Re: Ruby / OpenSSL security issue

[Ben Woodcroft]

On 01/10/16 03:32, Leo Famulari wrote:
> On Wed, Sep 21, 2016 at 11:19:45AM +1000, Ben Woodcroft wrote:
> > On 21/09/16 05:05, Leo Famulari wrote:
> > > On Tue, Sep 20, 2016 at 03:17:42PM +1000, Ben Woodcroft wrote:
> > > > On 20/09/16 12:06, Leo Famulari wrote:
> > > > > Ruby users,
> > > > >
> > > > > There is a bug report on Ruby's OpenSSL module regarding IV re-use in
> > > > > AES-GCM mode [0].
> > > > >
> > > > > Does anyone volunteer to investigate the bug report and decide what to
> > > > > do about it for our Ruby package?
> > > > Thanks for the report Leo.  I don't think much can be done about this until
> > > > a fix is released, no? It is unfortunately been around since March on that
> > > > GitHub page, hopefully the report on oss-sec will spur some action.
> > > Okay, do you volunteer to track this bug upstream? :)
> > Sure, OK.
> Ping :)
>
> The Ruby developers have committed a fix, apparently:
>
> http://seclists.org/oss-sec/2016/q3/680

Thanks for keeping on top of this. The difficulty is that the fix 
released is not for the bundled openssl that comes with ruby itself, but 
a separate repository.

There is a 'ruby_2_3 branch'[0] where fixes are backported. Do you think 
it would make sense to have a 'ruby-2.3-backports' package as a 
replacement for the 'ruby-2.3' package which tracks the 'ruby_2_3' 
branch? I see there are other fixes in there that probably have security 
implications.

The issue at hand has not yet been backported though, and the patch for 
fixing it does not apply to either the released 2.3.1 or even the 
backport branch. So, we wait, I think. I suspect that my trying to 
backport the patch myself is likely to do more harm than good. WDYT?

ben

[0]: https://github.com/ruby/ruby/tree/ruby_2_3