oss-sec mailing list archives
Re: CVE Request: Ruby safe level bypasses
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 03 Oct 2012 13:48:14 -0600
On 10/02/2012 04:32 PM, Tyler Hicks wrote:
> Hello -
>
> Upstream Ruby has fixed[1] exception methods that incorrectly allowed safe level bypasses. These bypasses allowed untainted strings to be modified by untrusted code in safe level 4.
>
> Note that the changes to exc_to_s() and name_err_to_s(), in error.c, are similar to the fix for CVE-2011-1005, but the Ruby advisory[2] made it clear that Ruby 1.9.x was not affected by CVE-2011-1005. It turns out that the vulnerability was later reintroduced to Ruby's trunk in revision 29456. Ruby 1.9.3-p0 and later is affected.
>
> While Shugo Maeda was fixing the issue above, he noticed that name_err_mesg_to_str() had a similar flaw. Ruby 1.8.x, along with 1.9.3-p0 and later is affected.
>
> I believe that these issues need two separate CVEs. Both issues are fixed in the same upstream patch[1]. Could you please allocate ids?
>
> Thanks,
> Tyler
>
> [1] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
> [2] http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/
Please use CVE-2012-4464 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993