Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 28 Jul 2015 08:27:24 -0400 (EDT)
From: cve-assign@...re.org
To: reed@...dloden.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Two ruby 'dl' vulnerabilities fixed in ruby-1.9.1-p129

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We can assign an ID for one of these but we have a question about the other.

> * DL::dlopen could open a library with tainted library name even if
> $SAFE > 0
> https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b

Use CVE-2009-5147.


> * DL::Function#call could pass tainted arguments to a C function even if
> $SAFE > 0.
> https://github.com/ruby/ruby/commit/7269e3de3cee3bbb6ab77fc708f3a10cab00b65e

> These seem to be different issues than CVE-2008-3657.

Please clarify what research you have done to reach this conclusion
for the DL::Function#call issue. Finding information about
vulnerabilities with different dates does not always mean that
separate CVE IDs are used. For example, if a 2008 patch was
ineffective in the sense that it did not actually fix any aspect of a
CVE-2008-xxxx vulnerability, and then an effective patch and a new
advisory were produced in 2009, the previously assigned CVE-2008-xxxx
ID would continue to be used - there would not be a new CVE-2009-yyyy
ID.

The available information about CVE-2008-3657 includes the "Lack of
taintness check in dl" section of
https://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
with "dl doesn't check taintness ... This vulnerability was reported
by sheepman" and "Please upgrade to ... 1.8.7-p72." See the
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ archives.

Comparing ext/dl/sym.c between p71 and p72 shows a new
rb_check_safe_obj(pval) line in rb_dlsym_call.

Comparing ext/dl/dl.c between p71 and p72 shows new instances of
OBJ_INFECT, among other changes.

The 2009 commit mentions "Patch by sheepman" and a change to a .rb
file (no changes to any .c file).

Is the 2009 issue a new issue because it is specific to a "tainted
arguments to a C function" attack, and the 2008 patch correctly
resolved the 2008 test case involving uname?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVt3TCAAoJEKllVAevmvms7UQH/j6ekzwPRPi2iDBKm1S5wpjt
OSYiFZ7e72VxQqAcZS6O7jA4Rgt/2eZC6JUDmNAR+PrCqHm0QFxgRG7suvI/6SBL
5/FmC6SP/0ZEJ7pFdsjEqk0KfSXFTjZ2t4DeEojEIEJ7rNpimrUi8OfdVz3GzJFI
4DflBp2WJxlRQWTGOA1gCPemOoxH/GjtSiBGze6cB8WImCzm0v09vPZK5GYcGD2X
9FglRlV14T3/UQGa2tQwFhoEfJhhR24Exdau5CkKE0bnekBYSpDN+0LqxfuLeX9z
oH9N7ZTZ+pcvNMUUE0HIyg0XawgRP0YuKFieea9FDxhiZbWOHcdxVv/P4YnQePg=
=uFUY
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ