Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 Oct 2012 13:30:56 -0700
From: Tyler Hicks <tyhicks@...onical.com>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com, coley@...us.mitre.org,
	security@...ntu.com, security@...y-lang.org
Subject: Re: CVE Request: Ruby safe level bypasses

On 2012-10-03 13:48:14, Kurt Seifried wrote:
> On 10/02/2012 04:32 PM, Tyler Hicks wrote:
> > Hello - Upstream Ruby has fixed[1] exception methods that
> > incorrectly allowed safe level bypasses. These bypasses allowed
> > untainted strings to be modified by untrusted code in safe level
> > 4.
> > 
> > Note that the changes to exc_to_s() and name_err_to_s(), in
> > error.c, are similar to the fix for CVE-2011-1005, but the Ruby
> > advisory[2] made it clear that Ruby 1.9.x was not affected by
> > CVE-2011-1005. It turns out that the vulnerability was later
> > reintroduced to Ruby's trunk in revision 29456. Ruby 1.9.3-p0 and
> > later is affected.
> > 
> > While Shugo Maeda was fixing the issue above, he noticed that 
> > name_err_mesg_to_str() had a similar flaw. Ruby 1.8.x, along with 
> > 1.9.3-p0 and later is affected.
> > 
> > I believe that these issues need two separate CVEs. Both issues
> > are fixed in the same upstream patch[1]. Could you please allocate
> > ids?
> > 
> > Thanks, Tyler
> > 
> > [1]
> > http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
> >
> > 
> [2]
> http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/
> > 
> 
> Please use CVE-2012-4464 for this issue.

Hi Kurt - I think that two CVE ids are needed here.

All issues are fixed in the same upstream patch but some issues in that
patch affect different versions. I'll use the notation from "CVE
Abstraction Content Decisions: Rationale and Application" to describe
how I see it:

S1: The vulnerability found in exc_to_s()
S2: The vulnerability found in name_err_to_s()
S3: The vulnerability found in name_err_mesg_to_str()

S1, S2 and S3 are the same type of bug. S1 and S2 appear in the same
versions (1.9.3-p0 and newer), so MERGE them. S3 appears in 1.8.x, as
well as 1.9.3-p0 and newer, so SPLIT it from S1 and S2.

Tyler

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.