Date: Tue, 28 Jul 2015 08:27:24 -0400 (EDT)
Subject: Re: CVE request: Two ruby 'dl' vulnerabilities fixed in ruby-1.9.1-p129

We can assign an ID for one of these but we have a question about the other.

> * DL::dlopen could open a library with tainted library name even if
> $SAFE > 0

Use CVE-2009-5147.

> * DL::Function#call could pass tainted arguments to a C function even if
> $SAFE > 0.

> These seem to be different issues than CVE-2008-3657.

Please clarify what research you have done to reach this conclusion
for the DL::Function#call issue. Finding information about
vulnerabilities with different dates does not always mean that
separate CVE IDs are used. For example, if a 2008 patch was
ineffective in the sense that it did not actually fix any aspect of a
CVE-2008-xxxx vulnerability, and then an effective patch and a new
advisory were produced in 2009, the previously assigned CVE-2008-xxxx
ID would continue to be used - there would not be a new CVE-2009-yyyy

The available information about CVE-2008-3657 includes the "Lack of
taintness check in dl" section of
with "dl doesn't check taintness ... This vulnerability was reported
by sheepman" and "Please upgrade to ... 1.8.7-p72." See the archives.

Comparing ext/dl/sym.c between p71 and p72 shows a new
rb_check_safe_obj(pval) line in rb_dlsym_call.

Comparing ext/dl/dl.c between p71 and p72 shows new instances of
OBJ_INFECT, among other changes.

The 2009 commit mentions "Patch by sheepman" and a change to a .rb
file (no changes to any .c file).

Is the 2009 issue a new issue because it is specific to a "tainted
arguments to a C function" attack, and the 2008 patch correctly
resolved the 2008 test case involving uname?

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]