oss-sec mailing list archives
Re: CVE Request -- ruby (1.8.x with patched CVE-2011-1005): Incomplete fix for CVE-2011-1005 for NameError#to_s method when used on objects
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 05 Oct 2012 12:37:52 -0600
On 10/05/2012 09:26 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,

Originally, Common Vulnerabilities and Exposures assigned an identifier of CVE-2011-1005 to the following vulnerability:

The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.

with the following upstream patch:
[1] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?revision=30903&view=revision

Based on a later upstream patch for different (CVE-2012-4464 and CVE-2012-4466) issues:
[2] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068

it was found that the original upstream 1.8.x ruby patch for the CVE-2011-1005 issue was not complete when the NameError#to_s() method was used on / with Ruby objects (the test logic in the 'test_to_s_taintness_propagation' test from [1] was actually reversed {Hint: Compare the test for Ruby Object cases in both [1] and [2]}, so the test returned success also on still vulnerable instances).

A different vulnerability than CVE-2011-1005, CVE-2012-4464, and CVE-2012-4466.

References:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=863484

This issue was discovered by Vit Ondruch of Red Hat.

The Ruby Security Team previously, in a private email to Vit, confirmed the (still) present issue on ruby 1.8.7 versions and provided a patch for it:

<snip>
The behavior of SVN trunk is correct. The fix for CVE-2011-1005 was insufficient, and NameError#to_s has a problem in 1.8.7. Please apply the attached patch for 1.8.7.

-- 
Shugo Maeda

error.c.diff
--- error.c.orig 2012-10-04 23:26:42.000611741 +0900
+++ error.c 2012-10-04 23:26:48.960524245 +0900
@@ -665,9 +665,6 @@ if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc)); StringValue(str); - if (str != mesg) { - OBJ_INFECT(str, mesg); - } return str; }
</snip>

Could you allocate a CVE identifier to this (for those package versions which have applied the patch for the original CVE-2011-1005 already)?

Thank you && Regards, Jan.
-- 
Jan iankko Lieskovsky / Red Hat Security Response Team
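Review bot: the hunk removes the `OBJ_INFECT(str, mesg)` propagation but ships without the regression test that this thread identifies as the root of the problem; since the 'test_to_s_taintness_propagation' test from [1] (r30903) had its Ruby Object case reversed and passed on still-vulnerable builds, the 1.8.7 patch should carry the corrected Object-case test from [2] (r37068) next to the error.c change, otherwise a backport of this one hunk can be verified only by hand. Also worth a sentence in the commit message: from the visible context alone (`StringValue(str); return str;`) a reader sees taint propagation being dropped rather than added, and without an explanation of why the `str != mesg` branch is wrong for NameError#to_s, a later maintainer may be tempted to reinstate it.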
Please use CVE-2012-4481 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993