oss-sec mailing list archives
Re: CVE request: Two ruby 'dl' vulnerabilities fixed in ruby-1.9.1-p129
From: Reed Loden <reed () reedloden com>
Date: Wed, 29 Jul 2015 14:48:17 -0700
On Tue, Jul 28, 2015 at 5:27 AM, <cve-assign () mitre org> wrote:
>> * DL::Function#call could pass tainted arguments to a C function even if $SAFE > 0.
>> https://github.com/ruby/ruby/commit/7269e3de3cee3bbb6ab77fc708f3a10cab00b65e
>>
>> These seem to be different issues than CVE-2008-3657.
>
> Please clarify what research you have done to reach this conclusion for the DL::Function#call issue. Finding information about vulnerabilities with different dates does not always mean that separate CVE IDs are used. For example, if a 2008 patch was ineffective in the sense that it did not actually fix any aspect of a CVE-2008-xxxx vulnerability, and then an effective patch and a new advisory were produced in 2009, the previously assigned CVE-2008-xxxx ID would continue to be used - there would not be a new CVE-2009-yyyy ID.
>
> The available information about CVE-2008-3657 includes the "Lack of taintness check in dl" section of https://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/ with "dl doesn't check taintness ... This vulnerability was reported by sheepman" and "Please upgrade to ... 1.8.7-p72." See the ftp://ftp.ruby-lang.org/pub/ruby/1.8/ archives. Comparing ext/dl/sym.c between p71 and p72 shows a new rb_check_safe_obj(pval) line in rb_dlsym_call. Comparing ext/dl/dl.c between p71 and p72 shows new instances of OBJ_INFECT, among other changes.
>
> The 2009 commit mentions "Patch by sheepman" and a change to a .rb file (no changes to any .c file). Is the 2009 issue a new issue because it is specific to a "tainted arguments to a C function" attack, and the 2008 patch correctly resolved the 2008 test case involving uname?
Sorry, not a Ruby developer, so not really able to give an authoritative answer here (cc'ing security () ruby-lang org to see if they can help). I am just trying to track all Ruby vulnerabilities for inclusion into https://github.com/rubysec/ruby-advisory-db, and I noticed those never had CVEs assigned (yet the Ruby devs considered them security issues).

To help with this, here is the 2008 diff -- https://github.com/ruby/ruby/commit/48c7bb17de234f881b775128b354715ece973415

Hopefully, one of the Ruby core devs can jump in here and give a better answer.

~reed
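The check the thread is discussing, illustrated as an added example (not code from this thread, from the Ruby project, or from either patch): the 2008 fix made dl refuse to hand a tainted Ruby object to native code when $SAFE > 0 (the rb_check_safe_obj guard in rb_dlsym_call), and the 2009 report is that DL::Function#call still let such arguments through. Current Ruby has removed both $SAFE and Object#taint, so the block below stands in for them with an explicit, identity-keyed taint table of its own (the Taint module, the GuardedNativeFunction class, its level: option and the "untrusted" sample string are all constructed for this illustration), and it uses Fiddle, dl's successor in the standard library, to reach a real C function (libc strlen) so the guard sits where the original one did, between Ruby arguments and the native call.

```ruby
require 'fiddle'

# Simulated taint tracking. Ruby no longer ships Object#taint or $SAFE, so this
# module is an illustrative stand-in for them, not the interpreter's mechanism.
module Taint
  @tainted = {}.compare_by_identity

  # Record that an object came from an untrusted source (user input, network, ...).
  def self.mark(obj)
    @tainted[obj] = true
    obj
  end

  def self.tainted?(obj)
    @tainted.key?(obj)
  end
end

# Thin wrapper around Fiddle::Function that refuses to pass untrusted arguments
# to native code when the (simulated) safe level is above zero. This is the
# policy the rb_check_safe_obj guard enforces; the class itself is an
# assumption made for this example.
class GuardedNativeFunction
  def initialize(symbol, arg_types, ret_type, level: 1)
    handle = Fiddle::Handle.new            # the running process; libc is already loaded
    @func  = Fiddle::Function.new(handle[symbol], arg_types, ret_type)
    @level = level                         # stand-in for $SAFE
  end

  def call(*args)
    if @level > 0
      args.each do |arg|
        if Taint.tainted?(arg)
          raise SecurityError, "Insecure operation: tainted argument #{arg.inspect}"
        end
      end
    end
    @func.call(*args)
  end
end

STRLEN_ARGS = [Fiddle::TYPE_VOIDP]
STRLEN_RET  = Fiddle::TYPE_SIZE_T

# A literal built by the program itself is trusted and goes straight to strlen(3).
def trusted_length
  GuardedNativeFunction.new('strlen', STRLEN_ARGS, STRLEN_RET).call(String.new('hello'))
end

# Constructed "network" input, marked tainted: with the guard active it must be
# rejected before the C function ever sees the pointer.
def untrusted_length
  input = Taint.mark(String.new('hello from the network'))
  GuardedNativeFunction.new('strlen', STRLEN_ARGS, STRLEN_RET).call(input)
rescue SecurityError => e
  e.class
end

# With level 0 (the $SAFE == 0 case) the same tainted input is allowed through,
# which is exactly the behaviour the unpatched code showed at every level.
def unguarded_length
  input = Taint.mark(String.new('hello from the network'))
  GuardedNativeFunction.new('strlen', STRLEN_ARGS, STRLEN_RET, level: 0).call(input)
end
```

The guard is deliberately placed in the wrapper's call path rather than at construction time: the 2009 report was precisely that a taint check existed somewhere in dl but not on the path DL::Function#call actually used, so any such check has to run against every argument of every call.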
Current thread:
- CVE request: Two ruby 'dl' vulnerabilities fixed in ruby-1.9.1-p129 Reed Loden (Jul 28)
- Re: CVE request: Two ruby 'dl' vulnerabilities fixed in ruby-1.9.1-p129 cve-assign (Jul 28)
- Re: CVE request: Two ruby 'dl' vulnerabilities fixed in ruby-1.9.1-p129 Reed Loden (Jul 29)
- Re: CVE request: Two ruby 'dl' vulnerabilities fixed in ruby-1.9.1-p129 Jan Rusnacko (Jul 28)
- Re: CVE request: Two ruby 'dl' vulnerabilities fixed in ruby-1.9.1-p129 Reed Loden (Jul 29)
- Re: CVE request: Two ruby 'dl' vulnerabilities fixed in ruby-1.9.1-p129 cve-assign (Jul 28)