Bugzilla – Bug 843686
VUL-1: CVE-2013-2065: ruby19: Ruby: Object taint bypassing in DL and Fiddle
Last modified: 2013-11-27 09:13:45 UTC
via rh bugzilla CVE-2013-2065

Aaron Patterson (tenderlove@ruby-lang.org) reports:

Object taint bypassing in DL and Fiddle in Ruby

There is a vulnerability in DL and Fiddle in Ruby where tainted strings can be used by system calls regardless of the $SAFE level set in Ruby. This vulnerability has been assigned the CVE identifier CVE-2013-2065.

Versions Affected: 1.9.3-pX, 2.0.0-p0
Not affected: 1.8.X
Fixed Versions: 1.9.3-pX, 2.0.0-pX

Impact
------

Native functions exposed to Ruby with DL or Fiddle do not check the taint values set on the objects passed in. This can result in tainted objects being accepted as input when a SecurityError exception should be raised.

Impacted DL code will look something like this:

    def my_function(user_input)
      handle = DL.dlopen(nil)
      sys_cfunc = DL::CFunc.new(handle['system'], DL::TYPE_INT, 'system')
      sys = DL::Function.new(sys_cfunc, [DL::TYPE_VOIDP])
      sys.call user_input
    end

    $SAFE = 1
    my_function "uname -rs".taint

Impacted Fiddle code will look something like this:

    def my_function(user_input)
      handle = DL.dlopen(nil)
      sys = Fiddle::Function.new(handle['system'], [Fiddle::TYPE_VOIDP], Fiddle::TYPE_INT)
      sys.call user_input
    end

    $SAFE = 1
    my_function "uname -rs".taint

All users running an affected release should either upgrade or use one of the workarounds immediately.

Note that this *does not* prevent numeric memory offsets from being used as pointer values. Numbers cannot be tainted, so code passing a numeric memory offset cannot be checked. For example:

    def my_function(input)
      handle = DL.dlopen(nil)
      sys = Fiddle::Function.new(handle['system'], [Fiddle::TYPE_VOIDP], Fiddle::TYPE_INT)
      sys.call input
    end

    $SAFE = 1
    user_input = "uname -rs".taint
    my_function DL::CPtr[user_input].to_i

In this case, the memory location is passed, and taintedness of the object cannot be determined by DL / Fiddle.

In this case, please check the tainting of the user input before passing the memory location:

    user_input = "uname -rs".taint
    raise if $SAFE >= 1 && user_input.tainted?
    my_function DL::CPtr[user_input].to_i

Releases
--------

The FIXED releases are available at the normal locations.

Workarounds
-----------

This monkey patch can be used as a workaround:

    class Fiddle::Function
      alias :old_call :call
      def call(*args)
        if $SAFE >= 1 && args.any? { |x| x.tainted? }
          raise SecurityError, "tainted parameter not allowed"
        end
        old_call(*args)
      end
    end

Patches
-------

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 1-9-fiddle-tainting.patch - Patch for 1.9 series
* 2-0-fiddle-tainting.patch - Patch for 2.0 series

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2065
https://bugzilla.redhat.com/show_bug.cgi?id=962035
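Added example (editor's code, not part of the advisory, the Ruby project or the SUSE update): a guard for native calls made through Fiddle that generalizes the monkey patch in the advisory. It checks taint only where the interpreter still provides it (Object#tainted? was removed in Ruby 3.2 and $SAFE stopped being special in Ruby 3.0), and it additionally refuses bare Integer addresses for pointer-typed parameters, which is the DL::CPtr[...].to_i bypass the advisory describes as uncheckable. It binds strlen(3) from the process's own libc instead of system(3) so that running it is harmless. The names NativeArgGuard, GuardedFunction, guarded_strlen and raw_address_rejected? are this example's own; Fiddle::Function, Fiddle::Pointer, Fiddle::TYPE_VOIDP and Fiddle::TYPE_SIZE_T are the real Fiddle API.

```ruby
# Added example: argument guard for Fiddle calls (not from the advisory).
# Rejects tainted arguments where taint tracking exists, and rejects raw
# Integer addresses for pointer parameters on any Ruby that ships Fiddle.
require 'fiddle'

module NativeArgGuard
  class UnsafeArgument < SecurityError; end

  # Parameter types that reach C as a pointer. An argument for one of these
  # must be a String or Fiddle::Pointer so the guard can inspect the object
  # that owns the memory; an Integer address carries no taint and can alias
  # any buffer in the process.
  POINTER_TYPES = [Fiddle::TYPE_VOIDP].freeze

  # Returns args unchanged when every argument passes, raises otherwise.
  # safe_level defaults to $SAFE where it exists; on Ruby >= 3.0 $SAFE is a
  # plain global that is nil by default, so nil.to_i gives 0.
  def self.check!(args, arg_types, safe_level: $SAFE.to_i)
    args.each_with_index do |arg, i|
      if safe_level >= 1 && arg.respond_to?(:tainted?) && arg.tainted?
        raise UnsafeArgument, "tainted parameter at index #{i} not allowed"
      end
      if POINTER_TYPES.include?(arg_types[i]) && arg.is_a?(Integer)
        raise UnsafeArgument, "raw address for pointer parameter #{i} not allowed"
      end
    end
    args
  end
end

# Thin wrapper that runs the guard before every call, as an alternative to
# monkey-patching Fiddle::Function#call for the whole process.
class GuardedFunction
  def initialize(handle, name, arg_types, ret_type)
    @arg_types = arg_types
    @fn = Fiddle::Function.new(handle[name], arg_types, ret_type)
  end

  def call(*args)
    NativeArgGuard.check!(args, @arg_types)
    @fn.call(*args)
  end
end

# Same shape as the advisory's examples (one TYPE_VOIDP parameter), but bound
# to the harmless strlen(3) rather than system(3).
def guarded_strlen(arg)
  handle = Fiddle.dlopen(nil)
  fn = GuardedFunction.new(handle, 'strlen', [Fiddle::TYPE_VOIDP], Fiddle::TYPE_SIZE_T)
  fn.call(arg)
end

# Reproduces the bypass from the advisory: pass the buffer's address as an
# Integer instead of the String itself. Returns true when the guard blocks it.
def raw_address_rejected?(str)
  guarded_strlen(Fiddle::Pointer[str].to_i)
  false
rescue NativeArgGuard::UnsafeArgument
  true
end

if __FILE__ == $0
  puts guarded_strlen("uname -rs")        # 9
  puts raw_address_rejected?("uname -rs") # true
end
```

The Integer check is a partial mitigation only: it stops callers from laundering a String through its address, but it cannot tell where a Fiddle::Pointer built elsewhere came from, so the advisory's advice to validate the user input before deriving any address from it still applies.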
bugbot adjusting priority
The SWAMPID for this issue is 54669. This issue was rated as moderate. Please submit fixed packages by 2013-10-18. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by the security team.
https://build.suse.de/request/show/28994
This is an autogenerated message for OBS integration: This bug (843686) was mentioned in
https://build.opensuse.org/request/show/204130 12.2 / ruby19
https://build.opensuse.org/request/show/204131 12.3 / ruby19
openSUSE-SU-2013:1611-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 837457,843686
CVE References: CVE-2013-2065,CVE-2013-4287,CVE-2013-4363
Sources used:
openSUSE 12.3 (src): ruby19-1.9.3.p392-1.13.1
openSUSE 12.2 (src): ruby19-1.9.3.p392-3.30.1
Update released for: ruby19, ruby19-debuginfo, ruby19-debugsource, ruby19-devel, ruby19-devel-extra, ruby19-doc-ri, ruby19-tk
Products: SLE-STUDIOONSITE 1.3 (x86_64)
was released