Bug 9227

Summary: ruby-ruby_parser new security issue CVE-2013-0162
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Funda Wang <fundawang>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: cmrisolde, fundawang, qa-bugs, shikamaru
Version: 2   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/540755/
Whiteboard: feedback
Source RPM: ruby-ruby_parser-2.0.6-1.mga1.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 6487    

Description David Walser 2013-03-01 16:56:31 CET 
RedHat has issued an advisory on February 28:
https://rhn.redhat.com/errata/RHSA-2013-0582.html

Patched packages uploaded for Mageia 2 and Cauldron.


Advisory:
========================

Updated ruby-ruby_parser packages fix security vulnerability:

It was found that ruby_parser from rubygem-ruby_parser created a temporary
file in an insecure way. A local attacker could use this flaw to perform a
symbolic link attack, overwriting arbitrary files accessible to the
application using ruby_parser (CVE-2013-0162).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0162
https://rhn.redhat.com/errata/RHSA-2013-0582.html
========================

Updated packages in core/updates_testing:
========================
ruby-ruby_parser-2.0.6-1.1.mga2
ruby-ruby_parser-doc-2.0.6-1.1.mga2

from ruby-ruby_parser-2.0.6-1.1.mga2.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2013-03-01 16:56:57 CET

Blocks: (none) => 6487

Comment 1 claire robinson 2013-03-02 23:56:25 CET 
I don't think this is working

Before
------
$ irb
irb(main):001:0> require 'ruby_parse'
LoadError: no such file to load -- ruby_parse
        from (irb):1:in `require'
        from (irb):1
        from :0
irb(main):002:0> require 'ruby_parser'
LoadError: no such file to load -- ruby_parser
        from (irb):2:in `require'
        from (irb):2
        from :0
irb(main):003:0> quit

$ rpm -q ruby-ruby_parser
ruby-ruby_parser-2.0.6-1.mga1

After
-----
$ irb
irb(main):001:0> require 'ruby_parser'
LoadError: no such file to load -- ruby_parser
        from (irb):1:in `require'
        from (irb):1
        from :0
irb(main):002:0> quit

$ rpm -q ruby-ruby_parser
ruby-ruby_parser-2.0.6-1.1.mga2

Congratulations to misc for finding the vulnerability.
Comment 2 claire robinson 2013-03-02 23:57:37 CET 
A couple of links to help with testing.

http://blog.rubybestpractices.com/posts/judofyr/sexp-for-rubyists.html

Also one for ruby-ruby2ruby which requires it
http://docs.seattlerb.org/ruby2ruby/
claire robinson 2013-03-02 23:58:43 CET

Whiteboard: (none) => feedback

David Walser 2013-03-03 00:01:12 CET

CC: (none) => shikamaru

David Walser 2013-03-03 00:01:21 CET

CC: (none) => fundawang

Comment 3 Carolyn Rowse 2013-03-03 22:23:30 CET 
You need racc as well according to the docs.

I still couldn't get it to work using the first link above.
This page is much better:
http://ujihisa.blogspot.co.uk/2009/07/parsers-around-ruby.html

I seem to be able to get it to work before updating, so is it just a matter of checking it still works after updating?  If so, I'll try to do it tomorrow.

Carolyn

CC: (none) => isolde

Comment 4 claire robinson 2013-03-04 09:57:21 CET 
rubygems will download the gem and use that rather than the packaged version Carolyn.

Tried x86_64

$ gem list

*** LOCAL GEMS ***

atk (1.0.3)
cairo (1.10.2)
gdk_pixbuf2 (1.0.3)
glib2 (1.0.3)
gtk2 (1.0.3)
msgpack (0.4.6)
pango (1.0.3)
pkg-config (1.1.0)
ruby_parser (2.0.6)
sexp_processor (3.0.5)

$ irb
irb(main):001:0> require 'ruby_parser'
LoadError: no such file to load -- ruby_parser
        from (irb):1:in `require'
        from (irb):1
        from :0
Comment 5 claire robinson 2013-03-04 10:23:44 CET 
$ strace -o strace.out irb
irb(main):001:0> require 'ruby_parser'
LoadError: no such file to load -- ruby_parser
        from (irb):1:in `require'
        from (irb):1
        from :0
irb(main):002:0> quit

$ grep parse strace.out
stat("/usr/lib/ruby/site_ruby/1.8/ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/site_ruby/1.8/ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/site_ruby/1.8/x86_64-linux/ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/site_ruby/1.8/x86_64-linux/ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/site_ruby/1.8/x86_64-linux-gnu/ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/site_ruby/1.8/x86_64-linux-gnu/ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/site_ruby/ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/site_ruby/ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/vendor_ruby/1.8/ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/vendor_ruby/1.8/ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/vendor_ruby/1.8/x86_64-linux/ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/vendor_ruby/1.8/x86_64-linux/ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/vendor_ruby/ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/vendor_ruby/ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/1.8/ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/1.8/ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/1.8/x86_64-linux/ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/1.8/x86_64-linux/ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/1.8/x86_64-linux-gnu/ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/1.8/x86_64-linux-gnu/ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("./ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("./ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)

$ urpmf ruby-ruby_parser:
ruby-ruby_parser:/usr/bin/ruby_parse
ruby-ruby_parser:/usr/lib/ruby/gems/1.8/gems/ruby_parser-2.0.6
ruby-ruby_parser:/usr/lib/ruby/gems/1.8/gems/ruby_parser-2.0.6/bin
ruby-ruby_parser:/usr/lib/ruby/gems/1.8/gems/ruby_parser-2.0.6/bin/ruby_parse
ruby-ruby_parser:/usr/lib/ruby/gems/1.8/gems/ruby_parser-2.0.6/lib
ruby-ruby_parser:/usr/lib/ruby/gems/1.8/gems/ruby_parser-2.0.6/lib/gauntlet_rubyparser.rb
ruby-ruby_parser:/usr/lib/ruby/gems/1.8/gems/ruby_parser-2.0.6/lib/ruby_lexer.rb
ruby-ruby_parser:/usr/lib/ruby/gems/1.8/gems/ruby_parser-2.0.6/lib/ruby_parser.rb
ruby-ruby_parser:/usr/lib/ruby/gems/1.8/gems/ruby_parser-2.0.6/lib/ruby_parser.y
ruby-ruby_parser:/usr/lib/ruby/gems/1.8/gems/ruby_parser-2.0.6/lib/ruby_parser_extras.rb
ruby-ruby_parser:/usr/lib/ruby/gems/1.8/specifications/ruby_parser-2.0.6.gemspec
Comment 6 Carolyn Rowse 2013-03-16 20:58:02 CET 
How about this?

[carolyn@localhost ~]$ irb
irb(main):001:0> require '/usr/lib/ruby/site_ruby/1.8/rubygems.rb'
=> true
irb(main):002:0> require '/usr/lib/ruby/gems/1.8/gems/ruby_parser-2.0.6/lib/ruby_parser.rb'
=> true
irb(main):003:0> require 'pp'
=> true
irb(main):004:0> pp RubyParser.new.parse(<<-EOF)
irb(main):005:1" def plus_five(n)
irb(main):006:1"   n + 5
irb(main):007:1" end
irb(main):008:1" EOF
s(:defn,
 :plus_five,
 s(:args, :n),
 s(:scope, s(:block, s(:call, s(:lvar, :n), :+, s(:arglist, s(:lit, 5))))))
=> nil


Carolyn
Comment 7 claire robinson 2013-03-20 12:36:22 CET 
Not sure if this is a problem with irb or with ruby-parser?

irb searches for the required gem in the wrong place, or the gem is being installed to the wrong place.

Funda/David any advice please.
Comment 8 claire robinson 2013-03-20 16:18:21 CET 
Some success.

IINM if the gem is installed then require "rubygems" is enough, without a require for the specific module.
Comment 9 claire robinson 2013-03-20 16:24:27 CET 
hrm no, I am mistaken
Comment 10 claire robinson 2013-04-17 21:13:03 CEST 
David I'm assigning this back to you, simply because I don't know who else to assign it to, sorry.

CC: (none) => qa-bugs
Assignee: qa-bugs => luigiwalser

Comment 11 David Walser 2013-04-17 21:57:16 CEST 
I know nothing.  Assigning to Funda.

Assignee: luigiwalser => fundawang

Comment 12 David Walser 2013-11-22 16:00:14 CET 
Closing this now due to Mageia 2 EOL.

http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/

Status: NEW => RESOLVED
Resolution: (none) => OLD