

commit ea25ae6f265f6a9531dd72a8576462a71c3074dc
Author: Jim Somerville <email address hidden>
Date: Fri Nov 22 16:35:45 2019 -0500

    Uprev ruby and associated gems to subminor ver 36

    All affected packages are moved forward to their -36 version.

    This solves:
    ruby: Unintentional directory traversal by poisoned NULL byte
    in Dir (CVE-2018-8780)
    rubygems: Improper verification of signatures in tarball
    allows to install mis-signed gem (CVE-2018-1000076)

    along with numerous other issues.

    See the announcement link:

    https://lists.centos.org/pipermail/centos-cr-announce/2019-Augu...

Read more...

tags: added: in-f-centos8
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (r/stx.2.0)

Fix proposed to branch: r/stx.2.0
Review: https://review.opendev.org/699018

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (r/stx.2.0)

Reviewed: https://review.opendev.org/699018
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=f371e28b0ed7eff00a03b33b181ee381e5c1541d
Submitter: Zuul
Branch: r/stx.2.0

commit f371e28b0ed7eff00a03b33b181ee381e5c1541d
Author: Jim Somerville <email address hidden>
Date: Fri Nov 22 16:35:45 2019 -0500

    Uprev ruby and associated gems to subminor ver 36

    All affected packages are moved forward to their -36 version.

    This solves:
    ruby: Unintentional directory traversal by poisoned NULL byte
    in Dir (CVE-2018-8780)
    rubygems: Improper verification of signatures in tarball
    allows to install mis-signed gem (CVE-2018-1000076)

    along with numerous other issues.

    See the announcement link:

    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006124.html

    for more details.

    Note that rubygem-json is moved back to version 1.7.7-36 as it
    should never have been moved to 2.0.2-2 in the first place. That
    appears to have occurred accidentally, taking the package from
    opstools instead of os when moving to CentOS 7.6.

    Change-Id: I732a0ddba6e2aa5ebda0e10f6e633f60c162890c
    Closes-Bug: 1849195
    Closes-Bug: 1849203
    Signed-off-by: Jim Somerville <email address hidden>
    (cherry picked from commit ea25ae6f265f6a9531dd72a8576462a71c3074dc)

Ghada Khalil (gkhalil)
tags: added: in-r-stx20
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.