Bug#689075: CVE-2011-1005: safe level bypass

2013-01-17 Thread Jonathan Wiltshire 
Package: ruby1.9.1

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target stable

Please prepare a minimal-changes upload targetting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-rele...@lists.debian.org
1: http://prsc.debian.net/tracker/689075/
2: 201101232332.11736.th...@debian.org
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#689075: CVE-2011-1005: safe level bypass

2012-10-03 Thread Tyler Hicks 
On 2012-10-01 11:04:30, Tyler Hicks wrote:
 I'll be sure to update this bug when they've applied the fix upstream.

Ok, the fix is public:

http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revisionrevision=37068

It ended up being more complicated than I initially thought. The
vulnerability described in CVE-2011-1005 was reintroduced into the Ruby
codebase in 1.9.3-p0.

When upstream was developing their fix they found a new, but similar,
issue that goes back to ruby1.8. My request for new CVE ids and a
slightly more detailed explanation can be found here:

http://www.openwall.com/lists/oss-security/2012/10/02/4

Tyler


signature.asc
Description: Digital signature

Bug#689075: CVE-2011-1005: safe level bypass

2012-10-01 Thread Tyler Hicks 
On 2012-09-30 17:47:30, Antonio Terceiro wrote:
 Thanks for submitting this. Did you notify upstream of the fact that the
 1.9 series is actually affected by this issue?

Yes, right after I filed this bug. After speaking with upstream, they
will be applying a slightly different fix. You probably want to wait
until their fix is public. I'll be sure to update this bug when they've
applied the fix upstream.


signature.asc
Description: Digital signature

Bug#689075: CVE-2011-1005: safe level bypass

2012-09-30 Thread Antonio Terceiro 
tag 689075 + pending
thanks

Hello Tyler,

Tyler Hicks escreveu:
 Package: ruby1.9.1
 Version: 1.9.3.194-1
 Severity: grave
 Tags: patch security
 Justification: user security hole
 User: ubuntu-de...@lists.ubuntu.com
 Usertags: origin-ubuntu quantal ubuntu-patch
 
 Dear Maintainer,
 
 While running some regression tests I discovered that 1.9.3.194-1 is
 vulnerable to CVE-2011-1005, despite the Ruby advisory stating
 otherwise:
 
 http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/
 
 You can use the reproducer in the advisory for verification. Just do a
 'puts $secret_path' rather than the 'open($secret_path)' block.
 
 In Ubuntu, the attached patch was applied to achieve the following:
 
   * SECURITY UPDATE: Safe level bypass
 - debian/patches/20120927-cve_2011_1005.patch: Remove incorrect string
   taint in exception handling methods. Based on upstream patch.
 - CVE-2011-1005

Thanks for submitting this. Did you notify upstream of the fact that the
1.9 series is actually affected by this issue?

-- 
Antonio Terceiro terce...@debian.org


signature.asc
Description: Digital signature

Bug#689075: CVE-2011-1005: safe level bypass

2012-09-28 Thread Tyler Hicks 
Package: ruby1.9.1
Version: 1.9.3.194-1
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch

Dear Maintainer,

While running some regression tests I discovered that 1.9.3.194-1 is
vulnerable to CVE-2011-1005, despite the Ruby advisory stating
otherwise:

http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/

You can use the reproducer in the advisory for verification. Just do a
'puts $secret_path' rather than the 'open($secret_path)' block.

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: Safe level bypass
- debian/patches/20120927-cve_2011_1005.patch: Remove incorrect string
  taint in exception handling methods. Based on upstream patch.
- CVE-2011-1005


Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers quantal-updates
  APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 
'quantal')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5.0-15-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru ruby1.9.1-1.9.3.194/debian/changelog ruby1.9.1-1.9.3.194/debian/changelog
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch
--- ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch	1969-12-31 16:00:00.0 -0800
+++ ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch	2012-09-28 00:09:06.0 -0700
@@ -0,0 +1,60 @@
+Description: Prevent untainted strings from being incorrectly tainted
+ This flaw allowed untainted strings to be tainted and modified, even in
+ safe level 4.
+Origin: backport, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?revision=30903view=revision
+Index: ruby1.9.1-1.9.3.194/error.c
+===
+--- ruby1.9.1-1.9.3.194.orig/error.c	2012-02-25 04:32:19.0 -0800
 ruby1.9.1-1.9.3.194/error.c	2012-09-26 10:10:15.164576749 -0700
+@@ -569,7 +569,6 @@
+ 
+ if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
+ r = rb_String(mesg);
+-OBJ_INFECT(r, exc);
+ return r;
+ }
+ 
+@@ -854,10 +853,9 @@
+ if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
+ StringValue(str);
+ if (str != mesg) {
+-	rb_iv_set(exc, mesg, mesg = str);
++	OBJ_INFECT(str, mesg);
+ }
+-OBJ_INFECT(mesg, exc);
+-return mesg;
++return str;
+ }
+ 
+ /*
+Index: ruby1.9.1-1.9.3.194/test/ruby/test_exception.rb
+===
+--- ruby1.9.1-1.9.3.194.orig/test/ruby/test_exception.rb	2012-02-07 16:44:05.0 -0800
 ruby1.9.1-1.9.3.194/test/ruby/test_exception.rb	2012-09-26 10:10:15.164576749 -0700
+@@ -333,4 +333,26 @@
+   load(t.path)
+ end
+   end
++
++  def test_to_s_taintness_propagation
++for exc in [Exception, NameError]
++  m = abcdefg
++  e = exc.new(m)
++  e.taint
++  s = e.to_s
++  assert_equal(false, m.tainted?,
++   #{exc}#to_s should not propagate taintness)
++  assert_equal(false, s.tainted?,
++   #{exc}#to_s should not propagate taintness)
++end
++
++o = Object.new
++def o.to_str
++  foo
++end
++o.taint
++e = NameError.new(o)
++s = e.to_s
++assert_equal(true, s.tainted?)
++  end
+ end
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/series ruby1.9.1-1.9.3.194/debian/patches/series
--- ruby1.9.1-1.9.3.194/debian/patches/series	2012-05-27 15:46:34.0 -0700
+++ ruby1.9.1-1.9.3.194/debian/patches/series	2012-09-28 00:32:14.0 -0700
@@ -16,3 +16,4 @@
 110829-hurd_dirent_usage.patch
 hurd-path-max.diff
 20120517-r35434.patch
+20120927-cve_2011_1005.patch