Date: Mon, 14 Jul 2014 17:01:09 +0000
From: Ramon de C Valle <rdecvalle@...are.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: Tomas Hoger <thoger@...hat.com>, Murray McAllister <mmcallis@...hat.com>
Subject: Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes)

The fix for the (off-by-one) issue was added in https://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/46778. Is MITRE or Red Hat going to assign a CVE for it?

On Jul 10, 2014, at 8:12 PM, Ramon de C Valle <rdecvalle@...are.com> wrote:

> 
> On Jul 10, 2014, at 6:59 PM, Ramon de C Valle <rdecvalle@...are.com> wrote:
> 
>> Hi Thomas, Murray,
>> 
>> On Jul 10, 2014, at 7:43 AM, Tomas Hoger <thoger@...hat.com> wrote:
>> 
>>> On Wed, 9 Jul 2014 15:45:10 +0000 Ramon de C Valle wrote:
>>> 
>>>> I believe this should have a CVE assigned.
>>> 
>>> Can you post more details of your analysis of the issue to clarify what
>>> the issue is here?
>> From https://bugs.ruby-lang.org/issues/10019, it seems that you’ve figured it out already. Correct me if I’m wrong but, for Base64, a value of 3072 for len isn’t enough to cause the off-by-one as the while loop will terminate with the value of len being zero (and the value of i being 4092). However, if the value of len is either 3073* or 3074*, the while loop will terminate with the value of len being 1 or 2 respectively (and the value of i being 4092), with one of the subsequent if/else if conditions evaluating to true, resulting in the off-by-one.
>> 
>> I see you’ve checked the template strings used by the aws-sdk gem and its dependencies and they use ‘m0’ only, which rules out the possibility of this off-by-one being caused by any of these gems. So, now I’m also not sure what the reporter is referring to.
>> 
>> *It is possible to pass non-multiple-of-3 values as the len parameter of the encodes function by passing a string with length smaller than the count (/ 3 * 3) passed in the template string (see https://github.com/ruby/ruby/blob/trunk/pack.c#L839).
> I just double checked it, and the correct values are 3069, 3070, and 3071. So, a value of 3069 is the value that isn’t enough to cause the off-by-one, and if the value of len is either 3070* or 3071*, the while loop will terminate with the value of len being 1 or 2 respectively (and the value of i being 4092), with one of the subsequent if/else if conditions evaluating to true (incrementing the value of i up to 4096), resulting in the off-by-one (at https://github.com/ruby/ruby/blob/trunk/pack.c#L987), which matches the first case you’ve listed.
> 
> Anyway, whatever the reporter is referring to, he mentions it doesn't occur in 1.9.3, and looking at 1.9.3, the only related differences I immediately noticed are the absence of the check at https://github.com/ruby/ruby/blob/trunk/pack.c#L829 in the pack_pack function and padding being an int (instead of char) in the encodes function.
> 
>> 
>>> 
>>> -- 
>>> Tomas Hoger / Red Hat Security Response Team
>> 
>> --
>> Ramon de C Valle
>> VMware Product Security Engineering
> 
> --
> Ramon de C Valle
> VMware Product Security Engineering

--
Ramon de C Valle
VMware Product Security Engineering
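The boundary values argued over in the thread (3069 safe, 3070 and 3071 overrunning, with i reaching 4096 in a 4096-byte buffer) can be checked with a small index-arithmetic model. The block below is an added illustration, not part of the original messages and not Ruby's pack.c; it reconstructs only the buffer-index bookkeeping of the base64 ('m') path of encodes() from what the thread describes (a 4096-byte buffer, four output bytes per three input bytes, a flush only when fewer than four bytes are free, a four-byte padded tail for a remainder of 1 or 2, and a trailing newline controlled by tail_lf). Those structural details are assumptions marked in the comments; the model never touches memory, it just reports the highest index the loop would write, and it generalizes the quoted values by scanning a range of input lengths.

```python
"""Index-arithmetic model of the base64 ('m') path of Ruby's pack.c encodes().

Reconstructed from the description in the oss-security thread, not copied
from Ruby's source.  It tracks only the buffer index so that one can see
which input lengths would push a write past the stack buffer.
"""

BUFF_SIZE = 4096  # sizeof(buff) in encodes(), as quoted in the thread (assumed)


def encodes_max_index(length, buff_size=BUFF_SIZE, tail_lf=True):
    """Return the highest buffer index written for `length` input bytes.

    Assumed structure (from the thread, not verified against pack.c line by line):
      * inner loop: 3 input bytes -> 4 output bytes while >= 3 input bytes
        remain and at least 4 buffer bytes are free;
      * after the inner loop, flush (rb_str_buf_cat + i = 0) only if fewer
        than 4 buffer bytes are free;
      * a remainder of 1 or 2 input bytes writes 4 padded bytes with no
        free-space check;
      * tail_lf appends a newline with no free-space check.
    """
    if buff_size < 4:
        raise ValueError("buffer must hold at least one 4-byte group")
    i = 0
    max_i = -1

    def put():
        # Record the index that buff[i++] = ... would touch.
        nonlocal i, max_i
        max_i = max(max_i, i)
        i += 1

    while length >= 3:
        while length >= 3 and buff_size - i >= 4:
            for _ in range(4):
                put()
            length -= 3
        if buff_size - i < 4:
            i = 0  # flush to the Ruby string and restart at the buffer start
    if length in (1, 2):
        for _ in range(4):  # partial group plus '=' padding
            put()
    if tail_lf:
        put()  # the trailing '\n' the thread points at
    return max_i


def overruns(length, buff_size=BUFF_SIZE, tail_lf=True):
    """True if some write lands at or beyond buff_size (an out-of-bounds index)."""
    return encodes_max_index(length, buff_size, tail_lf) >= buff_size


def overrun_lengths(lo, hi, buff_size=BUFF_SIZE, tail_lf=True):
    """All input lengths in [lo, hi) that the model flags as overrunning."""
    return [n for n in range(lo, hi) if overruns(n, buff_size, tail_lf)]


if __name__ == "__main__":
    for n in (3069, 3070, 3071, 3072):
        state = "OVERRUN" if overruns(n) else "ok"
        print(f"len={n}: highest index written {encodes_max_index(n)} ({state})")
    print("overrunning lengths below 7000:", overrun_lengths(0, 7000))
```

Under these assumptions the model reproduces the corrected figures from the thread (3069 ends at index 4092, 3070 and 3071 reach 4096) and shows the pattern repeats every 3072 bytes (6142 and 6143 behave the same way), because the flush leaves i at 4092 whenever the number of complete 3-byte groups is 1023 mod 1024. It also shows that with tail_lf off, which is how the thread describes the 'm0' template, the padded tail stops at index 4095 and nothing overruns, matching the remark that 'm0'-only gems are not affected.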
