Bug#796344: CVE-2009-5147

2016-06-07 Thread Petter Reinholdtsen
[Moritz Mühlenhoff]
> Does that also include the regression fix from CVE-2015-7551?

No, it did not.  I had a look and pulled
https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a
to fix this one.  I will include it too in the upload, just need to
check with the release managers first.

Should I commit the planned upload to the ruby2.1 git repository?  I
notice there already is a debian/jessie branch there.

-- 
Happy hacking
Petter Reinholdtsen



Bug#796344: CVE-2009-5147

2016-06-06 Thread Christian Hofstaedtler
* Petter Reinholdtsen  [160606 15:27]:
> Thank you very much!  But the second fails with ruby2.1 today:
>   cve-2009-5147-fiddle-02.rb:18:in `call': tainted parameter not allowed 
> (SecurityError)
[..]

> How come?

Ah. Maybe that was my demonstration program of what should have
happened. Unfortunately I can't check what has been submitted to
upstream at that time.

Best,
-- 
 ,''`.  Christian Hofstaedtler 
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-





Bug#796344: CVE-2009-5147

2016-06-06 Thread Petter Reinholdtsen
[Christian Hofstaedtler]
> I'm attaching two test programs that both raise a SecurityError on
> ruby2.2 in sid, but run through on ruby2.1 in jessie. They only
> cover two Fiddle cases, and no DL cases, though.

Thank you very much!  But the second fails with ruby2.1 today:

  % for f in *; do echo $f; ruby $f; done
  cve-2009-5147-fiddle-01.rb
  "/lib/x86_64-linux-gnu/libm.so.6"
  "/lib/x86_64-linux-gnu/libm.so.6"
  3.0
  cve-2009-5147-fiddle-02.rb
  cve-2009-5147-fiddle-02.rb:18:in `call': tainted parameter not allowed 
(SecurityError)
  from cve-2009-5147-fiddle-02.rb:18:in `<main>'
  %

How come?

-- 
Happy hacking
Petter Reinholdtsen



Bug#796344: CVE-2009-5147

2016-06-06 Thread Petter Reinholdtsen
Control: unarchive -1

[Christian Hofstaedtler 2016-01-03]
>> According to https://security-tracker.debian.org/tracker/CVE-2009-5147,
>> this issue is fixed in squeeze but not wheezy and jessie.  Is anyone working
>> on an update to stable?
> 
> Sorry, even though this should be easy to do, so far nobody has found
> the time to do it.

Right.  I got tired of seeing the output for this bug from debsecan, and
decided to try to get a fix in stable.  I got approval from the release
managers in bug #826348.

But I would love to figure out a way to verify that the fix really is working
before I upload.  Anyone got a clue to spare there?

-- 
Happy hacking
Petter Reinholdtsen



Bug#796344: CVE-2009-5147

2016-06-06 Thread Christian Hofstaedtler
* Petter Reinholdtsen  [160606 14:01]:
> But I would love to figure out a way to verify that the fix really is working
> before I upload.  Anyone got a clue to spare there?

I'm attaching two test programs that both raise a SecurityError on
ruby2.2 in sid, but run through on ruby2.1 in jessie. They only
cover two Fiddle cases, and no DL cases, though.

-- 
 ,''`.  Christian Hofstaedtler 
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-

require 'fiddle'
$SAFE = 1

# Library path for a Linux x86_64 system ('/usr/lib/libm.dylib' on macOS)
s = '/lib/x86_64-linux-gnu/libm.so.6'
puts s.inspect
s = s.taint
puts s.inspect

# On a fixed Ruby, handing a tainted path to Fiddle.dlopen under $SAFE >= 1
# raises SecurityError here; on a vulnerable one the library is opened.
libm = Fiddle.dlopen(s)
floor = Fiddle::Function.new(
  libm['floor'],
  [Fiddle::TYPE_DOUBLE],
  Fiddle::TYPE_DOUBLE
)

puts floor.call(3.14159) #=> 3.0


require 'fiddle'
libc = Fiddle.dlopen('/lib/x86_64-linux-gnu/libc.so.6')
# Named c_puts so the local variable does not shadow Kernel#puts
c_puts = Fiddle::Function.new(
  libc['puts'],
  [Fiddle::TYPE_VOIDP],
  Fiddle::TYPE_INT
)

$SAFE = 1

s = 'foo'
s.taint

ptr = Fiddle::Pointer[s]

# On a fixed Ruby, a tainted argument to Fiddle::Function#call under
# $SAFE >= 1 raises "tainted parameter not allowed (SecurityError)";
# on a vulnerable one libc's puts prints "foo".
puts c_puts.call(ptr)




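The two attached test programs, and the confusing run of them earlier in the thread, exit with an exception on a fixed interpreter and run silently on a vulnerable one, so the result has to be read off the backtrace. The harness below is an added example, not code from the bug report or from Ruby upstream: it re-runs the same two Fiddle probes (tainted path to Fiddle.dlopen, tainted pointer argument to Fiddle::Function#call) and returns a verdict per probe. The glibc library paths are assumed as in the originals, strlen is used instead of puts so nothing is written to stdout, and the version gate reflects that taint tracking became a no-op in Ruby 2.7 and $SAFE stopped being special in 3.0, so on those interpreters every probe reports :unavailable rather than a false "fixed".

```ruby
# Added verification harness (not from the bug thread): re-runs the two Fiddle
# probes from the attached test programs and reports a verdict per probe
# instead of exiting with an exception.  Assumes the x86_64 glibc library
# paths below; adjust them for the target system.
begin
  require 'fiddle'
  FIDDLE_AVAILABLE = true
rescue LoadError
  FIDDLE_AVAILABLE = false
end

LIBM_PATH = '/lib/x86_64-linux-gnu/libm.so.6'
LIBC_PATH = '/lib/x86_64-linux-gnu/libc.so.6'
VERDICTS  = [:fixed, :vulnerable, :unavailable].freeze

# Taint tracking became a no-op in Ruby 2.7 and $SAFE lost its meaning in
# 3.0, so the probes only say something on older interpreters (2.1, 2.2, ...).
def taint_checks_meaningful?
  Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.7.0')
end

# Runs one probe under $SAFE = 1 and classifies the outcome:
#   :fixed       the interpreter refused the tainted input with SecurityError
#   :vulnerable  the call went through with the tainted input
#   :unavailable taint/$SAFE are meaningless here, or Fiddle/the library is missing
def run_probe
  return :unavailable unless taint_checks_meaningful? && FIDDLE_AVAILABLE
  $SAFE = 1
  yield
  :vulnerable
rescue SecurityError
  :fixed
rescue Fiddle::DLError
  :unavailable
end

# Probe 1 (fiddle-01.rb case): tainted library path handed to Fiddle.dlopen.
def probe_tainted_dlopen
  run_probe do
    path = String.new(LIBM_PATH).taint
    libm = Fiddle.dlopen(path)
    floor = Fiddle::Function.new(libm['floor'], [Fiddle::TYPE_DOUBLE], Fiddle::TYPE_DOUBLE)
    floor.call(3.14159)
  end
end

# Probe 2 (fiddle-02.rb case): untainted handle, tainted pointer argument to
# Fiddle::Function#call.  strlen stands in for puts so nothing hits stdout.
def probe_tainted_call_argument
  run_probe do
    libc = Fiddle.dlopen(LIBC_PATH)
    strlen = Fiddle::Function.new(libc['strlen'], [Fiddle::TYPE_VOIDP], Fiddle::TYPE_SIZE_T)
    arg = String.new('foo').taint
    strlen.call(Fiddle::Pointer[arg])
  end
end

# Both verdicts in one hash, keyed by probe name.
def verify_fiddle_taint_checks
  { tainted_dlopen: probe_tainted_dlopen,
    tainted_call_argument: probe_tainted_call_argument }
end

if __FILE__ == $PROGRAM_NAME
  verify_fiddle_taint_checks.each { |probe, verdict| puts "#{probe}: #{verdict}" }
end
```

On a jessie ruby2.1 before the upload the expected output is `tainted_dlopen: vulnerable`; the second probe reports whatever the interpreter actually does with a tainted pointer argument, which is exactly the point that was unclear in the thread. On a patched interpreter both lines read `fixed`. Note that $SAFE cannot be lowered again once set in the 2.x series, so the two probes deliberately share one raised level rather than trying to reset it between runs.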

Bug#796344: CVE-2009-5147

2016-01-02 Thread Petter Reinholdtsen
[Christian Hofstaedtler]
> In 2.1 branch, the fix is in this commit:
> 
> https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a

According to https://security-tracker.debian.org/tracker/CVE-2009-5147,
this issue is fixed in squeeze but not wheezy and jessie.  Is anyone working
on an update to stable?

I noticed this bug as it is the oldest CVE reported by debsecan on my stable
installations, and wondered why a CVE from 2009 was still not fixed in
Jessie.  Note, I see from the Redhat bug report that the problem was recently
reintroduced, so it has not been around for 6 years.

-- 
Happy hacking
Petter Reinholdtsen



Bug#796344: CVE-2009-5147

2016-01-02 Thread Christian Hofstaedtler
* Petter Reinholdtsen  [160102 10:30]:
> [Christian Hofstaedtler]
> > In 2.1 branch, the fix is in this commit:
> > 
> > https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a
> 
> According to https://security-tracker.debian.org/tracker/CVE-2009-5147,
> this issue is fixed in squeeze but not wheezy and jessie.  Is anyone working
> on an update to stable?

Sorry, even though this should be easy to do, so far nobody has found
the time to do it.

> I noticed this bug as it is the oldest CVE reported by debsecan on my stable
> installations, and wondered why a CVE from 2009 was still not fixed in
> Jessie.  Note, I see from the Redhat bug report that the problem was recently
> reintroduced, so it has not been around for 6 years.

Yup, for 2.x, this bug was indeed re-introduced at a later date.

Best,
-- 
 ,''`.  Christian Hofstaedtler 
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-



Bug#796344: CVE-2009-5147

2015-12-16 Thread Christian Hofstaedtler
Control: retitle -1 CVE-2015-7551
Control: found -1 2.1.5-2+deb8u2

https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/



Bug#796344: CVE-2009-5147

2015-12-16 Thread Christian Hofstaedtler
In 2.1 branch, the fix is in this commit:

https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a



Bug#796344: CVE-2009-5147

2015-08-21 Thread Moritz Muehlenhoff
Package: ruby2.1
Version: 2.1.5-4
Severity: important
Tags: security

This has been assigned CVE-2009-5147:
http://seclists.org/oss-sec/2015/q3/222

Cheers,
Moritz