Your message dated Sat, 28 Oct 2006 08:27:13 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#378029: fixed in ruby1.8 1.8.2-7sarge4
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: ruby1.8
Version: 1.8.2-7sarge2
Severity: grave
Tags: security patch
Justification: user security hole
Japan Vendor Status Notes (JVN) announced two vulnerabilities in Ruby.
JVN#13947696:
Some methods have defects that allow them to call other methods, which
really should be prohibited, at safe level 4.
* Information:
* http://jvn.jp/jp/JVN%2313947696/index.html (in Japanese)
* http://www.ipa.go.jp/security/vuln/documents/2006/JVN_13947696_Ruby.html
(in Japanese)
* Affected versions: All versions and snapshots before Ruby 1.8.4-20060516.
JVN#83768862:
The alias feature cannot handle safe levels correctly, so it can be used
as a safety bypass.
* Information:
* http://jvn.jp/jp/JVN%2383768862/index.html (in Japanese)
* http://www.ipa.go.jp/security/vuln/documents/2006/JVN_13947696_Ruby.html
(in Japanese)
* Affected versions: All versions and snapshots before Ruby 1.8.4-20060516.
Since upstream currently does not plan to release patches,
I've created ones to fix them. I wish they work, but I have no
confidence (especially for JVN#13947696) and would like to have them reviewed.
alias_safe_level.patch:
May fix JVN#83768862, based on the "eval.c (rb_call0)" part and the
"eval.c (rb_alias)" part of
http://www.atdot.net/~ko1/w3ml/w3ml.cgi/ruby-cvs/msg/16613
(and
http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/eval.c?cvsroot=src&r1=1.616.2.166&r2=1.616.2.167
).
avoid_modifying_untainted_objects.patch:
May fix JVN#13947696, based on the "re.c (rb_reg_initialize)" part of
http://www.atdot.net/~ko1/w3ml/w3ml.cgi/ruby-cvs/msg/16723
(and
http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/re.c?cvsroot=src&r1=1.114.2.17&r2=1.114.2.18
).
avoid_modifying_untainted_objects_2.patch:
May fix JVN#13947696, based on
http://www.atdot.net/~ko1/w3ml/w3ml.cgi/ruby-cvs/msg/16724
(and
http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/dir.c?cvsroot=src&r1=1.92.2.32&r2=1.92.2.33
).
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-3-686
Locale: LANG=ja_JP.eucJP, LC_CTYPE=ja_JP.eucJP (charmap=EUC-JP)
Versions of packages ruby1.8 depends on:
ii libc6 2.3.2.ds1-22sarge3 GNU C Library: Shared libraries an
ii libruby1.8 1.8.2-7sarge2 Libraries necessary to run Ruby 1.
-- no debconf information
--- eval.c.orig Thu Jul 13 01:48:12 2006
+++ eval.c Thu Jul 13 01:49:37 2006
@@ -2050,7 +2050,8 @@
}
}
st_insert(RCLASS(klass)->m_tbl, name,
- (st_data_t)NEW_METHOD(NEW_FBODY(body, def, origin), orig->nd_noex));
+ (st_data_t)NEW_METHOD(NEW_FBODY(body, def, origin),
+ NOEX_WITH_SAFE(orig->nd_noex)));
if (singleton) {
rb_funcall(singleton, singleton_added, 1, ID2SYM(name));
}
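Review bot: the new flags value `NOEX_WITH_SAFE(orig->nd_noex)` stamps the alias with the safe level in effect when `alias` runs, so an alias created at a higher safe level carries that level into the `NOEX_SAFE(flags)` checks in rb_call0; confirm that `NOEX_WITH_SAFE` and `NOEX_SAFE` exist in the 1.8.2-7sarge tree's node.h, since this is a backport of a 1.8.4 change and the macros are not added by this patch. A one-line comment above the `st_insert` saying why the safe level is recorded here would help the next backporter.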
@@ -5561,6 +5562,11 @@
TMP_PROTECT;
volatile int safe = -1;
+ if (NOEX_SAFE(flags) > ruby_safe_level &&
+ !(flags&NOEX_TAINTED) && ruby_safe_level == 0 && NOEX_SAFE(flags) > 2) {
+ rb_raise(rb_eSecurityError, "calling insecure method: %s",
+ rb_id2name(id));
+ }
switch (ruby_iter->iter) {
case ITER_PRE:
itr = ITER_CUR;
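Review bot: the first clause of the hoisted condition is redundant: when `ruby_safe_level == 0` and `NOEX_SAFE(flags) > 2` both hold, `NOEX_SAFE(flags) > ruby_safe_level` is necessarily true, so the test can be reduced to `!(flags&NOEX_TAINTED) && ruby_safe_level == 0 && NOEX_SAFE(flags) > 2`. Moving the check ahead of the `switch (ruby_iter->iter)` is the substantive change (it now runs for every call rather than only on the path the third hunk removes it from), and that deserves a comment at the insertion point so it is not mistaken for a stray duplicate.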
@@ -5664,10 +5670,6 @@
b2 = body = body->nd_next;
if (NOEX_SAFE(flags) > ruby_safe_level) {
- if (!(flags&NOEX_TAINTED) && ruby_safe_level == 0 &&
NOEX_SAFE(flags) > 2) {
- rb_raise(rb_eSecurityError, "calling insecure method: %s",
- rb_id2name(id));
- }
safe = ruby_safe_level;
ruby_safe_level = NOEX_SAFE(flags);
}
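Review bot: with the raise removed, the remaining `if (NOEX_SAFE(flags) > ruby_safe_level)` block only saves and raises `ruby_safe_level`; double-check that nothing between function entry and this point can return or `goto` past the hoisted check in the previous hunk, since this hunk deletes the only other place that raised `rb_eSecurityError` for this case. The deleted `rb_raise` message is identical to the hoisted one, so no user-visible error text changes.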
--- re.c.orig Thu Jul 13 01:48:12 2006
+++ re.c Thu Jul 13 01:49:45 2006
@@ -1330,6 +1330,8 @@
{
struct RRegexp *re = RREGEXP(obj);
+ if (!OBJ_TAINTED(obj) && rb_safe_level() >= 4)
+ rb_raise(rb_eSecurityError, "Insecure: can't modify regexp");
if (re->ptr) re_free_pattern(re->ptr);
if (re->str) free(re->str);
re->ptr = 0;
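Review bot: the check sits before `re_free_pattern`/`free`, so a rejected modification leaves the regexp intact rather than raising after the pattern has already been freed; good. The condition is written `!OBJ_TAINTED(obj) && rb_safe_level() >= 4` here while the dir.c hunks write the same rule as `rb_safe_level() >= 4 && !OBJ_TAINTED(dir)` with a differently worded message; pick one ordering and one message style ("Insecure: can't modify regexp" vs "Insecure: operation on untainted Dir") so the three sites are recognisably the same rule.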
--- dir.c.orig Thu Jul 13 01:48:12 2006
+++ dir.c Thu Jul 13 01:49:53 2006
@@ -325,7 +325,17 @@
rb_raise(rb_eIOError, "closed directory");
}
+static void
+dir_check(dir)
+ VALUE dir;
+{
+ if (!OBJ_TAINTED(dir) && rb_safe_level() >= 4)
+ rb_raise(rb_eSecurityError, "Insecure: operation on untainted Dir");
+ rb_check_frozen(dir);
+}
+
#define GetDIR(obj, dirp) do {\
+ dir_check(dir);\
Data_Get_Struct(obj, struct dir_data, dirp);\
if (dirp->dir == NULL) dir_closed();\
} while (0)
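Review bot: `dir_check(dir);` inside `GetDIR(obj, dirp)` references `dir`, not the macro parameter `obj`. It only compiles and checks the right object when the macro is expanded with an argument literally named `dir` (as in the `dir_close` hunk below); any `GetDIR(self, dirp)` or `GetDIR(io, dirp)` caller will either fail to compile or check an unrelated variable. Change it to `dir_check(obj);`. Separately, `dir_check` also applies `rb_check_frozen(dir)` to every `GetDIR` use, which is a behaviour change beyond the JVN fix (frozen Dir objects now raise on every operation that goes through the macro); if that is intended, say so in the changelog.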
@@ -535,6 +545,9 @@
{
struct dir_data *dirp;
+ if (rb_safe_level() >= 4 && !OBJ_TAINTED(dir)) {
+ rb_raise(rb_eSecurityError, "Insecure: can't close");
+ }
GetDIR(dir, dirp);
closedir(dirp->dir);
dirp->dir = NULL;
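Review bot: the explicit `rb_safe_level() >= 4 && !OBJ_TAINTED(dir)` test in dir_close is redundant with the `dir_check` that `GetDIR(dir, dirp)` now runs on the very next line; the only effect of keeping both is that the "Insecure: can't close" message wins over "Insecure: operation on untainted Dir". Either drop this block or drop `dir_check` from the macro and keep per-function checks, but not both.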
--- End Message ---
--- Begin Message ---
Source: ruby1.8
Source-Version: 1.8.2-7sarge4
We believe that the bug you reported is fixed in the latest version of
ruby1.8, which is due to be installed in the Debian FTP archive:
irb1.8_1.8.2-7sarge4_all.deb
to pool/main/r/ruby1.8/irb1.8_1.8.2-7sarge4_all.deb
libdbm-ruby1.8_1.8.2-7sarge4_i386.deb
to pool/main/r/ruby1.8/libdbm-ruby1.8_1.8.2-7sarge4_i386.deb
libgdbm-ruby1.8_1.8.2-7sarge4_i386.deb
to pool/main/r/ruby1.8/libgdbm-ruby1.8_1.8.2-7sarge4_i386.deb
libopenssl-ruby1.8_1.8.2-7sarge4_i386.deb
to pool/main/r/ruby1.8/libopenssl-ruby1.8_1.8.2-7sarge4_i386.deb
libreadline-ruby1.8_1.8.2-7sarge4_i386.deb
to pool/main/r/ruby1.8/libreadline-ruby1.8_1.8.2-7sarge4_i386.deb
libruby1.8-dbg_1.8.2-7sarge4_i386.deb
to pool/main/r/ruby1.8/libruby1.8-dbg_1.8.2-7sarge4_i386.deb
libruby1.8_1.8.2-7sarge4_i386.deb
to pool/main/r/ruby1.8/libruby1.8_1.8.2-7sarge4_i386.deb
libtcltk-ruby1.8_1.8.2-7sarge4_i386.deb
to pool/main/r/ruby1.8/libtcltk-ruby1.8_1.8.2-7sarge4_i386.deb
rdoc1.8_1.8.2-7sarge4_all.deb
to pool/main/r/ruby1.8/rdoc1.8_1.8.2-7sarge4_all.deb
ri1.8_1.8.2-7sarge4_all.deb
to pool/main/r/ruby1.8/ri1.8_1.8.2-7sarge4_all.deb
ruby1.8-dev_1.8.2-7sarge4_i386.deb
to pool/main/r/ruby1.8/ruby1.8-dev_1.8.2-7sarge4_i386.deb
ruby1.8-elisp_1.8.2-7sarge4_all.deb
to pool/main/r/ruby1.8/ruby1.8-elisp_1.8.2-7sarge4_all.deb
ruby1.8-examples_1.8.2-7sarge4_all.deb
to pool/main/r/ruby1.8/ruby1.8-examples_1.8.2-7sarge4_all.deb
ruby1.8_1.8.2-7sarge4.diff.gz
to pool/main/r/ruby1.8/ruby1.8_1.8.2-7sarge4.diff.gz
ruby1.8_1.8.2-7sarge4.dsc
to pool/main/r/ruby1.8/ruby1.8_1.8.2-7sarge4.dsc
ruby1.8_1.8.2-7sarge4_i386.deb
to pool/main/r/ruby1.8/ruby1.8_1.8.2-7sarge4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
akira yamada <[EMAIL PROTECTED]> (supplier of updated ruby1.8 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 13 Jul 2006 19:36:58 +0900
Source: ruby1.8
Binary: libtcltk-ruby1.8 libruby1.8-dbg rdoc1.8 libgdbm-ruby1.8 ruby1.8-dev
ruby1.8-elisp ruby1.8-examples libdbm-ruby1.8 irb1.8 ruby1.8
libreadline-ruby1.8 libopenssl-ruby1.8 libruby1.8 ri1.8
Architecture: source i386 all
Version: 1.8.2-7sarge4
Distribution: stable-security
Urgency: high
Maintainer: akira yamada <[EMAIL PROTECTED]>
Changed-By: akira yamada <[EMAIL PROTECTED]>
Description:
irb1.8 - Interactive Ruby (for Ruby 1.8)
libdbm-ruby1.8 - DBM interface for Ruby 1.8
libgdbm-ruby1.8 - GDBM interface for Ruby 1.8
libopenssl-ruby1.8 - OpenSSL interface for Ruby 1.8
libreadline-ruby1.8 - Readline interface for Ruby 1.8
libruby1.8 - Libraries necessary to run Ruby 1.8
libruby1.8-dbg - Debugging libraries for Ruby 1.8
libtcltk-ruby1.8 - Tcl/Tk interface for Ruby 1.8
rdoc1.8 - Generate documentation from Ruby source files (for Ruby 1.8)
ri1.8 - Ruby Interactive reference (for Ruby 1.8)
ruby1.8 - Interpreter of object-oriented scripting language Ruby 1.8
ruby1.8-dev - Header files for compiling extension modules for the Ruby 1.8
ruby1.8-elisp - ruby-mode for Emacsen
ruby1.8-examples - Examples for Ruby 1.8
Closes: 378029
Changes:
ruby1.8 (1.8.2-7sarge4) stable-security; urgency=high
.
* akira yamada <[EMAIL PROTECTED]>
- added debian/patches/903_JVN-83768862.patch and
debian/patches/904_JVN-13947696.patch from Kobayashi Noritada
(closes: #378029):
- JVN#83768862: The alias feature cannot handle safe levels correctly, so
it can be used as a safety bypass.
- JVN#13947696: Some methods have defects that allow them to call other
methods, which really should be prohibited, at safe level 4.
Files:
0f42db3f568c8a28797041bc76742a7b 1024 interpreters optional
ruby1.8_1.8.2-7sarge4.dsc
da280b20362a19963108500d237c3a8f 535830 interpreters optional
ruby1.8_1.8.2-7sarge4.diff.gz
3beddf1ae51a2725f8bf1877da2a4dba 151532 interpreters optional
ruby1.8_1.8.2-7sarge4_i386.deb
b16401fe0f1c0c5a0394434895d03bce 1349876 libs optional
libruby1.8_1.8.2-7sarge4_i386.deb
225bcd1dccde74c40d9cb481651eeb52 758398 libdevel extra
libruby1.8-dbg_1.8.2-7sarge4_i386.deb
1c8f2def939b021de558de46e6b716ac 622656 devel optional
ruby1.8-dev_1.8.2-7sarge4_i386.deb
9a562d9d0e760290d518c70fb43b1d03 134974 interpreters optional
libdbm-ruby1.8_1.8.2-7sarge4_i386.deb
189c3922b12e4edad0f4f295cf9ef20c 136230 interpreters optional
libgdbm-ruby1.8_1.8.2-7sarge4_i386.deb
7f4440175d0bfabf3cbb9d0fbf1e77fe 131962 interpreters optional
libreadline-ruby1.8_1.8.2-7sarge4_i386.deb
a558caaed9f6b83b7308e3d7e7577db8 1440060 interpreters optional
libtcltk-ruby1.8_1.8.2-7sarge4_i386.deb
ec8a78d370769c1c64be9f4469637db1 224910 interpreters optional
libopenssl-ruby1.8_1.8.2-7sarge4_i386.deb
603b6d3361826f30226b7b8b1f2a9c93 216598 interpreters optional
ruby1.8-examples_1.8.2-7sarge4_all.deb
dc06a6a0d4ae14b04ea3b21b92e66997 142548 interpreters optional
ruby1.8-elisp_1.8.2-7sarge4_all.deb
094e28cb85bcf7804cd7eeb84cff6e1f 704702 interpreters optional
ri1.8_1.8.2-7sarge4_all.deb
f40e4c9ddff692869af976134de0704a 234400 doc optional
rdoc1.8_1.8.2-7sarge4_all.deb
c82c13c986fda2d4e64c72cf3e368ca6 166472 interpreters optional
irb1.8_1.8.2-7sarge4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFE7MVvXm3vHE4uyloRAtsHAKDjom0g+8SpjxGpq2S8zztOKDraNQCgkf0M
3//ehxAqHZDrSv4RrDgeaqk=
=Q0Cy
-----END PGP SIGNATURE-----
--- End Message ---