Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 03 Oct 2012 14:41:17 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Tyler Hicks <tyhicks@...onical.com>
CC: oss-security@...ts.openwall.com, coley@...us.mitre.org,
        security@...ntu.com, security@...y-lang.org
Subject: Re: CVE Request: Ruby safe level bypasses

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/03/2012 02:30 PM, Tyler Hicks wrote:
> On 2012-10-03 13:48:14, Kurt Seifried wrote:
>> On 10/02/2012 04:32 PM, Tyler Hicks wrote:
>>> Hello - Upstream Ruby has fixed[1] exception methods that 
>>> incorrectly allowed safe level bypasses. These bypasses
>>> allowed untainted strings to be modified by untrusted code in
>>> safe level 4.
>>> 
>>> Note that the changes to exc_to_s() and name_err_to_s(), in 
>>> error.c, are similar to the fix for CVE-2011-1005, but the
>>> Ruby advisory[2] made it clear that Ruby 1.9.x was not affected
>>> by CVE-2011-1005. It turns out that the vulnerability was
>>> later reintroduced to Ruby's trunk in revision 29456. Ruby
>>> 1.9.3-p0 and later is affected.
>>> 
>>> While Shugo Maeda was fixing the issue above, he noticed that 
>>> name_err_mesg_to_str() had a similar flaw. Ruby 1.8.x, along
>>> with 1.9.3-p0 and later is affected.
>>> 
>>> I believe that these issues need two separate CVEs. Both
>>> issues are fixed in the same upstream patch[1]. Could you
>>> please allocate ids?
>>> 
>>> Thanks, Tyler
>>> 
>>> [1] 
>>> http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
>>>
>>>
>>
>>> 
[2]
>> http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/
>>>
>>
>>
>> 
Please use CVE-2012-4464 for this issue.
> 
> Hi Kurt - I think that two CVE ids are needed here.
> 
> All issues are fixed in the same upstream patch but some issues in
> that patch affect different versions. I'll use the notation from
> "CVE Abstraction Content Decisions: Rationale and Application" to
> describe how I see it:
> 
> S1: The vulnerability found in exc_to_s() S2: The vulnerability
> found in name_err_to_s() S3: The vulnerability found in
> name_err_mesg_to_str()
> 
> S1, S2 and S3 are the same type of bug. S1 and S2 appear in the
> same versions (1.9.3-p0 and newer), so MERGE them. S3 appears in
> 1.8.x, as well as 1.9.3-p0 and newer, so SPLIT it from S1 and S2.

And this is why I should probably be more aggressive about asking for
commits to be broken out by software version if multiple versions are
affected =).

Ok let's continue to use CVE-2012-4464 for the exc_to_s() and
name_err_to_s() issues which affect 1.9.3-p0 and newer.

For name_err_mesg_to_str() which affects both 1.9.3-p0 and newer and
1.8.x please use CVE-2012-4466.

> Tyler
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQbKLtAAoJEBYNRVNeJnmT8GUQAMN+H6tTL92vO1zW9uxzz9Sr
laPfWzSVtoeiqmHCWoUO096Nt8UpRaXcO7bMTfI3hQkJyrpcx3U1NhCcDnHiiGCZ
eB3QWtzEcF1BeRmX9AsvzXbI+OGonCD8l7N0MfB1CXu1Wnb+oXUNbq7yeqMImCRU
EXXCa4KjIxUor7IUKoK5ye/V1E1LgYsc/mJgEHH3egX2J4eUAg+wa3yF/lQr+EQo
vxYAFSAKKHjIfP5lVYWSltcsQrcO4eHyXhJ7oV4S4CKfTF7R1O3l6Og5hLSei8tU
hZTtfErlQaTnVv9NH91IvcKd3oQh4JMR7MoqhOIbYSpyqVUHyqzYSjzg3J/AWpnG
s8RxRTt2wS5dyk/am90zPxjt0uHV2/l91d0moz88Z+FWI7wXy9aS0V7UG7J3mqIT
Umv2WJ97NNBLpQSM8BJBZSz7DPPjePOZQBsLY0dMvxSZdNAsmie/sK1YjL0NTw9w
rShUx2ZoGj6bpkfugpVLsyw8wfD6B+PJBN/4DRh3PlT20kJgF5xMPVnUPCDEZikU
HtbuM53r/LFNZT4xkCkZ3/KzQTj/LhSrtVmu1SqJWZAAOgANhezxxiAE/mrCHfmQ
3cX989BpeJixoWomEK1BsvPPeXmQWHssjHgUMJTke7bpecMRVBhGRMUIO/GAjih1
C19y0fl7OVTHH4G0RbrW
=jfkc
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.