Bug#689075: CVE-2011-1005: safe level bypass
Package: ruby1.9.1

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed this bug. These problems were not serious enough for a Debian Security Advisory, so they are now on my radar for fixing in the following suites through point releases:

squeeze (6.0.7) - use target stable

Please prepare a minimal-changes upload targeting each of these suites, and submit a debdiff to the Release Team [0] for consideration. They will offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and you need help. Please keep me in CC at all times so I can track [1] the progress of this request.

For details of this process and the rationale, please see the original announcement [2] and my blog post [3].

0: debian-rele...@lists.debian.org
1: http://prsc.debian.net/tracker/689075/
2: 201101232332.11736.th...@debian.org
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug#689075: CVE-2011-1005: safe level bypass
On 2012-10-01 11:04:30, Tyler Hicks wrote:
> I'll be sure to update this bug when they've applied the fix upstream.

Ok, the fix is public:

http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068

It ended up being more complicated than I initially thought. The vulnerability described in CVE-2011-1005 was reintroduced into the Ruby codebase in 1.9.3-p0. When upstream was developing their fix they found a new, but similar, issue that goes back to ruby1.8. My request for new CVE ids and a slightly more detailed explanation can be found here:

http://www.openwall.com/lists/oss-security/2012/10/02/4

Tyler
Bug#689075: CVE-2011-1005: safe level bypass
On 2012-09-30 17:47:30, Antonio Terceiro wrote:
> Thanks for submitting this. Did you notify upstream of the fact that the 1.9 series is actually affected by this issue?

Yes, right after I filed this bug. After speaking with upstream, they will be applying a slightly different fix. You probably want to wait until their fix is public. I'll be sure to update this bug when they've applied the fix upstream.
Bug#689075: CVE-2011-1005: safe level bypass
tag 689075 + pending
thanks

Hello Tyler,

Tyler Hicks wrote:
> Package: ruby1.9.1
> Version: 1.9.3.194-1
> Severity: grave
> Tags: patch security
> Justification: user security hole
> User: ubuntu-de...@lists.ubuntu.com
> Usertags: origin-ubuntu quantal ubuntu-patch
>
> Dear Maintainer,
>
> While running some regression tests I discovered that 1.9.3.194-1 is vulnerable to CVE-2011-1005, despite the Ruby advisory stating otherwise:
>
> http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/
>
> You can use the reproducer in the advisory for verification. Just do a 'puts $secret_path' rather than the 'open($secret_path)' block.
>
> In Ubuntu, the attached patch was applied to achieve the following:
>
>   * SECURITY UPDATE: Safe level bypass
>     - debian/patches/20120927-cve_2011_1005.patch: Remove incorrect string taint in exception handling methods. Based on upstream patch.
>     - CVE-2011-1005

Thanks for submitting this. Did you notify upstream of the fact that the 1.9 series is actually affected by this issue?

--
Antonio Terceiro terce...@debian.org
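A self-check for the behaviour the bug report describes, written here as an added example: it is not code from the bug report, from the Ubuntu patch or from Ruby itself, and it is modelled on the `test_to_s_taintness_propagation` test carried in the patch attached to the original report. It assumes a Ruby old enough to still honour taint; from 2.7 on taint is a no-op and 3.2 removes it, so on those interpreters the check returns `:not_applicable` instead of a verdict.

```ruby
# Added self-check (not part of bug #689075, the Ubuntu patch or Ruby).
# A tainted exception carrying an untainted message must not taint that
# message or the result of to_s (the CVE-2011-1005 behaviour), while a
# tainted message must still yield a tainted to_s result.

# True only when taint/tainted? exist and actually change state (Ruby < 2.7).
# Ruby 2.7..3.1 keep the methods as no-ops; 3.2 removes them entirely.
def taint_api_usable?
  return false unless String.method_defined?(:taint) && String.method_defined?(:tainted?)
  probe = String.new("probe")
  probe.taint
  probe.tainted? == true
end

# Returns :not_applicable (taint not honoured by this Ruby),
# :vulnerable (to_s propagates the exception's taint onto the message),
# :regressed (a tainted message no longer yields a tainted result) or :fixed.
def check_exception_to_s_taint
  return :not_applicable unless taint_api_usable?

  [Exception, NameError].each do |klass|
    m = String.new("abcdefg")   # constructed, untainted message string
    e = klass.new(m)
    e.taint                     # taint the exception object only
    s = e.to_s
    # Before the fix, to_s infected the message (and the returned string)
    # from the exception's own taint.
    return :vulnerable if m.tainted? || s.tainted?
  end

  # Legitimate direction: a tainted message object converted through to_str
  # must still produce a tainted string.
  o = Object.new
  def o.to_str
    "foo"
  end
  o.taint
  return :regressed unless NameError.new(o).to_s.tainted?

  :fixed
end

if __FILE__ == $PROGRAM_NAME
  puts "Exception#to_s taint check: #{check_exception_to_s_taint}"
end
```

Run it with the interpreter under test (`ruby check.rb`); on a 1.9.3 build without the patch it reports `:vulnerable`, on a patched build `:fixed`, and on any Ruby where taint is inert `:not_applicable`, which is the honest answer rather than a false pass.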
Bug#689075: CVE-2011-1005: safe level bypass
Package: ruby1.9.1
Version: 1.9.3.194-1
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch

Dear Maintainer,

While running some regression tests I discovered that 1.9.3.194-1 is vulnerable to CVE-2011-1005, despite the Ruby advisory stating otherwise:

http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/

You can use the reproducer in the advisory for verification. Just do a 'puts $secret_path' rather than the 'open($secret_path)' block.

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: Safe level bypass
    - debian/patches/20120927-cve_2011_1005.patch: Remove incorrect string taint in exception handling methods. Based on upstream patch.
    - CVE-2011-1005

Thanks for considering the patch.

-- System Information:
Debian Release: wheezy/sid
  APT prefers quantal-updates
  APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 'quantal')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5.0-15-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru ruby1.9.1-1.9.3.194/debian/changelog ruby1.9.1-1.9.3.194/debian/changelog diff -Nru ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch --- ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch 1969-12-31 16:00:00.0 -0800 +++ ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch 2012-09-28 00:09:06.0 -0700
@@ -0,0 +1,60 @@ +Description: Prevent untainted strings from being incorrectly tainted + This flaw allowed untainted strings to be tainted and modified, even in + safe level 4. +Origin: backport, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?revision=30903view=revision +Index: ruby1.9.1-1.9.3.194/error.c +=== +--- ruby1.9.1-1.9.3.194.orig/error.c 2012-02-25 04:32:19.0 -0800 ruby1.9.1-1.9.3.194/error.c 2012-09-26 10:10:15.164576749 -0700 +@@ -569,7 +569,6 @@ + + if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc)); + r = rb_String(mesg); +-OBJ_INFECT(r, exc); + return r; + } + +@@ -854,10 +853,9 @@ + if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc)); + StringValue(str); + if (str != mesg) { +- rb_iv_set(exc, mesg, mesg = str); ++ OBJ_INFECT(str, mesg); + } +-OBJ_INFECT(mesg, exc); +-return mesg; ++return str; + } + + /* +Index: ruby1.9.1-1.9.3.194/test/ruby/test_exception.rb +=== +--- ruby1.9.1-1.9.3.194.orig/test/ruby/test_exception.rb 2012-02-07 16:44:05.0 -0800 ruby1.9.1-1.9.3.194/test/ruby/test_exception.rb 2012-09-26 10:10:15.164576749 -0700 +@@ -333,4 +333,26 @@ + load(t.path) + end + end ++ ++ def test_to_s_taintness_propagation ++for exc in [Exception, NameError] ++ m = abcdefg ++ e = exc.new(m) ++ e.taint ++ s = e.to_s ++ assert_equal(false, m.tainted?, ++ #{exc}#to_s should not propagate taintness) ++ assert_equal(false, s.tainted?, ++ #{exc}#to_s should not propagate taintness) ++end ++ ++o = Object.new ++def o.to_str ++ foo ++end ++o.taint ++e = NameError.new(o) ++s = e.to_s ++assert_equal(true, s.tainted?) ++ end + end diff -Nru ruby1.9.1-1.9.3.194/debian/patches/series ruby1.9.1-1.9.3.194/debian/patches/series --- ruby1.9.1-1.9.3.194/debian/patches/series 2012-05-27 15:46:34.0 -0700 +++ ruby1.9.1-1.9.3.194/debian/patches/series 2012-09-28 00:32:14.0 -0700 @@ -16,3 +16,4 @@ 110829-hurd_dirent_usage.patch hurd-path-max.diff 20120517-r35434.patch +20120927-cve_2011_1005.patch
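Review bot: in the first error.c hunk (@@ -569,7 +569,6), removing `OBJ_INFECT(r, exc);` is the right change because `r = rb_String(mesg);` returns `mesg` itself whenever the message is already a String, so the removed line tainted the caller's own message object in place rather than a copy; the patch Description ("Prevent untainted strings from being incorrectly tainted") should say that the affected string is the one the caller still holds, since that is what makes the taint, and any later modification of it, visible outside the exception.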
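Review bot: in the second error.c hunk (@@ -854,10 +853,9), `rb_iv_set(exc, mesg, mesg = str);` is dropped and nothing stores the coerced string back into the exception, so each `to_s` call now re-runs `StringValue(str)` and the exception keeps its original message object; that is a behaviour change beyond taint handling and belongs in the Description. The replacement `OBJ_INFECT(str, mesg);` runs only when `str != mesg`, which is correct: when `StringValue` returned `mesg` itself, `return str;` hands back the message with whatever taint it already carried, and no cross-infection from `exc` remains.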
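Review bot: in the test_exception.rb hunk, the string literals appear without quotes in this copy (`m = abcdefg`, the `foo` returned by `o.to_str`, and the assertion messages `#{exc}#to_s should not propagate taintness`), which as shown would not parse; confirm the attached patch file itself carries the quoted literals, as the list archive may have stripped them. Separately, the tainted-message case (`o.taint` with a `to_str` object) is only run against NameError; adding the same case for Exception would exercise the `rb_String(mesg)` path changed in the first hunk as well.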
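Review bot: the debdiff opens with `diff -Nru ruby1.9.1-1.9.3.194/debian/changelog ruby1.9.1-1.9.3.194/debian/changelog` but no changelog hunk follows before the next file header, so the entry quoted in the mail (SECURITY UPDATE: Safe level bypass, CVE-2011-1005) is absent from the diff as shown; please confirm the attached debdiff includes it alongside the `debian/patches/series` addition of `20120927-cve_2011_1005.patch`.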