Date: Tue, 28 Jul 2015 08:27:24 -0400 (EDT)
Subject: Re: CVE request: Two ruby 'dl' vulnerabilities fixed in ruby-1.9.1-p129

We can assign an ID for one of these but we have a question about the other.

> * DL::dlopen could open a library with tainted library name even if
> $SAFE > 0

Use CVE-2009-5147.

> * DL::Function#call could pass tainted arguments to a C function even if
> $SAFE > 0.

> These seem to be different issues than CVE-2008-3657.

Please clarify what research you have done to reach this conclusion
for the DL::Function#call issue. Finding information about
vulnerabilities with different dates does not always mean that
separate CVE IDs are used. For example, if a 2008 patch was
ineffective in the sense that it did not actually fix any aspect of a
CVE-2008-xxxx vulnerability, and then an effective patch and a new
advisory were produced in 2009, the previously assigned CVE-2008-xxxx
ID would continue to be used - there would not be a new CVE-2009-yyyy

The available information about CVE-2008-3657 includes the "Lack of
taintness check in dl" section of
with "dl doesn't check taintness ... This vulnerability was reported
by sheepman" and "Please upgrade to ... 1.8.7-p72." See the archives.

Comparing ext/dl/sym.c between p71 and p72 shows a new
rb_check_safe_obj(pval) line in rb_dlsym_call.

Comparing ext/dl/dl.c between p71 and p72 shows new instances of
OBJ_INFECT, among other changes.

The 2009 commit mentions "Patch by sheepman" and a change to a .rb
file (no changes to any .c file).

Is the 2009 issue a new issue because it is specific to a "tainted
arguments to a C function" attack, and the 2008 patch correctly
resolved the 2008 test case involving uname?

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]