Bug 169575

Summary: CAN-2005-2337 ruby safe-level mode bypass
Product: Red Hat Enterprise Linux 4
Reporter: Josh Bressers <bressers>
Component: ruby
Assignee: Akira TAGOH <tagoh>
Status: CLOSED ERRATA
QA Contact: Bill Huang <bhuang>
Severity: medium
Priority: medium
Version: 4.0
Keywords: Security
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/16904/
Whiteboard: impact=moderate,source=secunia,public=20050923
Fixed In Version: RHSA-2005-799
Doc Type: Bug Fix
Last Closed: 2005-10-11 16:01:58 UTC
Attachments (Description / Flags):
Patch from upstream / none
a test script to reproduce / none
an input file for test1.rb / none
test2.rb: another test script to reproduce. / none
an input file for test2.rb / none
test2.rb: another test script to reproduce. / none

Description Josh Bressers 2005-09-29 19:49:57 UTC
Secunia has reported this issue:

A vulnerability has been reported in Ruby, which can be exploited by malicious
people to bypass certain security restrictions.

The vulnerability is due to an error in "eval.c" in enforcing safe-level
protections. This can be exploited to execute certain insecure methods.

Comment 1 Josh Bressers 2005-09-29 19:49:57 UTC
Created attachment 119436
Patch from upstream

Comment 2 Josh Bressers 2005-09-29 19:52:22 UTC
Akira,

I have no idea if this issue will affect RHEL2.1 or RHEL3.  I've spent some time
today trying to understand this issue, but my ruby knowledge isn't good enough
to come up with an example exploit.

Any input you have on this issue would be appreciated.

Thanks.

Comment 3 Akira TAGOH 2005-10-03 08:16:29 UTC
Created attachment 119533
a test script to reproduce

Comment 4 Akira TAGOH 2005-10-03 08:17:06 UTC
Created attachment 119534
an input file for test1.rb

Comment 5 Akira TAGOH 2005-10-03 08:17:52 UTC
Created attachment 119535
test2.rb: another test script to reproduce.

Comment 6 Akira TAGOH 2005-10-03 08:18:30 UTC
Created attachment 119536
an input file for test2.rb

Comment 7 Akira TAGOH 2005-10-03 08:46:03 UTC
Created attachment 119537
test2.rb: another test script to reproduce.

Comment 8 Akira TAGOH 2005-10-03 08:55:24 UTC
Comment #2:
Thank you for filing a bug, Josh. Yes, this problem also affects 2.1 and 3,
and I've attached the examples to reproduce this problem. Ruby has to stop
running with a SecurityError - it should be out of Thread - but the current ruby
doesn't.

# ruby test1.rb < test1.in
Length = 1926
Contents = root:x:0:0:root:/root:/bin/bash
....
# ruby test2.rb < test2.in
"5"
writing to "good-5.txt" (5 bytes)...
5 bytes written to "bad-file0.txt".

The File.open thing was commented out intentionally though, so please uncomment it
before testing.

Comment 9 Akira TAGOH 2005-10-05 04:21:21 UTC
Well, that patch doesn't work for the 1.8.1 we shipped.

Comment 10 Akira TAGOH 2005-10-05 09:09:17 UTC
OK, I've finished making all versions of the patches for us and the packages have
been built in beehive now.

In dist-2.1AS-errata-candidate: ruby-1.6.4-2.AS21.2
In dist-3.0E-errata-candidate: ruby-1.6.8-9.EL3.4
In dist-4E-errata-candidate: ruby-1.8.1-7.EL4.2

are available. I've tested them with the above test cases on each environment,
and they work fine for me.

Comment 11 Josh Bressers 2005-10-05 18:49:59 UTC
This issue is going to be fixed by RHSA-2005:799

Comment 13 Red Hat Bugzilla 2005-10-11 16:01:58 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-799.html