oss-sec mailing list archives

CVE Request -- ruby (1.8.x with patched CVE-2011-1005): Incomplete fix for CVE-2011-1005 for NameError#to_s method when used on objects

From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 5 Oct 2012 11:26:14 -0400 (EDT)

Hello Kurt, Steve, vendors,

  Originally, Common Vulnerabilities and Exposures assigned
an identifier of CVE-2011-1005 to the following vulnerability:

The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7
through 1.8.7-330, and 1.8.8dev allows context-dependent
attackers to modify strings via the Exception#to_s method,
as demonstrated by changing an intended pathname.

with the following upstream patch:
[1] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?revision=30903&view=revision

Based on later upstream patch for different (CVE-2012-4464 and CVE-2012-4466) issues:
[2] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068

it was found that original upstream 1.8.x ruby patch for CVE-2011-1005
issue was not complete, when the NameError#to_s() method was used on /
with Ruby objects (the test logic in 'test_to_s_taintness_propagation'
test from [1] was actually reversed {Hint: Compare the test for Ruby
Object cases in both [1] and [2]}, so the test returned success also
on still vulnerable instances).

A different vulnerability than CVE-2011-1005, CVE-2012-4464, and CVE-2012-4466.

References:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=863484

This issue was discovered by Vit Ondruch of Red Hat.

Ruby Security Team previously in a private email to Vit confirmed
(still) presence of this issue on ruby 1.8.7 versions and provided
a patch for it:
<snip>
The behavior of SVN trunk is correct.

The fix for CVE-2011-1005 was insufficient, and NameError#to_s has a
problem in 1.8.7.

Please apply the attached patch for 1.8.7.

-- Shugo Maeda

error.c.diff

--- error.c.orig        2012-10-04 23:26:42.000611741 +0900
+++ error.c     2012-10-04 23:26:48.960524245 +0900
@@ -665,9 +665,6 @@
 
     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
     StringValue(str);
-    if (str != mesg) {
-       OBJ_INFECT(str, mesg);
-    }
     return str;
 }

</snip>

Could you allocate a CVE identifier to this (for those package versions,
which have applied patch for originally CVE-2011-1005 already)?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Current thread:

CVE Request -- ruby (1.8.x with patched CVE-2011-1005): Incomplete fix for CVE-2011-1005 for NameError#to_s method when used on objects Jan Lieskovsky (Oct 05)
- Re: CVE Request -- ruby (1.8.x with patched CVE-2011-1005): Incomplete fix for CVE-2011-1005 for NameError#to_s method when used on objects Kurt Seifried (Oct 05)