Bug 673750 (CVE-2011-1005) - VUL-0: CVE-2011-1005: ruby: Exception methods can bypass $SAFE
Summary: VUL-0: CVE-2011-1005: ruby: Exception methods can bypass $SAFE
Status: RESOLVED FIXED
Alias: CVE-2011-1005
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Normal (severity)
Target Milestone: ---
Deadline: 2011-03-01
Assignee: Marcus Rückert
QA Contact: Security Team bot
URL:
Whiteboard: . maint:released:11.3:41043 maint:rel...
Keywords:
Depends on:
Blocks:
 
Reported: 2011-02-21 11:35 UTC by Thomas Biege
Modified: 2016-08-09 20:25 UTC (History)

See Also:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
test case for the bug. (228 bytes, application/octet-stream)
2011-03-04 15:12 UTC, Marcus Rückert
Description Thomas Biege 2011-02-21 11:35:18 UTC
Hi.
There is a security bug in package 'rubygem-rails'.

This bug is public.

There is no coordinated release date (CRD) set.

More information can be found here:
	http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/


Original posting:


@assigned = mrueckert@novell.com

http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/

The Exception#to_s method can be used to trick the $SAFE check, which allows untrusted code to modify arbitrary strings.
Comment 1 Thomas Biege 2011-02-22 10:07:01 UTC
CVE-2011-1005
Comment 2 Thomas Biege 2011-02-22 11:00:45 UTC
CVE-2011-1005: CVSS v2 Base Score: 4.3 (low) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Comment 3 Swamp Workflow Management 2011-02-22 17:17:47 UTC
The SWAMPID for this issue is 38896.
This issue was rated as important.
Please submit fixed packages until 2011-03-01.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 4 Marcus Rückert 2011-03-04 15:12:51 UTC
Created attachment 417599 [details]
test case for the bug.

With the fix working, you should get:

[[[
$ ruby test-exception-taint.rb 
test-exception-taint.rb:8:in `replace': Insecure: can't modify string (SecurityError)
        from test-exception-taint.rb:8
        from test-exception-taint.rb:5:in `call'
        from test-exception-taint.rb:5
]]]

Without the fix you will see your /etc/passwd.
Comment 5 Swamp Workflow Management 2011-05-30 11:53:56 UTC
Update released for: ruby, ruby-debuginfo, ruby-debugsource, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk, ruby-tk-debuginfo
Products:
openSUSE 11.3 (debug, i586, x86_64)
Comment 6 Swamp Workflow Management 2011-05-30 15:59:34 UTC
Update released for: ruby, ruby-debuginfo, ruby-debugsource, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SLMS 1.1 (x86_64)
SLE-STUDIOONSITE 1.1 (x86_64)
SLE-WEBYAST 1.0-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-WEBYAST 1.1 (i386, x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 7 Bernhard Wiedemann 2011-05-31 07:00:42 UTC
This is an autogenerated message for OBS integration:
This bug (673750) was mentioned in
https://build.opensuse.org/request/show/72199 Evergreen:11.2 / ruby
Comment 8 Dirk Mueller 2011-07-18 18:19:51 UTC
Can this now be closed?
Comment 10 Sebastian Krahmer 2011-07-19 07:48:54 UTC
done
Comment 11 Matthias Weckbecker 2012-10-08 14:35:30 UTC
Additional issues (CVE-2012-4464 and CVE-2012-4466) revealed that the original fix for this issue was incomplete. Therefore, we have a fourth assigned: CVE-2012-4481.

Detailed explanation by Jan Lieskovsky of Red Hat available on oss [1].

[1] http://www.openwall.com/lists/oss-security/2012/10/05/2
Comment 12 Marcus Rückert 2012-10-26 14:16:56 UTC
The new issues are tracked in different bugs.