Bug 450821 (CVE-2008-2662)

Summary: CVE-2008-2662 ruby: Integer overflows in rb_str_buf_append()
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: kreilly, tagoh, tmz
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: 1.8.6.230-1.fc9
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2008-07-26 06:02:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 451926, 451927, 451928, 451929, 452293, 452294, 452295
Attachments:
  Drew Yao's proposed patch against ruby 1.8.5
  Drew Yao's proposed patch against ruby 1.9
  Upstream patch against 1.8.6
  Upstream patch against 1.9
  Fixed upstream patch for 1.8.6

Description Tomas Hoger 2008-06-11 08:38:05 UTC
Drew Yao of the Apple Product Security team reported an integer overflow leading
to a memory mis-allocation and heap overflow in the rb_str_buf_append() function
used by the ruby interpreter for handling strings.  This can be used to crash and
possibly execute arbitrary code with the privileges of a Ruby application which
uses untrusted input in string operations.

Acknowledgements:

Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting this issue.

Comment 1 Tomas Hoger 2008-06-11 08:40:31 UTC
Created attachment 308901 [details]
Drew Yao's proposed patch against ruby 1.8.5

Comment 2 Tomas Hoger 2008-06-11 08:41:06 UTC
Created attachment 308902 [details]
Drew Yao's proposed patch against ruby 1.9

Comment 5 Tomas Hoger 2008-06-17 18:25:47 UTC
Created attachment 309653 [details]
Upstream patch against 1.8.6

Upstream patch for CVE-2008-266[234], CVE-2008-272[56] against ruby 1.8.6.

Comment 6 Tomas Hoger 2008-06-17 18:28:45 UTC
Created attachment 309654 [details]
Upstream patch against 1.9

Upstream patch for CVE-2008-2662 and CVE-2008-2726 against ruby 1.9.

Comment 8 Tomas Hoger 2008-06-20 18:52:38 UTC
Public now, lifting embargo:
http://preview.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities

Upstream released fixed versions:
1.8.5-p231, 1.8.6-p230, 1.8.7-p22, 1.9.0-2

Patches applied upstream:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17460
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17472


Comment 10 Todd Zullinger 2008-06-21 21:52:36 UTC
Created attachment 309982 [details]
Fixed upstream patch for 1.8.6

The patches previously attached suffer from missing whitespace at the beginning
of each line.  This patch for 1.8.6 is corrected.  It was generated via:

  svn diff -c 17460 http://svn.ruby-lang.org/repos/ruby/branches/ruby_1_8_6/{array.c,intern.h,sprintf.c,string.c}


Hope this helps.

Comment 11 Tomas Hoger 2008-06-23 08:29:40 UTC
More public information about these issues, along with some test cases:

http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html
http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/
http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html

However, there are also multiple posts mentioning problems when upgrading to
current upstream patch levels, most notably reports of new ruby breaking Rails:

http://groups.google.com/group/pdxruby/browse_thread/thread/85e18ef452fa1c7a
http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security-vulnerabilities
http://www.ruby-forum.com/topic/157034

It does not seem to be clear from the discussions whether the problems are caused
by the security fixes or by other changes since the previous patch level (probably
more likely).


Comment 14 Fedora Update System 2008-06-25 02:50:48 UTC
ruby-1.8.6.230-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2008-06-25 02:52:13 UTC
ruby-1.8.6.230-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Tomas Hoger 2008-06-25 06:03:56 UTC
According to the additional information from Drew, the regression in upstream
release was caused by the introduction of str_buf_cat (see SVN rev 17472).

  http://www.openwall.com/lists/oss-security/2008/06/24/3

The issue can be triggered by:

  ruby -ve 'str = "A"*(2**16) ; loop{ str << str ; puts str.size }'

The problem affects the updated Fedora packages:

$ ruby -ve 'str = "A"*(2**16) ; 0.upto(10) { str << str ; puts str.size }'
ruby 1.8.6 (2008-06-20 patchlevel 230) [x86_64-linux]
131072
262144
-e:1: [BUG] Segmentation fault
ruby 1.8.6 (2008-06-20) [x86_64-linux]

Aborted

While on -114:

$ ruby -ve 'str = "A"*(2**16) ; 0.upto(10) { str << str ; puts str.size }'
ruby 1.8.6 (2008-03-03 patchlevel 114) [x86_64-linux]
131072
262144
524288
1048576
2097152
4194304
8388608
16777216
33554432
67108864
134217728

The following upstream commit should resolve this issue:

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17530
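The two failure modes discussed on this page, the length overflow in the string-append path from the description and the `str << str` self-append crash from Comment 16, are shown together below in a toy growable buffer. This is an added illustration with hypothetical names (`sbuf`, `sbuf_append`), not Ruby's code or any of the attached patches; that the self-append regression comes from a source pointer going stale across realloc is an assumption, not something the page states.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Toy growable string, shaped like Ruby's RString (ptr/len/capa).
 * Added illustration only, not Ruby's own code. */
typedef struct { char *ptr; long len; long capa; } sbuf;

void sbuf_init(sbuf *sb) { sb->ptr = NULL; sb->len = 0; sb->capa = 0; }
void sbuf_free(sbuf *sb) { free(sb->ptr); sbuf_init(sb); }

/* Append len bytes of src to sb. Returns 0, or -1 when the new length
 * would overflow a long (the defect class of CVE-2008-2662) or the
 * allocation fails; on -1 the buffer is left unchanged. */
int sbuf_append(sbuf *sb, const char *src, long len)
{
    long off = -1, newlen, newcapa;

    if (len < 0) return -1;
    /* Check by subtraction: computing sb->len + len first could wrap. */
    if (len > LONG_MAX - 1 - sb->len) return -1;   /* -1 keeps room for NUL */
    newlen = sb->len + len;

    /* If src lies inside our own storage (as in Ruby's str << str), keep
     * its offset: realloc may move the block, and the old src would then
     * point into freed memory. (Assumed hazard behind the str_buf_cat
     * regression in Comment 16; not stated on the page.) */
    if (sb->ptr && src >= sb->ptr && src <= sb->ptr + sb->len)
        off = src - sb->ptr;

    if (newlen + 1 > sb->capa) {
        newcapa = sb->capa > 0 ? sb->capa : 16;
        while (newcapa < newlen + 1) {            /* doubling growth */
            if (newcapa > LONG_MAX / 2) { newcapa = newlen + 1; break; }
            newcapa *= 2;
        }
        char *np = realloc(sb->ptr, (size_t)newcapa);
        if (!np) return -1;
        sb->ptr = np;
        sb->capa = newcapa;
    }
    if (off >= 0) src = sb->ptr + off;            /* re-derive after move */
    memmove(sb->ptr + sb->len, src, (size_t)len);
    sb->len = newlen;
    sb->ptr[newlen] = '\0';
    return 0;
}
```

Doubling a 65536-byte buffer three times through `sbuf_append(&sb, sb.ptr, sb.len)` yields 131072, 262144 and 524288 bytes, the same progression as the Ruby one-liner above, while a length that would overflow is rejected before any allocation.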