oss-sec mailing list archives
CVE Request -- ruby (1.8.x with patched CVE-2011-1005): Incomplete fix for CVE-2011-1005 for NameError#to_s method when used on objects
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 5 Oct 2012 11:26:14 -0400 (EDT)
Hello Kurt, Steve, vendors,

Originally, Common Vulnerabilities and Exposures assigned an identifier of CVE-2011-1005 to the following vulnerability:

The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.

with the following upstream patch:
[1] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?revision=30903&view=revision

Based on a later upstream patch for different issues (CVE-2012-4464 and CVE-2012-4466):
[2] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068

it was found that the original upstream 1.8.x Ruby patch for the CVE-2011-1005 issue was not complete when the NameError#to_s() method was used on / with Ruby objects (the test logic in the 'test_to_s_taintness_propagation' test from [1] was actually reversed {Hint: compare the test for the Ruby Object cases in both [1] and [2]}, so the test returned success also on still vulnerable instances).

A different vulnerability than CVE-2011-1005, CVE-2012-4464, and CVE-2012-4466.

References:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=863484

This issue was discovered by Vit Ondruch of Red Hat.

The Ruby Security Team previously, in a private email to Vit, confirmed the (still) present issue on ruby 1.8.7 versions and provided a patch for it:

<snip>
The behavior of SVN trunk is correct. The fix for CVE-2011-1005 was insufficient, and NameError#to_s has a problem in 1.8.7. Please apply the attached patch for 1.8.7.

-- 
Shugo Maeda

error.c.diff
--- error.c.orig 2012-10-04 23:26:42.000611741 +0900
+++ error.c 2012-10-04 23:26:48.960524245 +0900
@@ -665,9 +665,6 @@ if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc)); StringValue(str); - if (str != mesg) { - OBJ_INFECT(str, mesg); - } return str; }
</snip>

Could you allocate a CVE identifier to this (for those package versions which have already applied the patch for the original CVE-2011-1005)?

Thank you && Regards, Jan.

-- 
Jan iankko Lieskovsky / Red Hat Security Response Team
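Review bot: the patch changes only error.c, removing the `if (str != mesg) { OBJ_INFECT(str, mesg); }` block so that NameError#to_s no longer copies the message object's taint onto the string produced by `StringValue(str)`, but it ships no test change even though the message above says the Object cases of 'test_to_s_taintness_propagation' from [1] were reversed and passed on still-vulnerable builds; the 1.8.7 backport should carry the corrected test from [2] alongside this hunk, otherwise nothing in the suite verifies that the removed taint propagation is actually gone.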