Bug 862907 - CVE-2012-4464 CVE-2012-4466 ruby: various flaws [fedora-all]
Summary: CVE-2012-4464 CVE-2012-4466 ruby: various flaws [fedora-all]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: ruby
Version: 17
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Jeroen van Meeuwen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: CVE-2012-4464 CVE-2012-4466
TreeView+ depends on / blocked
 
Reported: 2012-10-03 20:50 UTC by Vincent Danen
Modified: 2012-10-14 04:09 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Release Note
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-10-14 04:09:58 UTC


Attachments (Terms of Use)

Description Vincent Danen 2012-10-03 20:50:23 UTC
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.

For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs).  Please mention the CVE IDs being fixed
in the RPM changelog when available.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=862906

Please note: this issue affects multiple supported versions of Fedora.
Only one tracking bug has been filed; please ensure that it is only closed
when all affected versions are fixed.

[bug automatically created by: add-tracking-bugs]

Comment 1 Vincent Danen 2012-10-03 20:59:20 UTC
This affects F17 and later (not F16).

Comment 2 Jan Lieskovsky 2012-10-04 08:56:13 UTC
Reference CVE-2012-4464 in this one too, since it's the same situation (F-16 not affected, F-17 and later affected). => this bug is from now for both:
1) CVE-2012-4464 and
2) CVE-2012-4466

issues.

Comment 3 Mamoru TASAKA 2012-10-04 13:20:07 UTC
(In reply to comment #1)
> This affects F17 and later (not F16).

"This" means -4464, and -4466 affects F-18,17,16, right?

Comment 4 Jan Lieskovsky 2012-10-04 13:46:10 UTC
(In reply to comment #3)
> (In reply to comment #1)
> > This affects F17 and later (not F16).
> 
> "This" means -4464, and -4466 affects F-18,17,16, right?

1) For CVE-2012-4464 this would affect F-18 and F-17:
  https://bugzilla.redhat.com/show_bug.cgi?id=862598#c2
but not Fedora-16 yet (since we ship 1.8.x based ruby version there),

2) For CVE-2012-4466 this would affect F-18 and F-17, but not F-16. Though this is reported to affected both ruby 1.9.x and ruby 1.8.x versions, I have checked yesterday that F-16 ruby doesn't contain OBJ_INFECT() clause in name_err_mesg_to_str() method yet (which upstream patch:

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068

is fixing. Note: That patch covers both issues / is the same for both of them).

So it's enough to schedule F-18 and F-17 updates for these two.

Comment 5 Fedora Update System 2012-10-04 16:27:07 UTC
ruby-1.9.3.194-18.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/ruby-1.9.3.194-18.fc18

Comment 6 Fedora Update System 2012-10-04 16:27:52 UTC
ruby-1.9.3.194-17.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/ruby-1.9.3.194-17.fc17

Comment 7 Vít Ondruch 2012-10-05 07:33:08 UTC
(In reply to comment #3)
> (In reply to comment #1)
> > This affects F17 and later (not F16).
> 
> "This" means -4464, and -4466 affects F-18,17,16, right?

Hi Mamoru,

I have confirmed from upstream, that the patch you applied to F16 is correct. In other words, 1.8.7 is vulnerable to both CVE-2012-4464 and CVE-2012-4466 as well.

Comment 8 Mamoru TASAKA 2012-10-05 09:10:49 UTC
(In reply to comment #7)
> (In reply to comment #3)
> > (In reply to comment #1)
> > > This affects F17 and later (not F16).
> > 
> > "This" means -4464, and -4466 affects F-18,17,16, right?
> 
> Hi Mamoru,
> 
> I have confirmed from upstream, that the patch you applied to F16 is
> correct. In other words, 1.8.7 is vulnerable to both CVE-2012-4464 and
> CVE-2012-4466 as well.

Okay, thank you for confirming (and asking upstream).

Comment 9 Fedora Update System 2012-10-05 09:54:10 UTC
ruby-1.8.7.358-4.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/ruby-1.8.7.358-4.fc16

Comment 10 Fedora Update System 2012-10-09 00:29:29 UTC
ruby-1.9.3.194-18.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2012-10-14 03:50:42 UTC
ruby-1.9.3.194-17.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2012-10-14 03:52:38 UTC
ruby-1.8.7.358-4.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Mamoru TASAKA 2012-10-14 04:09:58 UTC
Fixed on all Fedora branches.


Note You need to log in before you can comment on or make changes to this bug.