Bug 1793683 (CVE-2019-16255)
| Summary: | CVE-2019-16255 ruby: Code injection via command argument of Shell#test / Shell#[] | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | amasferr, chazlett, hhorak, jorton, mo, mtasaka, pvalena, ruby-maint, ruby-packagers-sig, s, strzibny, vanmeeuwen+fedora, vondruch |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | ruby 2.4.8, ruby 2.5.7, ruby 2.6.5, ruby 2.7.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-05-26 11:32:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1796525, 1796526, 1796527, 1796528, 1796529, 1796530, 1954948, 1955052, 1957123, 2055230, 2055239 | ||
| Bug Blocks: | 1793685 | ||
|
Description
Guilherme de Almeida Suckevicz
2020-01-21 19:57:11 UTC
HackerOne report: https://hackerone.com/reports/327512 (Note that the Severity noted in the report is "None (0.0)". It also took upstream 15+ months to create patch since the initial acknowledgement of the report.) Upstream commit in the Ruby git: https://github.com/ruby/ruby/commit/d6adc68dc9c74a33b3ca012af171e2d59f0dea10 Upstream commit in the Ruby Shell git: https://github.com/ruby/shell/commit/5d8223f9b4695121ec1ba2e1eabca414f33c6252 This issue was fixed in Ruby 2.6.5, 2.5.7, and 2.4.8: https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-6-5-released/ https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-5-7-released/ https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-4-8-released/ This flaw exists in the Shell module in the Ruby standard library, specifically in the test() / [] method (the two names are aliases for the same method). This method accepts two or three arguments - command and one or two file names. However, this method is rather poorly documented, with documentation not explaining what the command argument is supposed to be: https://ruby-doc.org/stdlib-2.6.5/libdoc/shell/rdoc/Shell/CommandProcessor.html#method-i-test "Tests if the given command exists in file1, or optionally file2." The Shell#test() method is a wrapper around FileTest, which implements various file-related tests, such as checks for file existence and type, file permissions, or size: https://ruby-doc.org/core-2.6.5/FileTest.html The command passed to the Shell#test is supposed to be a FileTest's method to be called. The Shell#test can be used as: ``` sh = Shell.new # does /etc exist? sh.test('exists?', '/etc/') # is /etc a regular file? sh.test('file?', '/etc/') # is /etc a directory? sh.test('directory?', '/etc/') # what is /etc's size? sh.test('size', '/etc/') ``` The problem tracked via this CVE is that the Shell#test implementation allowed calling not only methods directly implemented by the FileTest, but also methods inherited from the parent classes. These methods may be used to achieve arbitrary code execution. However, this problem can only have security implications in situations when untrusted input is directly passed to Shell#test as its command argument. Additionally, untrusted file name value is also required to provide the right payload to the method called via the command argument. Such use cases seem rather unlikely and may also indicate another problem in the Ruby application. Upstream advisory notes: """ Note that passing untrusted data to methods of Shell is dangerous in general. Users must never do it. However, we treat this particular case as a vulnerability because the purpose of Shell#[] and Shell#test is considered file testing. """ This problem would affect very few applications, if any. The original HackerOne report does not indicate any real-world application exposing this problem. Lowering impact rating based on the information above - while this in theory has high impact (arbitrary code execution), it's rather unlikely to be a problem in any relevant real-world use case. @chazlett is this change intentional? ~~~ Fixed In Version: ruby 2.6.5, ruby 2.5.7, ruby 2.4.8 → ruby 2.4.8, ruby 2.5.7, ruby 2.6.5, ruby 2.7.0 ~~~ I wonder, because shell library is not part of ruby 2.7, therefore it was not vulnerable and there is nothing to fix. This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:2104 https://access.redhat.com/errata/RHSA-2021:2104 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-16255 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:2230 https://access.redhat.com/errata/RHSA-2021:2230 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2587 https://access.redhat.com/errata/RHSA-2021:2587 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2588 https://access.redhat.com/errata/RHSA-2021:2588 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582 |