Bug 862907

Summary: CVE-2012-4464 CVE-2012-4466 ruby: various flaws [fedora-all]
Product: [Fedora] Fedora Reporter: Vincent Danen <vdanen>
Component: rubyAssignee: Jeroen van Meeuwen <vanmeeuwen+fedora>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 17CC: bkabrda, jeremy, jlieskov, mmorsi, mtasaka, tagoh, vanmeeuwen+fedora, vondruch
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-10-14 04:09:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 862598, 862614    

Description Vincent Danen 2012-10-03 20:50:23 UTC 
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.

For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs).  Please mention the CVE IDs being fixed
in the RPM changelog when available.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=862906

Please note: this issue affects multiple supported versions of Fedora.
Only one tracking bug has been filed; please ensure that it is only closed
when all affected versions are fixed.

[bug automatically created by: add-tracking-bugs]
Comment 1 Vincent Danen 2012-10-03 20:59:20 UTC 
This affects F17 and later (not F16).
Comment 2 Jan Lieskovsky 2012-10-04 08:56:13 UTC 
Reference CVE-2012-4464 in this one too, since it's the same situation (F-16 not affected, F-17 and later affected). => this bug is from now for both:
1) CVE-2012-4464 and
2) CVE-2012-4466

issues.
Comment 3 Mamoru TASAKA 2012-10-04 13:20:07 UTC 
(In reply to comment #1)
> This affects F17 and later (not F16).

"This" means -4464, and -4466 affects F-18,17,16, right?
Comment 4 Jan Lieskovsky 2012-10-04 13:46:10 UTC 
(In reply to comment #3)
> (In reply to comment #1)
> > This affects F17 and later (not F16).
> 
> "This" means -4464, and -4466 affects F-18,17,16, right?

1) For CVE-2012-4464 this would affect F-18 and F-17:
  https://bugzilla.redhat.com/show_bug.cgi?id=862598#c2
but not Fedora-16 yet (since we ship 1.8.x based ruby version there),

2) For CVE-2012-4466 this would affect F-18 and F-17, but not F-16. Though this is reported to affected both ruby 1.9.x and ruby 1.8.x versions, I have checked yesterday that F-16 ruby doesn't contain OBJ_INFECT() clause in name_err_mesg_to_str() method yet (which upstream patch:

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068

is fixing. Note: That patch covers both issues / is the same for both of them).

So it's enough to schedule F-18 and F-17 updates for these two.
Comment 5 Fedora Update System 2012-10-04 16:27:07 UTC 
ruby-1.9.3.194-18.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/ruby-1.9.3.194-18.fc18
Comment 6 Fedora Update System 2012-10-04 16:27:52 UTC 
ruby-1.9.3.194-17.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/ruby-1.9.3.194-17.fc17
Comment 7 Vít Ondruch 2012-10-05 07:33:08 UTC 
(In reply to comment #3)
> (In reply to comment #1)
> > This affects F17 and later (not F16).
> 
> "This" means -4464, and -4466 affects F-18,17,16, right?

Hi Mamoru,

I have confirmed from upstream, that the patch you applied to F16 is correct. In other words, 1.8.7 is vulnerable to both CVE-2012-4464 and CVE-2012-4466 as well.
Comment 8 Mamoru TASAKA 2012-10-05 09:10:49 UTC 
(In reply to comment #7)
> (In reply to comment #3)
> > (In reply to comment #1)
> > > This affects F17 and later (not F16).
> > 
> > "This" means -4464, and -4466 affects F-18,17,16, right?
> 
> Hi Mamoru,
> 
> I have confirmed from upstream, that the patch you applied to F16 is
> correct. In other words, 1.8.7 is vulnerable to both CVE-2012-4464 and
> CVE-2012-4466 as well.

Okay, thank you for confirming (and asking upstream).
Comment 9 Fedora Update System 2012-10-05 09:54:10 UTC 
ruby-1.8.7.358-4.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/ruby-1.8.7.358-4.fc16
Comment 10 Fedora Update System 2012-10-09 00:29:29 UTC 
ruby-1.9.3.194-18.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2012-10-14 03:50:42 UTC 
ruby-1.9.3.194-17.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2012-10-14 03:52:38 UTC 
ruby-1.8.7.358-4.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Mamoru TASAKA 2012-10-14 04:09:58 UTC 
Fixed on all Fedora branches.