Bug 1492015 (CVE-2017-0898)

Summary: CVE-2017-0898 ruby: Buffer underrun vulnerability in Kernel.sprintf
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bkearney, cbillett, ccoleman, cpelland, dajohnso, dclarizi, dedgar, dmcphers, gblomqui, gmccullo, gtanzill, hhorak, hhudgeon, jfrey, jgoulding, jhardy, jorton, jprause, kseifried, mmorsi, mtasaka, obarenbo, roliveri, ruby-maint, simaishi, s, strzibny, tomckay, vanmeeuwen+fedora, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20170914,reported=20170914,source=internet,cvss3=6.5/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H,cwe=CWE-122,rhel-5/ruby=notaffected,rhel-6/ruby=notaffected,rhel-7/ruby=affected,cfme-5/rh-ruby22-ruby=notaffected,cfme-5/ruby-200-ruby=notaffected,rhscl-3/rh-ruby23-ruby=affected,rhscl-3/rh-ruby22-ruby=affected,rhscl-3/rh-ruby24-ruby=affected,sam-1/ruby193-ruby=wontfix,openshift-1/ruby193-ruby=affected,fedora-all/ruby=affected
Fixed In Version: ruby 2.2.8, ruby 2.3.5, ruby 2.4.2 Doc Type: If docs needed, set a value
Doc Text:
A buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its format string parameter, could send a specially crafted string that would disclose heap memory or crash the interpreter.
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-20 10:08:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1492016, 1492017, 1509448, 1509449, 1509450, 1509451, 1534437, 1534438, 1534937, 1534941    
Bug Blocks: 1492024    

Description Adam Mariš 2017-09-15 09:34:46 UTC
There is a buffer underrun vulnerability in the sprintf method of Kernel module. If a malicious format string which contains a precious specifier (*) is passed and a huge minus value is also passed to the specifier, buffer underrun may be caused. In such situation, the result may contains heap, or the Ruby interpreter may crash.

External References:

https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/

Comment 1 Adam Mariš 2017-09-15 09:37:37 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1492016]


Created ruby193-ruby tracking bugs for this issue:

Affects: openshift-1 [bug 1492017]

Comment 2 Fedora Update System 2017-10-02 14:24:40 UTC
ruby-2.4.2-84.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 errata-xmlrpc 2017-12-19 08:38:47 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2017:3485 https://access.redhat.com/errata/RHSA-2017:3485

Comment 7 Cedric Buissart 🐶 2017-12-20 10:08:52 UTC
Statement:

This issue affects the versions of ruby as shipped with Red Hat Enterprise Linux 7 and the versions of rh-ruby22-ruby and rh-ruby23-ruby as shipped with Red Hat Software Collections. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 10 errata-xmlrpc 2018-02-28 20:02:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0378 https://access.redhat.com/errata/RHSA-2018:0378

Comment 12 errata-xmlrpc 2018-03-26 09:46:01 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0583 https://access.redhat.com/errata/RHSA-2018:0583

Comment 13 errata-xmlrpc 2018-03-26 10:24:07 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0585 https://access.redhat.com/errata/RHSA-2018:0585