Package: ruby1.9.1
Version: 1.9.3.194-1
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch
Dear Maintainer,

While running some regression tests I discovered that 1.9.3.194-1 is vulnerable to CVE-2011-1005, despite the Ruby advisory stating otherwise:

http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/

You can use the reproducer in the advisory for verification. Just do a 'puts $secret_path' rather than the 'open($secret_path)' block.

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: Safe level bypass
    - debian/patches/20120927-cve_2011_1005.patch: Remove incorrect string
      taint in exception handling methods. Based on upstream patch.
    - CVE-2011-1005

Thanks for considering the patch.

-- System Information:
Debian Release: wheezy/sid
  APT prefers quantal-updates
  APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 'quantal')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5.0-15-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru ruby1.9.1-1.9.3.194/debian/changelog ruby1.9.1-1.9.3.194/debian/changelog diff -Nru ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch --- ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch 1969-12-31 16:00:00.000000000 -0800 +++ ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch 2012-09-28 00:09:06.000000000 -0700 
@@ -0,0 +1,60 @@ +Description: Prevent untainted strings from being incorrectly tainted + This flaw allowed untainted strings to be tainted and modified, even in + safe level 4. +Origin: backport, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?revision=30903&view=revision +Index: ruby1.9.1-1.9.3.194/error.c +=================================================================== +--- ruby1.9.1-1.9.3.194.orig/error.c 2012-02-25 04:32:19.000000000 -0800 ++++ ruby1.9.1-1.9.3.194/error.c 2012-09-26 10:10:15.164576749 -0700 +@@ -569,7 +569,6 @@ + + if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc)); + r = rb_String(mesg); +- OBJ_INFECT(r, exc); + return r; + } + +@@ -854,10 +853,9 @@ + if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc)); + StringValue(str); + if (str != mesg) { +- rb_iv_set(exc, "mesg", mesg = str); ++ OBJ_INFECT(str, mesg); + } +- OBJ_INFECT(mesg, exc); +- return mesg; ++ return str; + } + + /* +Index: ruby1.9.1-1.9.3.194/test/ruby/test_exception.rb +=================================================================== +--- ruby1.9.1-1.9.3.194.orig/test/ruby/test_exception.rb 2012-02-07 16:44:05.000000000 -0800 ++++ ruby1.9.1-1.9.3.194/test/ruby/test_exception.rb 2012-09-26 10:10:15.164576749 -0700 +@@ -333,4 +333,26 @@ + load(t.path) + end + end ++ ++ def test_to_s_taintness_propagation ++ for exc in [Exception, NameError] ++ m = "abcdefg" ++ e = exc.new(m) ++ e.taint ++ s = e.to_s ++ assert_equal(false, m.tainted?, ++ "#{exc}#to_s should not propagate taintness") ++ assert_equal(false, s.tainted?, ++ "#{exc}#to_s should not propagate taintness") ++ end ++ ++ o = Object.new ++ def o.to_str ++ "foo" ++ end ++ o.taint ++ e = NameError.new(o) ++ s = e.to_s ++ assert_equal(true, s.tainted?) ++ end + end diff -Nru ruby1.9.1-1.9.3.194/debian/patches/series ruby1.9.1-1.9.3.194/debian/patches/series --- ruby1.9.1-1.9.3.194/debian/patches/series 2012-05-27 15:46:34.000000000 -0700 +++ ruby1.9.1-1.9.3.194/debian/patches/series 2012-09-28 00:32:14.000000000 -0700 
@@ -16,3 +16,4 @@ 110829-hurd_dirent_usage.patch hurd-path-max.diff 20120517-r35434.patch +20120927-cve_2011_1005.patch
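Review bot: the attached diff opens with `diff -Nru ruby1.9.1-1.9.3.194/debian/changelog ...` but no `---`/`+++`/`@@` hunk for debian/changelog follows before the next `diff -Nru` line, so the changelog entry for this security update is missing from the patch as posted; please re-send with the changelog hunk (the `* SECURITY UPDATE` text from the report body) included, since that is what the package build records.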
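Review bot: the removal of `OBJ_INFECT(r, exc);` in the error.c @@ -569 hunk deserves a short comment next to `r = rb_String(mesg);`, because `rb_String(mesg)` returns `mesg` itself when it is already a String, so the infect call was tainting the caller's original message object whenever the exception was tainted; without a comment a later cleanup could easily reintroduce it. The new `assert_equal(false, m.tainted?, ...)` in test_exception.rb is the regression guard for exactly that case.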
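Review bot: the error.c @@ -854 hunk changes more than taint handling and the patch Description should say so: replacing `rb_iv_set(exc, "mesg", mesg = str);` with `OBJ_INFECT(str, mesg);` and returning `str` means NameError#to_s no longer writes the converted string back into the exception's `mesg` ivar, so each call re-runs `StringValue` on the original object and the ivar keeps the original (possibly non-String) message. That matches the new test, which expects the returned string to inherit taint from the original `mesg` rather than from the exception, but a sentence noting that `mesg` is no longer overwritten would help whoever reads this backport next.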
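Review bot: in the test_exception.rb hunk the two assertions inside the loop carry the identical message `"#{exc}#to_s should not propagate taintness"`, so a failure will not say whether it was the original message `m` or the returned string `s` that ended up tainted; suggest `"#{exc}#to_s should not taint its message"` for the first and `"#{exc}#to_s should not taint its result"` for the second. Note also that the test runs at the default safe level while the report and the patch Description are about safe level 4, so it guards the taint propagation but does not exercise the safe-level behaviour itself.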