Bug 1561948 (CVE-2018-8779)

Summary: CVE-2018-8779 ruby: Unintentional socket creation by poisoned NULL byte in UNIXServer and UNIXSocket
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: bkearney, cbillett, ccoleman, cpelland, dajohnso, dedgar, dmcphers, gblomqui, gmccullo, gtanzill, hhorak, hhudgeon, jaruga, jfrey, jgoulding, jhardy, jorton, jprause, mtasaka, obarenbo, pvalena, roliveri, ruby-maint, simaishi, s, strzibny, tomckay, vanmeeuwen+fedora, vondruch
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: ruby 2.2.10, ruby 2.3.7, ruby 2.4.4, ruby 2.5.1
Doc Type: If docs needed, set a value
Doc Text:
It was found that the UNIXSocket::open and UNIXServer::open ruby methods did not handle the NULL byte properly. An attacker, able to inject NULL bytes in the socket path, could possibly trigger an unspecified behavior of the ruby script.
Last Closed: 2019-06-10 10:19:05 UTC
Bug Depends On: 1561956, 1561957, 1561958, 1563873, 1563874, 1565258, 1569024, 1569025, 1569026, 1569027, 1569028, 1651798, 1652037, 1652038    
Bug Blocks: 1561954    

Description Adam Mariš 2018-03-29 09:07:36 UTC
UNIXServer.open accepts the path of the socket to be created as the first parameter. If the path contains NUL (\0) bytes, this method recognizes that the path is completed before the NUL bytes. So, if a script accepts an external input as the argument of this method, the attacker can make the socket file in an unintended path. Also, UNIXSocket.open accepts the path of the socket to be created as the first parameter without checking NUL bytes, like UNIXServer.open. So, if a script accepts an external input as the argument of this method, the attacker can accept the socket file in an unintended path.

Affected versions:

Ruby 2.2 series: 2.2.9 and earlier
Ruby 2.3 series: 2.3.6 and earlier
Ruby 2.4 series: 2.4.3 and earlier
Ruby 2.5 series: 2.5.0 and earlier

External References:

https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/

Comment 1 Adam Mariš 2018-03-29 09:14:42 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1561957]

Comment 6 Cedric Buissart 2018-04-18 08:23:46 UTC
Upstream fix:
https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=62991

Comment 9 Cedric Buissart 2018-04-18 08:51:39 UTC
Mitigation:

It is possible to test for the presence of the NULL byte manually prior to calling the affected methods.
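
The manual check described in the mitigation above, as an added Ruby example (not code from this bug report or from Ruby upstream). All helper names and `SUN_PATH_MAX` are assumptions of the example; it also goes slightly beyond the NUL test by confining the socket to a base directory and by probing whether the running interpreter already rejects NUL bytes.

```ruby
require "socket"

# Hypothetical helpers for this example; not part of Ruby's socket library.
# Size of sockaddr_un.sun_path on Linux, including the trailing NUL.
SUN_PATH_MAX = 108
class UnsafeSocketPath < ArgumentError; end

# Validate an externally supplied socket name before it reaches
# UNIXServer.open or UNIXSocket.open, and return the absolute path to use.
def checked_socket_path(name, base_dir)
  name = String(name)
  # The mitigation itself: refuse any NUL byte. This also refuses Linux
  # abstract-namespace names (leading NUL), which this example does not need.
  raise UnsafeSocketPath, "NUL byte in socket path" if name.b.include?("\0")
  base = File.expand_path(base_dir)
  path = File.expand_path(name, base)
  unless path.start_with?(base + File::SEPARATOR)
    raise UnsafeSocketPath, "socket path escapes #{base}"
  end
  raise UnsafeSocketPath, "socket path too long" if path.bytesize >= SUN_PATH_MAX
  path
end

# The path an affected Ruby hands to the OS: everything before the first NUL.
def path_seen_by_c_layer(name)
  name.b.split("\0", 2).first.to_s
end

# True when this interpreter raises ArgumentError for a NUL inside the path.
# An affected Ruby instead tries the truncated, nonexistent path and fails
# with a system call error. The probe path is constructed for this example.
def runtime_rejects_nul?
  UNIXSocket.open("/nonexistent-probe\0x")&.close
  false
rescue ArgumentError
  true
rescue SystemCallError
  false
end

# Bind a server socket only after the name has passed the checks.
def open_server(name, base_dir)
  UNIXServer.open(checked_socket_path(name, base_dir))
end
```
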

Comment 11 Cedric Buissart 2018-04-18 09:03:35 UTC
ruby version 1.8 does not appear to be vulnerable: the method correctly triggers an ArgumentError.

Comment 13 Eric Christensen 2018-04-19 14:18:55 UTC
Statement:

This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5 and 6.

Comment 14 Jun Aruga 2018-11-16 16:27:24 UTC
> Upstream fix : 
> https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=62991

Above shows r62991. 
It is better to add r63000 too.

trunk branch
r62991: https://github.com/ruby/ruby/commit/8794dec6a5f11adc5cdd19a5ee91ea6b0816763f
r63000: https://github.com/ruby/ruby/commit/b78fa27ae0b717c5569878c106a67d5047e5fb88

> Ruby 2.2 series: 2.2.9 and earlier

ruby_2_2 branch:
A commit merged from both r62991 and r63000.
https://github.com/ruby/ruby/commit/47165eed264d357e78e27371cfef20d5c2bde5d9

> Ruby 2.3 series: 2.3.6 and earlier
> Ruby 2.4 series: 2.4.3 and earlier
> Ruby 2.5 series: 2.5.0 and earlier

Search by the string below.

```
merge revision(s) 62991,63000:    
unixsocket.c: check NUL bytes
unixsocket.c: abstract namespace
```

Comment 17 errata-xmlrpc 2018-11-29 09:56:26 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3729 https://access.redhat.com/errata/RHSA-2018:3729

Comment 18 errata-xmlrpc 2018-11-29 10:10:59 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3730 https://access.redhat.com/errata/RHSA-2018:3730

Comment 19 errata-xmlrpc 2018-11-29 10:22:13 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3731 https://access.redhat.com/errata/RHSA-2018:3731

Comment 20 errata-xmlrpc 2019-08-06 12:03:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2028 https://access.redhat.com/errata/RHSA-2019:2028