Date: Wed, 03 Oct 2012 14:41:17 -0600
From: Kurt Seifried <>
To: Tyler Hicks <>
Subject: Re: CVE Request: Ruby safe level bypasses

On 10/03/2012 02:30 PM, Tyler Hicks wrote:
> On 2012-10-03 13:48:14, Kurt Seifried wrote:
>> On 10/02/2012 04:32 PM, Tyler Hicks wrote:
>>> Hello - Upstream Ruby has fixed[1] exception methods that 
>>> incorrectly allowed safe level bypasses. These bypasses
>>> allowed untainted strings to be modified by untrusted code in
>>> safe level 4.
>>> Note that the changes to exc_to_s() and name_err_to_s(), in 
>>> error.c, are similar to the fix for CVE-2011-1005, but the
>>> Ruby advisory[2] made it clear that Ruby 1.9.x was not affected
>>> by CVE-2011-1005. It turns out that the vulnerability was
>>> later reintroduced to Ruby's trunk in revision 29456. Ruby
>>> 1.9.3-p0 and later is affected.
>>> While Shugo Maeda was fixing the issue above, he noticed that 
>>> name_err_mesg_to_str() had a similar flaw. Ruby 1.8.x, along
>>> with 1.9.3-p0 and later, is affected.
>>> I believe that these issues need two separate CVEs. Both
>>> issues are fixed in the same upstream patch[1]. Could you
>>> please allocate ids?
>>> Thanks, Tyler
>>> [1] 
Please use CVE-2012-4464 for this issue.
> Hi Kurt - I think that two CVE ids are needed here.
> All issues are fixed in the same upstream patch but some issues in
> that patch affect different versions. I'll use the notation from
> "CVE Abstraction Content Decisions: Rationale and Application" to
> describe how I see it:
> S1: The vulnerability found in exc_to_s()
> S2: The vulnerability found in name_err_to_s()
> S3: The vulnerability found in name_err_mesg_to_str()
> S1, S2 and S3 are the same type of bug. S1 and S2 appear in the
> same versions (1.9.3-p0 and newer), so MERGE them. S3 appears in
> 1.8.x, as well as 1.9.3-p0 and newer, so SPLIT it from S1 and S2.

And this is why I should probably be more aggressive about asking for
commits to be broken out by software version if multiple versions are
affected =).

Ok let's continue to use CVE-2012-4464 for the exc_to_s() and
name_err_to_s() issues which affect 1.9.3-p0 and newer.

For name_err_mesg_to_str() which affects both 1.9.3-p0 and newer and
1.8.x please use CVE-2012-4466.

> Tyler

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
