Date: Mon, 30 Jun 2008 17:54:01 -0400
From: Jamie Strandboge <jamie@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: patch sets for recent ruby vulnerabilities

Passing this along from the ruby developers. I asked for comments
regarding the regressions, but did not get any, but the commit to
string.c on 2008/06/22 (i.e. after the announcement) is probably part of
that. These commits are what I thought were the commits, but there was
so much confusion at [1] and [2] that I went straight to the developers
for confirmation.

Hope this helps.

Jamie

[1] http://www.ruby-forum.com/topic/157034
[2] http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security-vulnerabilities

On Wed, 25 Jun 2008, Shugo Maeda wrote:

> Hello,
> 
> 2008/6/25 Jamie Strandboge <jamie@...onical.com>:
> > Can you provide more details on the vulnerabilities as well as what files
> > and commits pertain to these issues? If you don't mind, I would like to
> > forward this information to the vendor-sec mailing list as well, so the
> > other vendors can patch their distributions.
> 
> The following commits pertain to the vulnerabilities.  The SVN repository
> is at http://svn.ruby-lang.org/repos/ruby/.
> Please forward this information to the vendor-sec.
> 
> ------------------------------------------------------------------------
> r17530 | nobu | 2008-06-22 07:16:45 +0900 (Sun, 22 Jun 2008) | 2 lines
> Changed paths:
>    M /branches/ruby_1_8/ChangeLog
>    M /branches/ruby_1_8/string.c
> 
> * string.c (str_buf_cat): check for self concatenation.
> 
> ------------------------------------------------------------------------
> r17483 | nobu | 2008-06-20 18:16:03 +0900 (Fri, 20 Jun 2008) | 2 lines
> Changed paths:
>    M /branches/ruby_1_8/ChangeLog
>    M /branches/ruby_1_8/string.c
> 
> * string.c (rb_str_buf_append): should infect.
> 
> ------------------------------------------------------------------------
> r17472 | nobu | 2008-06-20 15:42:07 +0900 (Fri, 20 Jun 2008) | 5 lines
> Changed paths:
>    M /branches/ruby_1_8/array.c
>    M /branches/ruby_1_8/string.c
>    M /trunk/array.c
>    M /trunk/string.c
> 
> * array.c (rb_ary_store, rb_ary_splice): not depend on unspecified
>   behavior at integer overflow.
> 
> * string.c (str_buf_cat): ditto.
> 
> ------------------------------------------------------------------------
> r17471 | nobu | 2008-06-20 15:40:10 +0900 (Fri, 20 Jun 2008) | 5 lines
> Changed paths:
>    M /branches/ruby_1_8/ChangeLog
>    M /trunk/ChangeLog
> 
> * array.c (rb_ary_store, rb_ary_splice): not depend on unspecified
>   behavior at integer overflow.
> 
> * string.c (str_buf_cat): ditto.
> 
> ------------------------------------------------------------------------
> r17460 | shyouhei | 2008-06-20 08:12:46 +0900 (Fri, 20 Jun 2008) | 13 lines
> Changed paths:
>    M /branches/ruby_1_8/ChangeLog
>    M /branches/ruby_1_8/array.c
>    M /branches/ruby_1_8/intern.h
>    M /branches/ruby_1_8/sprintf.c
>    M /branches/ruby_1_8/string.c
>    M /branches/ruby_1_8_5/ChangeLog
>    M /branches/ruby_1_8_5/array.c
>    M /branches/ruby_1_8_5/intern.h
>    M /branches/ruby_1_8_5/sprintf.c
>    M /branches/ruby_1_8_5/string.c
>    M /branches/ruby_1_8_5/version.h
>    M /branches/ruby_1_8_6/ChangeLog
>    M /branches/ruby_1_8_6/array.c
>    M /branches/ruby_1_8_6/intern.h
>    M /branches/ruby_1_8_6/sprintf.c
>    M /branches/ruby_1_8_6/string.c
>    M /branches/ruby_1_8_6/version.h
>    M /branches/ruby_1_8_7/ChangeLog
>    M /branches/ruby_1_8_7/array.c
>    M /branches/ruby_1_8_7/intern.h
>    M /branches/ruby_1_8_7/sprintf.c
>    M /branches/ruby_1_8_7/string.c
>    M /branches/ruby_1_8_7/version.h
>    M /trunk/ChangeLog
>    M /trunk/array.c
>    M /trunk/string.c
> 
> * array.c (ary_new, rb_ary_initialize, rb_ary_store,
>   rb_ary_aplice, rb_ary_times): integer overflows should be
>   checked. based on patches from Drew Yao <ayao at apple.com>
>   fixed CVE-2008-2726
> 
> * string.c (rb_str_buf_append): fixed unsafe use of alloca,
>   which led memory corruption. based on a patch from Drew Yao
>   <ayao at apple.com> fixed CVE-2008-2726
> 
> * sprintf.c (rb_str_format): backported from trunk.
> 
> * intern.h: ditto.
> 
> 
> -- 
> Shugo Maeda

-- 
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/
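
The r17472 and r17530 log entries quoted above name two fixes to str_buf_cat: not depending on integer overflow behavior, and checking for self concatenation. The C sketch below is an added illustration of both checks and is not Ruby's code; `struct sbuf` and `sbuf_cat` are hypothetical names.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable byte buffer (assumption; not Ruby's RString). */
struct sbuf { char *ptr; long len; long capa; };

/* Append len bytes at src to b, keeping a trailing NUL.
 * Returns 0 on success, -1 on a bad length, size overflow or
 * allocation failure; b is left unchanged on failure. */
int sbuf_cat(struct sbuf *b, const char *src, long len)
{
    long off = -1, total, capa;
    uintptr_t s = (uintptr_t)src, base = (uintptr_t)b->ptr;
    char *p;

    if (len < 0) return -1;
    /* Test before adding: signed overflow is undefined in C, so a
     * "total < b->len" test after the addition may be compiled away. */
    if (len > LONG_MAX - 1 - b->len) return -1;   /* -1 leaves room for NUL */
    total = b->len + len;

    /* Self concatenation: src points into b's own storage, which
     * realloc may move. Keep the offset, not the pointer. */
    if (b->ptr && s >= base && s - base <= (uintptr_t)b->len)
        off = (long)(s - base);

    if (total + 1 > b->capa) {
        capa = b->capa > 0 ? b->capa : 16;
        while (capa < total + 1) {
            /* Doubling would overflow: fall back to the exact size. */
            if (capa > LONG_MAX / 2) { capa = total + 1; break; }
            capa *= 2;
        }
        p = realloc(b->ptr, (size_t)capa);
        if (!p) return -1;
        b->ptr = p;
        b->capa = capa;
        if (off >= 0) src = b->ptr + off;   /* re-derive after the move */
    }
    memmove(b->ptr + b->len, src, (size_t)len);
    b->len = total;
    b->ptr[total] = '\0';
    return 0;
}
```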
