Date: Tue, 28 Jul 2015 08:27:24 -0400 (EDT)
From: cve-assign@...re.org
To: reed@...dloden.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Two ruby 'dl' vulnerabilities fixed in ruby-1.9.1-p129

We can assign an ID for one of these but we have a question about the other.

> * DL::dlopen could open a library with tainted library name even if
>   $SAFE > 0
>   https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b

Use CVE-2009-5147.

> * DL::Function#call could pass tainted arguments to a C function even if
>   $SAFE > 0.
>   https://github.com/ruby/ruby/commit/7269e3de3cee3bbb6ab77fc708f3a10cab00b65e

> These seem to be different issues than CVE-2008-3657.

Please clarify what research you have done to reach this conclusion for the DL::Function#call issue. Finding information about vulnerabilities with different dates does not always mean that separate CVE IDs are used. For example, if a 2008 patch was ineffective in the sense that it did not actually fix any aspect of a CVE-2008-xxxx vulnerability, and then an effective patch and a new advisory were produced in 2009, the previously assigned CVE-2008-xxxx ID would continue to be used - there would not be a new CVE-2009-yyyy ID.

The available information about CVE-2008-3657 includes the "Lack of taintness check in dl" section of https://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/ with "dl doesn't check taintness ... This vulnerability was reported by sheepman" and "Please upgrade to ... 1.8.7-p72."

See the ftp://ftp.ruby-lang.org/pub/ruby/1.8/ archives. Comparing ext/dl/sym.c between p71 and p72 shows a new rb_check_safe_obj(pval) line in rb_dlsym_call. Comparing ext/dl/dl.c between p71 and p72 shows new instances of OBJ_INFECT, among other changes.

The 2009 commit mentions "Patch by sheepman" and a change to a .rb file (no changes to any .c file).

Is the 2009 issue a new issue because it is specific to a "tainted arguments to a C function" attack, and the 2008 patch correctly resolved the 2008 test case involving uname?

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]