Bug 1491866 (CVE-2017-14033)

Summary: CVE-2017-14033 ruby: Buffer underrun in OpenSSL ASN1 decode
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bkearney, cbillett, cbuissar, ccoleman, cpelland, dajohnso, dclarizi, dedgar, dmcphers, gblomqui, gmccullo, gtanzill, hhorak, hhudgeon, jfrey, jgoulding, jhardy, jorton, jprause, kseifried, mmorsi, mtasaka, obarenbo, roliveri, ruby-maint, simaishi, s, strzibny, tomckay, vanmeeuwen+fedora, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ruby 2.2.8, ruby 2.3.5, ruby 2.4.0 Doc Type: If docs needed, set a value
Doc Text:
It was found that the decode method of the OpenSSL::ASN1 module was vulnerable to buffer underrun. An attacker could pass a specially crafted string to the application in order to crash the ruby interpreter, causing a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-19 12:15:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1492016, 1492017, 1509448, 1509449, 1534437, 1534438, 1534937, 1534941    
Bug Blocks: 1492024    

Description Pedro Sampaio 2017-09-14 21:29:20 UTC 
There is a buffer underrun vulnerability in OpenSSL bundled by Ruby. If a malicious string is passed to the decode method of OpenSSL::ASN1, buffer underrun may be caused and the Ruby interpreter may crash.

References:

https://bugzilla.novell.com/show_bug.cgi?id=1058757
https://www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/
Comment 1 Adam Mariš 2017-09-15 09:37:17 UTC 
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1492016]


Created ruby193-ruby tracking bugs for this issue:

Affects: openshift-1 [bug 1492017]
Comment 2 Fedora Update System 2017-10-02 14:25:07 UTC 
ruby-2.4.2-84.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Cedric Buissart 2017-12-04 14:39:38 UTC 
It appears that CVE-2017-14033 corresponds to a vulnerability reported via https://hackerone.com/reports/170316  (currently private).

The corresponding upstream fix in ruby-openssl:
is https://github.com/ruby/openssl/commit/1648afef33c1d97fb203c82291b8a61269e85d3b

ruby-openssl v2.0.0, which contains the fix, was pulled in ruby-2.4.0, via the following commit:
https://github.com/ruby/ruby/commit/aab0d67a1ff5190ff7a951e40cee742210302aed

Thus it seems that, unlike stated upstream, ruby-2.4.0 isn't vulnerable to CVE-2017-14033
Comment 7 Cedric Buissart 2017-12-19 11:14:54 UTC 
External References:

https://www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/
Comment 8 Cedric Buissart 2017-12-19 12:15:20 UTC 
Statement:

This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5 and 6, and the versions of rh-ruby24-ruby.

This issue affects the versions of ruby as shipped with Red Hat Enterprise Linux 7 and the versions of rh-ruby22-ruby and rh-ruby23-ruby as shipped with Red Hat Software Collections 3. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 11 errata-xmlrpc 2018-02-28 20:02:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0378 https://access.redhat.com/errata/RHSA-2018:0378
Comment 13 errata-xmlrpc 2018-03-26 09:45:15 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0583 https://access.redhat.com/errata/RHSA-2018:0583
Comment 14 errata-xmlrpc 2018-03-26 10:23:21 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0585 https://access.redhat.com/errata/RHSA-2018:0585