Bug#796344: CVE-2009-5147
[Moritz Mühlenhoff]
> Does that also include the regression fix from CVE-2015-7551?

No, it did not. I had a look and pulled
https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a
to fix this one. I will include it too in the upload, just need to check with
the release managers first.

Should I commit the planned upload to the ruby2.1 git repository? I notice
there already is a debian/jessie branch there.

-- 
Happy hacking
Petter Reinholdtsen
Bug#796344: CVE-2009-5147
* Petter Reinholdtsen [160606 15:27]:
> Thank you very much! But the second fails with ruby2.1 today:
> cve-2009-5147-fiddle-02.rb:18:in `call': tainted parameter not allowed
> (SecurityError)
[..]
> How come?

Ah. Maybe that was my demonstration program of what should have happened.
Unfortunately I can't check what has been submitted to upstream at that time.

Best,
-- 
 ,''`.  Christian Hofstaedtler
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C D392 5C13 D6DB 9305 2E03
  `-
Bug#796344: CVE-2009-5147
[Christian Hofstaedtler]
> I'm attaching two test programs that both raise a SecurityError on
> ruby2.2 in sid, but run through on ruby2.1 in jessie. They only
> cover two Fiddle cases, and no DL cases, though.

Thank you very much! But the second fails with ruby2.1 today:

% for f in *; do echo $f; ruby $f; done
cve-2009-5147-fiddle-01.rb
"/lib/x86_64-linux-gnu/libm.so.6"
"/lib/x86_64-linux-gnu/libm.so.6"
3.0
cve-2009-5147-fiddle-02.rb
cve-2009-5147-fiddle-02.rb:18:in `call': tainted parameter not allowed (SecurityError)
	from cve-2009-5147-fiddle-02.rb:18:in `<main>'
%

How come?

-- 
Happy hacking
Petter Reinholdtsen
Bug#796344: CVE-2009-5147
Control: unarchive -1

[Christian Hofstaedtler 2016-01-03]
>> According to https://security-tracker.debian.org/tracker/CVE-2009-5147,
>> this issue is fixed in squeeze but not wheezy and jessie. Is anyone working
>> on an update to stable?
>
> Sorry, even though this should be easy to do, so far nobody has found
> the time to do it.

Right. I got tired of seeing the output for this bug from debsecan, and
decided to try to get a fix in stable. I got approval from the release
managers in bug #826348. But I would love to figure out a way to verify that
the fix really is working before I upload. Anyone got a clue to spare there?

-- 
Happy hacking
Petter Reinholdtsen
Bug#796344: CVE-2009-5147
* Petter Reinholdtsen [160606 14:01]:
> But I would love to figure out a way to verify that the fix really is working
> before I upload. Anyone got a clue to spare there?

I'm attaching two test programs that both raise a SecurityError on
ruby2.2 in sid, but run through on ruby2.1 in jessie. They only
cover two Fiddle cases, and no DL cases, though.

-- 
 ,''`.  Christian Hofstaedtler
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C D392 5C13 D6DB 9305 2E03
  `-

cve-2009-5147-fiddle-01.rb:

require 'fiddle'

$SAFE = 1

# '/usr/lib/libm.dylib'
s = '/lib/x86_64-linux-gnu/libm.so.6'
puts s.inspect
s = s.taint              # mark the library path as tainted
puts s.inspect

# A fixed Fiddle must refuse a tainted path here under $SAFE >= 1.
libm = Fiddle.dlopen(s)
floor = Fiddle::Function.new(
  libm['floor'],
  [Fiddle::TYPE_DOUBLE],
  Fiddle::TYPE_DOUBLE
)
puts floor.call(3.14159) #=> 3.0

cve-2009-5147-fiddle-02.rb:

require 'fiddle'

libc = Fiddle.dlopen('/lib/x86_64-linux-gnu/libc.so.6')
c_puts = Fiddle::Function.new(
  libc['puts'],
  [Fiddle::TYPE_VOIDP],
  Fiddle::TYPE_INT
)

$SAFE = 1

s = 'foo'
s.taint                  # tainted buffer handed to C
ptr = Fiddle::Pointer[s]
# A fixed Fiddle must refuse the tainted argument here under $SAFE >= 1.
puts c_puts.call(ptr)
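The two attached programs crash with a SecurityError on a fixed Ruby and run through on a vulnerable one, which is what you want to see, but it leaves you reading backtraces by hand. The script below is an added example, not code from this thread, from Debian or from upstream Ruby: it folds the same two Fiddle cases (tainted path to Fiddle.dlopen, tainted buffer to Fiddle::Function#call) into one checker that runs each under $SAFE = 1 and prints a verdict, alongside an untainted control call so a failure of the FFI itself is not mistaken for a fix. Assumptions not taken from the thread: the candidate C library sonames it tries, the use of strlen(3) as the probed function, and the cut-off that taint tracking is only meaningful on Ruby before 2.7 (taint became a no-op in 2.7 and $SAFE lost its effect in 3.0), on which the checks report :not_applicable. Like the attachments, it does not cover DL.

```ruby
# Added checker for the Fiddle taint checks of CVE-2009-5147 / CVE-2015-7551.
# Not from the bug thread, Debian or upstream Ruby. Assumptions: the candidate
# C library names below, strlen(3) as the probed symbol, and that $SAFE/taint
# only mean something on Ruby < 2.7.
require 'fiddle'

# Constructed list of sonames to hand to dlopen(3); the first that loads wins.
CANDIDATE_LIBC = %w[
  libc.so.6
  libc.musl-x86_64.so.1
  libc.musl-aarch64.so.1
  libSystem.B.dylib
].freeze

# Taint tracking became a no-op in Ruby 2.7, so the checks are moot after that.
def taint_tracking_available?
  Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.7')
end

# Returns the first candidate dlopen accepts, or nil if none loads.
def find_libc
  CANDIDATE_LIBC.each do |name|
    begin
      Fiddle.dlopen(name).close
      return name
    rescue Fiddle::DLError
      next
    end
  end
  nil
end

# Builds a Fiddle::Function for strlen(3) from the named C library.
def strlen_function(libc_name)
  libc = Fiddle.dlopen(libc_name)
  Fiddle::Function.new(libc['strlen'], [Fiddle::TYPE_VOIDP], Fiddle::TYPE_SIZE_T)
end

# Control case with untainted input: the FFI call itself must work on any
# Ruby, fixed or not. Returns the C strlen of +str+.
def baseline_strlen(libc_name, str)
  strlen_function(libc_name).call(Fiddle::Pointer[str])
end

# Runs the block under $SAFE = 1 in a fresh thread (before Ruby 2.6 the level
# is per thread and cannot be lowered again) and classifies the outcome:
#   :fixed      - Fiddle refused the tainted object with SecurityError
#   :vulnerable - the tainted object reached the C side unchallenged
def probe_under_safe_level
  Thread.new do
    $SAFE = 1
    begin
      yield
      :vulnerable
    rescue SecurityError
      :fixed
    end
  end.value
end

# Case 1 from the thread: tainted library path handed to Fiddle.dlopen.
def check_dlopen_tainted(libc_name)
  return :not_applicable unless taint_tracking_available?
  probe_under_safe_level { Fiddle.dlopen(libc_name.dup.taint) }
end

# Case 2 from the thread: tainted buffer handed to Fiddle::Function#call.
def check_call_tainted(libc_name)
  return :not_applicable unless taint_tracking_available?
  strlen = strlen_function(libc_name)
  probe_under_safe_level { strlen.call(Fiddle::Pointer['tainted input'.dup.taint]) }
end

# Runs the control call and both checks; libc: nil means no library loaded.
def run_checks
  libc = find_libc
  return { libc: nil } unless libc
  {
    libc: libc,
    baseline: baseline_strlen(libc, 'hello'),
    dlopen: check_dlopen_tainted(libc),
    call: check_call_tainted(libc),
  }
end

puts run_checks.inspect if $PROGRAM_NAME == __FILE__
```

Run it with the jessie ruby2.1 before and after applying the patch: both checks should flip from :vulnerable to :fixed while baseline stays 5, and ruby2.2 in sid should already report :fixed for both. Output of :not_applicable means the interpreter has no taint tracking to test.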
Bug#796344: CVE-2009-5147
[Christian Hofstaedtler]
> In 2.1 branch, the fix is in this commit:
>
> https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a

According to https://security-tracker.debian.org/tracker/CVE-2009-5147,
this issue is fixed in squeeze but not wheezy and jessie. Is anyone working
on an update to stable?

I noticed this bug as it is the oldest CVE reported by debsecan on my stable
installations, and wondered why a CVE from 2009 was still not fixed in
Jessie. Note, I see from the Red Hat bug report that the problem was recently
reintroduced, so it has not been around for 6 years.

-- 
Happy hacking
Petter Reinholdtsen
Bug#796344: CVE-2009-5147
* Petter Reinholdtsen [160102 10:30]:
> [Christian Hofstaedtler]
> > In 2.1 branch, the fix is in this commit:
> >
> > https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a
>
> According to https://security-tracker.debian.org/tracker/CVE-2009-5147,
> this issue is fixed in squeeze but not wheezy and jessie. Is anyone working
> on an update to stable?

Sorry, even though this should be easy to do, so far nobody has found
the time to do it.

> I noticed this bug as it is the oldest CVE reported by debsecan on my stable
> installations, and wondered why a CVE from 2009 was still not fixed in
> Jessie. Note, I see from the Red Hat bug report that the problem was recently
> reintroduced, so it has not been around for 6 years.

Yup, for 2.x, this bug was indeed re-introduced at a later date.

Best,
-- 
 ,''`.  Christian Hofstaedtler
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C D392 5C13 D6DB 9305 2E03
  `-
Bug#796344: CVE-2009-5147
Control: retitle -1 CVE-2015-7551
Control: found -1 2.1.5-2+deb8u2

https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/
Bug#796344: CVE-2009-5147
In 2.1 branch, the fix is in this commit:

https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a
Bug#796344: CVE-2009-5147
Package: ruby2.1
Version: 2.1.5-4
Severity: important
Tags: security

This has been assigned CVE-2009-5147:
http://seclists.org/oss-sec/2015/q3/222

Cheers,
Moritz