Bug 10135 - ruby new security issue CVE-2013-2065
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/551067/
Whiteboard: has_procedure mga3-64-OK mga3-32-ok
Keywords: validated_update
Reported: 2013-05-17 20:01 CEST by David Walser
Modified: 2013-05-25 21:52 CEST (History)

See Also:
Source RPM: ruby-1.9.3.p429-1.mga3
CVE:
Status comment:


Description David Walser 2013-05-17 20:01:06 CEST
Slackware has issued an advisory on May 16:
http://lwn.net/Alerts/551054/

Mageia 2 is not affected (ruby 1.8 not affected).

The issue is fixed in 1.9.3 p426:
http://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/

Comment 1 Funda Wang 2013-05-18 18:43:48 CEST
Wait until mga3 released.

I'll likely propose ruby 2.0 for mga4.
Comment 2 Funda Wang 2013-05-23 22:57:33 CEST
Please test ruby-1.9.3.p429-1.mga3
Comment 3 claire robinson 2013-05-24 15:44:16 CEST
Funda, could you remember to add info for QA please.

SRPM: ruby-1.9.3.p429-1.mga3.src.rpm
------------------------------------
lib(64)ruby1.9
ruby-doc
ruby-irb
ruby
ruby-tk
ruby-devel


Testing complete mga3 64

PoC for CVE-2013-2065: 
http://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065

Before
------
Needs requires adding to the scripts, so..

require 'dl'
require 'dl/import'
# Exposes libc system() to Ruby through DL; user_input reaches the native
# call without any taint check in ruby before 1.9.3p429.
def my_function(user_input)
  handle    = DL.dlopen(nil)
  sys_cfunc = DL::CFunc.new(handle['system'], DL::TYPE_INT, 'system')
  sys       = DL::Function.new(sys_cfunc, [DL::TYPE_VOIDP])
  sys.call user_input
end

$SAFE = 1                        # safe level 1 is supposed to reject tainted arguments
my_function "uname -rs".taint    # tainted string, still executed on the unpatched build

When run in irb it outputs..
irb(main):011:0> my_function "uname -rs".taint
Linux 3.8.13-desktop-1.mga3
=> 0

Also, for fiddle, adding require 'fiddle'..

require 'dl'      # needed for DL.dlopen below when run outside the earlier irb session
require 'fiddle'
# Same bypass through Fiddle::Function instead of DL::Function.
def my_function(user_input)
  handle    = DL.dlopen(nil)
  sys = Fiddle::Function.new(handle['system'],
                             [Fiddle::TYPE_VOIDP], Fiddle::TYPE_INT)
  sys.call user_input
end

$SAFE = 1
my_function "uname -rs".taint

Outputs..
irb(main):010:0> my_function "uname -rs".taint
Linux 3.8.13-desktop-1.mga3
=> 0


After
-----

Using the same scripts in irb

irb(main):011:0> my_function "uname -rs".taint
SecurityError: tainted parameter not allowed
        from /usr/share/ruby/dl/func.rb:92:in `call'
        from /usr/share/ruby/dl/func.rb:92:in `call'
        from (irb):7:in `my_function'
        from (irb):11
        from /usr/bin/irb:12:in `<main>'

And..

irb(main):010:0> my_function "uname -rs".taint
SecurityError: tainted parameter not allowed
        from (irb):6:in `call'
        from (irb):6:in `my_function'
        from (irb):10
        from /usr/bin/irb:12:in `<main>'


So CVE is confirmed and is now closed.
Comment 4 claire robinson 2013-05-24 16:57:33 CEST
Testing complete mga3 32

Validating

SRPM: ruby-1.9.3.p429-1.mga3.src.rpm

Advisory TBC

Could sysadmin please push from 3 core/updates_testing to core/updates when the advisory has been added.

Thanks!
Comment 5 David Walser 2013-05-24 17:16:36 CEST
Advisory:
========================

Updated ruby packages fix security vulnerability:

Vulnerability in DL and Fiddle in Ruby before 1.9.3p429 where tainted strings
can be used by system calls regardless of the $SAFE level set in Ruby. Native
functions exposed to Ruby with DL or Fiddle do not check the taint values set
on the objects passed in. This can result in tainted objects being accepted
as input when a SecurityError exception should be raised (CVE-2013-2065).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2065
http://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/
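The advisory above describes the missing check: arguments crossing from Ruby into a native function were never tested for taint, so $SAFE had no effect at that boundary. The following is an added example, not code from this bug report, from Mageia, or from the Ruby project. It shows the shape of the guard that the 1.9.3p429 fix placed in DL::Function#call (the error message matches the backtraces in comment 3) as a wrapper around any native callable. Because Ruby 2.7 and later removed String#taint and $SAFE, the `Taint` module is a constructed stand-in for marking strings that came from untrusted input, the `safe_level:` keyword stands in for $SAFE, and libc strlen() is bound through Fiddle purely as a harmless native function for the demonstration; the names `GuardedNativeFunction`, `native_strlen` and `attempt` are this example's own.

```ruby
# Added example (not from the bug report or the Ruby project): a taint guard
# at the Ruby/native boundary, mirroring the CVE-2013-2065 fix in
# DL::Function#call. Ruby >= 2.7 has no taint tracking, so `Taint` below is
# a constructed stand-in; `safe_level:` stands in for the removed $SAFE.
begin
  require 'fiddle'
  HAVE_FIDDLE = true
rescue LoadError
  HAVE_FIDDLE = false
end

# Constructed stand-in for Ruby's removed String#taint / #tainted?: marks an
# object as having come from an untrusted source (request parameter, file, ...).
module Taint
  def self.mark(str)
    str.instance_variable_set(:@from_untrusted_source, true)
    str
  end

  def self.tainted?(obj)
    obj.instance_variable_defined?(:@from_untrusted_source)
  end
end

# Wraps a native callable so the check runs in Ruby *before* control enters C,
# where no Ruby-level safety checks apply. Same rule as the 1.9.3p429 fix:
# at safe level 1 or higher, any tainted argument aborts the call.
class GuardedNativeFunction
  def initialize(callable, safe_level:)
    @callable   = callable
    @safe_level = safe_level
  end

  def call(*args)
    if @safe_level >= 1 && args.any? { |a| Taint.tainted?(a) }
      raise SecurityError, "tainted parameter not allowed"
    end
    @callable.call(*args)
  end
end

# Binds libc strlen() through Fiddle when available (chosen because it is
# harmless); otherwise a pure-Ruby callable of the same shape, so the guard
# logic can still be exercised.
def native_strlen
  if HAVE_FIDDLE
    handle = Fiddle.dlopen(nil)   # the running process, like DL.dlopen(nil) in the PoC
    Fiddle::Function.new(handle['strlen'], [Fiddle::TYPE_VOIDP], Fiddle::TYPE_SIZE_T)
  else
    ->(s) { s.bytesize }
  end
end

# Returns [:ok, length] when the native call is allowed, [:blocked, message]
# when the guard rejects it.
def attempt(input, safe_level:)
  fn = GuardedNativeFunction.new(native_strlen, safe_level: safe_level)
  [:ok, fn.call(input)]
rescue SecurityError => e
  [:blocked, e.message]
end

if __FILE__ == $0
  trusted   = "uname -rs".dup                          # program literal, untainted
  untrusted = Taint.mark("untrusted input".dup)        # constructed untrusted value
  p attempt(trusted,   safe_level: 1)   # [:ok, 9]
  p attempt(untrusted, safe_level: 0)   # [:ok, 15]  (no safe level: the call goes through)
  p attempt(untrusted, safe_level: 1)   # [:blocked, "tainted parameter not allowed"]
end
```

The second `attempt` call is what the unpatched DL/Fiddle did at every safe level; the third is the behaviour the update restores. The design point is that the check must live on the Ruby side of the FFI boundary: once the pointer is handed to C, nothing there knows or cares where the bytes came from.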
Comment 6 Thomas Backlund 2013-05-25 21:52:34 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0155
