oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: patch sets for recent ruby vulnerabilities

From: Jamie Strandboge <jamie () canonical com>
Date: Mon, 30 Jun 2008 17:54:01 -0400
Passing this along from the ruby developers. I asked for comments
regarding the regressions, but did not get any, but the commit to
string.c on 2008/06/22 (ie after the announcement) is probably part of
that. These commits are what I thought were the commits, but there was
so much confusion at [1] and [2] that I went straight to the developers
for confirmation.

Hope this helps.

Jamie

[1] http://www.ruby-forum.com/topic/157034
[2] http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security-vulnerabilities

On Wed, 25 Jun 2008, Shugo Maeda wrote:


Hello,

2008/6/25 Jamie Strandboge <jamie () canonical com>:

Can you provide more details on the vulnerabilities as well as what files
and commits pertain to these issues? If you don't mind, I would like to
forward this information to the vendor-sec mailing list as well, so the
other vendors can patch their distributions.


The following commits pertain to the vulnerabilities.  The SVN repository
is at http://svn.ruby-lang.org/repos/ruby/.
Please forward this information to the vendor-sec.

------------------------------------------------------------------------
r17530 | nobu | 2008-06-22 07:16:45 +0900 (Sun, 22 Jun 2008) | 2 lines
Changed paths:
   M /branches/ruby_1_8/ChangeLog
   M /branches/ruby_1_8/string.c

* string.c (str_buf_cat): check for self concatenation.

------------------------------------------------------------------------
r17483 | nobu | 2008-06-20 18:16:03 +0900 (Fri, 20 Jun 2008) | 2 lines
Changed paths:
   M /branches/ruby_1_8/ChangeLog
   M /branches/ruby_1_8/string.c

* string.c (rb_str_buf_append): should infect.

------------------------------------------------------------------------
r17472 | nobu | 2008-06-20 15:42:07 +0900 (Fri, 20 Jun 2008) | 5 lines
Changed paths:
   M /branches/ruby_1_8/array.c
   M /branches/ruby_1_8/string.c
   M /trunk/array.c
   M /trunk/string.c

* array.c (rb_ary_store, rb_ary_splice): not depend on unspecified
  behavior at integer overflow.

* string.c (str_buf_cat): ditto.

------------------------------------------------------------------------
r17471 | nobu | 2008-06-20 15:40:10 +0900 (Fri, 20 Jun 2008) | 5 lines
Changed paths:
   M /branches/ruby_1_8/ChangeLog
   M /trunk/ChangeLog

* array.c (rb_ary_store, rb_ary_splice): not depend on unspecified
  behavior at integer overflow.

* string.c (str_buf_cat): ditto.

------------------------------------------------------------------------
r17460 | shyouhei | 2008-06-20 08:12:46 +0900 (Fri, 20 Jun 2008) | 13 lines
Changed paths:
   M /branches/ruby_1_8/ChangeLog
   M /branches/ruby_1_8/array.c
   M /branches/ruby_1_8/intern.h
   M /branches/ruby_1_8/sprintf.c
   M /branches/ruby_1_8/string.c
   M /branches/ruby_1_8_5/ChangeLog
   M /branches/ruby_1_8_5/array.c
   M /branches/ruby_1_8_5/intern.h
   M /branches/ruby_1_8_5/sprintf.c
   M /branches/ruby_1_8_5/string.c
   M /branches/ruby_1_8_5/version.h
   M /branches/ruby_1_8_6/ChangeLog
   M /branches/ruby_1_8_6/array.c
   M /branches/ruby_1_8_6/intern.h
   M /branches/ruby_1_8_6/sprintf.c
   M /branches/ruby_1_8_6/string.c
   M /branches/ruby_1_8_6/version.h
   M /branches/ruby_1_8_7/ChangeLog
   M /branches/ruby_1_8_7/array.c
   M /branches/ruby_1_8_7/intern.h
   M /branches/ruby_1_8_7/sprintf.c
   M /branches/ruby_1_8_7/string.c
   M /branches/ruby_1_8_7/version.h
   M /trunk/ChangeLog
   M /trunk/array.c
   M /trunk/string.c

* array.c (ary_new, rb_ary_initialize, rb_ary_store,
  rb_ary_aplice, rb_ary_times): integer overflows should be
  checked. based on patches from Drew Yao <ayao at apple.com>
  fixed CVE-2008-2726

* string.c (rb_str_buf_append): fixed unsafe use of alloca,
  which led memory corruption. based on a patch from Drew Yao
  <ayao at apple.com> fixed CVE-2008-2726

* sprintf.c (rb_str_format): backported from trunk.

* intern.h: ditto.


-- 
Shugo Maeda


-- 
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/

Attachment: signature.asc
Description: Digital signature

Previous By Date Next
Previous By Thread Next

Current thread: