Bug 2133689 (CVE-2016-2338)

Summary: CVE-2016-2338 ruby: heap buffer overflow in the Psych::Emitter start_document function
Product: [Other] Security Response Reporter: Sandipan Roy <saroy>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: caswilli, hhorak, jaruga, jburrell, jorton, jprokop, kaycoth, mo, mtasaka, pvalena, ruby-maint, ruby-packagers-sig, s, strzibny, vanmeeuwen+fedora, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An exploitable heap overflow vulnerability was found in the Psych::Emitter start_document function of Ruby. In Psych::Emitter start_document function heap buffer "head" allocation is made based on the tags array length. A specially constructed object passed as elements of tags array can increase this array size after mentioned allocation, causing a heap overflow.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2133737, 2133738, 2133739, 2133740    
Bug Blocks: 2130851    

Description Sandipan Roy 2022-10-11 07:54:29 UTC 
An exploitable heap overflow vulnerability exists in the Psych::Emitter start_document function of Ruby. In Psych::Emitter start_document function heap buffer "head" allocation is made based on tags array length. Specially constructed object passed as element of tags array can increase this array size after mentioned allocation and cause heap overflow.

https://lists.debian.org/debian-lts-announce/2020/03/msg00032.html
http://www.talosintelligence.com/reports/TALOS-2016-0032/
Comment 1 Sandipan Roy 2022-10-11 09:06:42 UTC 
Created ruby tracking bugs for this issue:

Affects: fedora-35 [bug 2133737]
Affects: fedora-36 [bug 2133740]


Created ruby:2.7/ruby tracking bugs for this issue:

Affects: fedora-35 [bug 2133738]


Created ruby:3.0/ruby tracking bugs for this issue:

Affects: fedora-35 [bug 2133739]
Comment 3 Sandipan Roy 2022-10-13 06:59:34 UTC 
Upstream Patch: https://github.com/ruby/ruby/commit/cc0313436160b735a3d41361cb5e3eeb10fcbdad
Comment 4 Jun Aruga 2022-12-08 10:37:32 UTC 
https://www.cvedetails.com/cve/CVE-2016-2338
(In reply to Sandipan Roy from comment #3)
> Upstream Patch:
> https://github.com/ruby/ruby/commit/cc0313436160b735a3d41361cb5e3eeb10fcbdad
> 
> v3_2_0_rc1 v3_2_0_preview3 v3_2_0_preview2 v3_2_0_preview1 v3_1_3 v3_1_2 v3_1_1 v3_1_0 v3_1_0_preview1 v3_0_5 v3_0_4 v3_0_3 v3_0_2 v3_0_1 v3_0_0 v3_0_0_rc2 v3_0_0_rc1 v3_0_0_preview2 v3_0_0_preview1 v2_7_7 v2_7_6 v2_7_5 v2_7_4 v2_7_3 v2_7_2 v2_7_1 v2_7_0 v2_7_0_rc2 v2_7_0_rc1 v2_7_0_preview3 v2_7_0_preview2 v2_7_0_preview1 v2_6_10 v2_6_9 v2_6_8 v2_6_7 v2_6_6 v2_6_5 v2_6_4 v2_6_3 v2_6_2 v2_6_1 v2_6_0 v2_6_0_rc2 v2_6_0_rc1 v2_6_0_preview3 v2_6_0_preview2 v2_6_0_preview1 v2_5_9 v2_5_8 v2_5_7 v2_5_6 v2_5_5 v2_5_4 v2_5_3 v2_5_2 v2_5_1 v2_5_0 v2_5_0_rc1 v2_5_0_preview1 v2_4_10 v2_4_9 v2_4_8 v2_4_7 v2_4_6 v2_4_5 v2_4_4 v2_4_3 v2_4_2 v2_4_1 v2_4_0 v2_4_0_rc1 v2_4_0_preview3 v2_4_0_preview2 v2_4_0_preview1 v2_3_8 v2_3_7 v2_3_6 v2_3_5 v2_3_4 v2_3_3 v2_3_2 v2_3_1 v2_3_0 

Seeing the commit, this CVE is basically fixed in Ruby >= 2.3.0.