Bug 862598 (CVE-2012-4464)

Summary: CVE-2012-4464 ruby 1.9.3: Possibility to bypass Ruby's $SAFE (level 4) semantics
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: bkabrda, jrusnack, mfisher, mmcgrath, mmorsi, mtasaka, tagoh, vanmeeuwen+fedora, vondruch
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20120928,reported=20120929,source=debian,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,rhel-5/ruby=notaffected,rhel-6/ruby=notaffected,fedora-16/ruby=notaffected,fedora-17/ruby=affected,openshift-1/ruby193=affected,openshift-enterprise-1/ruby193=affected,cwe=CWE-266
Fixed In Version: ruby 1.9.3p286
Doc Type: Bug Fix
Last Closed: 2014-10-28 17:18:03 EDT
Bug Depends On: 839530, 862907, 863315, 904020
Bug Blocks: 767033

Description Jan Lieskovsky 2012-10-03 06:59:07 EDT
Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1005 to the following vulnerability:

The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.

Later it was reported:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689075
[2] http://www.openwall.com/lists/oss-security/2012/10/02/4

that upstream ruby 1.9.1 and ruby 1.9.3 versions are also vulnerable to this flaw.

Relevant upstream patch:
[3] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
Comment 1 Jan Lieskovsky 2012-10-03 07:01:16 EDT
Upstream public reproducer for the CVE-2011-1005 issue (from:

$secret_path = "foo"

proc do
  $SAFE = 4                            # enter the restricted safe level
  $secret_path.replace "/etc/passwd"   # in-place rewrite of the outer string
end.call

open($secret_path) do
  # ...
end

which can be used to test presence of the issue.
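An added illustration, not part of this bug report or of Ruby's own code, of the in-place string mutation the reproducer above depends on, written for a Ruby that still runs today: $SAFE level 4 no longer exists in current Ruby, so only the aliasing through Exception#to_s and the freeze-based defence are shown. The method names and the "foo" / "/etc/passwd" sample values are constructed for the example.

```ruby
# Added example (not from the bug report or upstream Ruby). Assumes a
# current Ruby (2.x or 3.x); $SAFE was removed, so the sandbox check that
# CVE-2012-4464 bypassed cannot be reproduced here, only the mutation path.

# Returns the path after a caller mutates the string it got back from
# Exception#to_s. Exception#to_s hands back the very String object the
# exception was constructed with, so String#replace on it also rewrites
# the caller's original variable. This is the aliasing the bypass used.
def path_after_to_s_replace(path)
  err = ArgumentError.new(path)
  err.to_s.replace("/etc/passwd")   # constructed attacker-chosen value
  path                              # caller's variable, now changed
end

# Same flow, but the sensitive string is frozen before it is handed out.
# In-place modification now fails (FrozenError, a RuntimeError subclass)
# and the original value survives. Returns [path, error_class_or_nil].
def path_after_frozen_replace(path)
  frozen = path.dup.freeze
  err = ArgumentError.new(frozen)
  err.to_s.replace("/etc/passwd")
  [frozen, nil]
rescue => e
  [frozen, e.class]
end

# True when Exception#to_s returns its message object without copying it.
def to_s_aliases_message?
  s = "foo".dup
  ArgumentError.new(s).to_s.equal?(s)
end

if __FILE__ == $PROGRAM_NAME
  puts path_after_to_s_replace("foo".dup)   # => /etc/passwd
  p path_after_frozen_replace("foo")        # => ["foo", FrozenError]
  p to_s_aliases_message?                   # => true
end
```

The defensive takeaway is that any string reachable by less-trusted code through an exception message should be frozen (or a copy handed out), since the upstream fix only restored the safe-level check rather than removing the aliasing.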
Comment 2 Jan Lieskovsky 2012-10-03 07:05:24 EDT
This issue did NOT affect the versions of the ruby package, as shipped with Red Hat Enterprise Linux 5 and 6 (refer to bug #678920 for further information about this flaw in ruby 1.8.x and earlier versions).

This issue did NOT affect the version of the ruby package, as shipped with Fedora 16.

This issue affects the version of the ruby package, as shipped with Fedora 17. Please schedule an update.
Comment 3 Vincent Danen 2012-10-03 16:49:51 EDT
Based on comments reported to oss-sec, there are actually two issues here:

1) CVE-2011-1005 was never reported to affect ruby 1.9.x, but it was later introduced (or re-introduced) on trunk, via r29456.  So ruby 1.9.3-p0 and later are affected by the same flaw that was assigned CVE-2011-1005 in 1.8.x (it has been assigned the name CVE-2012-4464).

2) The name_err_mesg_to_str() function has a similar flaw, and it affects both 1.8.x and 1.9.3-p0 and later.  This was assigned the name CVE-2012-4466.

CVE assignments and explanations:


We'll keep this bug for CVE-2012-4464, and bug #862906 for CVE-2012-4466.
Comment 4 Vincent Danen 2012-10-03 16:53:14 EDT

Not vulnerable. This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5 and 6 as they did not provide version 1.9.x, which is the vulnerable version of ruby.
Comment 5 Jan Lieskovsky 2012-10-04 04:57:01 EDT
Created ruby tracking bugs for this issue

Affects: fedora-all [bug 862907]
Comment 8 errata-xmlrpc 2013-02-28 14:08:12 EST
This issue has been addressed in the following products:

  RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0582 https://rhn.redhat.com/errata/RHSA-2013-0582.html