View Issue Details

ID: 0002864
Project: Kali Linux
Category: Kali Package Bug
View Status: public
Last Update: 2020-12-01 10:48
Reporter: justinsteven
Assigned To: rhertzog
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 2.0
Fixed in Version: 2016.1
Summary: 0002864: missing ruby-eventmachine patch, reportedly security-sensitive (select-related stack smashing)
Description

Debian Jessie and Wheezy's ruby-eventmachine packages (1.0.3-6+b2 and 0.12.10-3 respectively) are missing patches for what is said by their upstream to be a remotely exploitable security issue - see https://github.com/eventmachine/eventmachine/issues/501#issuecomment-37307556

The bug was fixed in https://github.com/eventmachine/eventmachine/pull/502, which introduced a memory leak, which was fixed in https://github.com/eventmachine/eventmachine/pull/586

We are seeing stack smashing occur in Kali's beef when configured to use IPv6. See https://github.com/beefproject/beef/issues/1187

Kali Sana's ruby-eventmachine seems to be the same as that of Debian Jessie. Does it track Jessie, and will it automatically get an update from Debian? Alternatively, Debian Stretch's package seems to be patched, though I'm not sure if tracking it and attempting the version jump would break all the things.

An issue on the Debian BTS that is suspected to be related has been bumped - see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678512#26

<[email protected]> has been pinged.

Activities

justinsteven

2015-11-24 07:48

reporter   ~0004270

Sorry, it got lost in my copy-paste-juggle-words that I believe the BeEF crashes are likely related to this eventmachine bug.

rhertzog

2015-11-24 08:53

administrator   ~0004271

Note that the next version of Kali (based on kali-rolling) is based on testing/stretch so should have a correct version of ruby-eventmachine.

And for sana, it basically tracks jessie for security updates, so if the package gets updated in security.debian.org then it will reach security.kali.org as well.

Basically, I don't think we have to do anything right now. Just wait until the fix is merged into Debian.

rhertzog

2016-01-22 08:54

administrator   ~0004553

Kali Rolling 2016.1 has been released and has a newer ruby-eventmachine.

Issue History

Date Modified Username Field Change
2015-11-24 07:42 justinsteven New Issue
2015-11-24 07:48 justinsteven Note Added: 0004270
2015-11-24 08:53 rhertzog Note Added: 0004271
2015-12-04 22:29 alexhj451 Issue cloned: 0002900
2016-01-22 08:54 rhertzog Note Added: 0004553
2016-01-22 08:54 rhertzog Status new => resolved
2016-01-22 08:54 rhertzog Fixed in Version => 2016.1
2016-01-22 08:54 rhertzog Resolution open => fixed
2016-01-22 08:54 rhertzog Assigned To => rhertzog
2020-12-01 10:48 g0tmi1k Priority high => normal