Bug 892221

Summary: rubygem-ruby_parser: Incorrect usage of file in /tmp/ ( /usr/share/gems/gems/ruby_parser-2.0.4/lib/gauntlet_rubyparser.rb ) [fedora-all]
Product: [Fedora] Fedora Reporter: Michael S. <misc>
Component: rubygem-ruby_parserAssignee: Mo Morsi <mmorsi>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 20CC: security-response-team, vdanen, vondruch
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: , fst_ping=1
Fixed In Version: rubygem-ruby_parser-3.6.1-1.fc21 Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-06-15 17:02:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 892806    
Attachments:
Description Flags
tentative patch to fix the issue none

Description Michael S. 2013-01-05 23:57:42 UTC 
Looking for incorrect /tmp/ usage, I found the following piece of code in /usr/share/gems/gems/ruby_parser-2.0.4/lib/gauntlet_rubyparser.rb

  def diff_pp o1, o2
    require 'pp'

    File.open("/tmp/a.#{$$}", "w") do |f|
      PP.pp o1, f
    end

    File.open("/tmp/b.#{$$}", "w") do |f|
      PP.pp o2, f
    end

    `diff -u /tmp/a.#{$$} /tmp/b.#{$$}`
  ensure
    File.unlink "/tmp/a.#{$$}" rescue nil
    File.unlink "/tmp/b.#{$$}" rescue nil
  end

Basically, if someone create a link from /tmp/a.1234, this could result in either a denial of service ( if the file cannot be written due to wrong permissions ), or into a file injection ( if someone use a symlink to another file, like ~/.ssh/authorized_keys, and do not have restriction on this using yama on kernel 3.6 ).

For security team, this is shipped as part of the cloudforms channel for RHEL on RHN, but I am not sure if that function is used, and I think it is not. 

The package is used on epel 5, 6 and all versions of Fedora.

No CVE have been asked for now, and upstream was not yet notified yet. And this issue is still secret so far.
Comment 1 Michael S. 2013-01-06 00:01:36 UTC 
In fact, this package is likely requested by all of our software that use rails ( aeolus, foreman, openshift origin ), so more than 1 channel may need to be updated ( I hope this is automatic )

$ repoquery --whatrequires 'rubygem(ruby_parser)'
rubygem-haml-0:3.1.6-1.fc18.noarch
rubygem-ruby2ruby-0:1.2.4-7.fc18.noarch

$ repoquery --whatrequires 'rubygem(ruby2ruby)'  
rubygem-thor-0:0.14.6-6.fc18.noarch

$ repoquery --whatrequires 'rubygem(thor)'     
rubygem-bundler-0:1.1.4-2.fc18.noarch
rubygem-jquery-rails-0:2.0.2-1.fc18.noarch
rubygem-railties-0:3.2.8-1.fc18.noarch

$ repoquery --whatrequires 'rubygem(bundler)'
rubygem-appraisal-0:0.5.1-1.fc18.noarch
rubygem-rails-1:3.2.8-1.fc18.noarch

$ repoquery --whatrequires 'rubygem(rails)'  
aeolus-conductor-0:0.10.6-2.fc18.noarch
openshift-origin-broker-0:0.6.17-3.fc18.noarch
rubygem-apipie-rails-0:0.0.13-2.fc18.noarch
rubygem-cucumber-rails-0:1.3.0-1.fc18.noarch
rubygem-declarative_authorization-0:0.5.6-1.fc18.noarch
rubygem-gettext_i18n_rails-0:0.6.6-1.fc18.noarch
rubygem-rails_warden-0:0.5.7-1.fc18.noarch
Comment 2 Vincent Danen 2013-01-07 21:53:17 UTC 
Michael, thanks for this.  Did you intend on informing upstream of this issue?
Comment 3 Michael S. 2013-01-07 22:14:12 UTC 
I plan to send a patch once I have time ( likely in 1 or 2 days, depend on the number of people in the train tomorrow morning ). 

Should I ask upstream for a embargo, or the issue is mundane enough to not require it ? 

( I think that's minor enough but maybe we want to first prepare package and then announce it ? )
Comment 4 Michael S. 2013-01-07 22:56:30 UTC 
Created attachment 674402 [details]
tentative patch to fix the issue

I created a patch, but the tests are failling on git head :

1226 tests, 5615 assertions, 446 failures, 3 errors, 0 skips
rake aborted!

however, my patch do not add new failures. But I am not sure this part is tested.
So that's without guarantee. I will contact upstream tomorrow morning

And looking at Fedora, we do not have gauntlet ( https://github.com/seattlerb/gauntlet ), and the faulty code is in a plugin for this module. So I am pretty sure the code path is not widely used ( so no urgency ).
Comment 5 Michael S. 2013-01-12 19:14:18 UTC 
Upstream have been notified by mail, along with the patch.
Comment 6 Vincent Danen 2013-04-04 02:01:12 UTC 
This still needs to be corrected in Fedora, does it not?
Comment 7 Fedora End Of Life 2013-12-21 15:16:38 UTC 
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 8 Michael S. 2013-12-22 12:36:18 UTC 
Still valid.
Comment 9 Vít Ondruch 2014-07-14 12:20:37 UTC 
This was fixed by ruby_parser 3.1.2

https://github.com/seattlerb/ruby_parser/commit/506c7e13cff6f8715385fa8488b621028b4ad280

The entire file was later removed in ruby_parser 3.4.0 by

https://github.com/seattlerb/ruby_parser/commit/50d20b9915cd93a3abfe16901828deb289d8d6b0

Since this is going to be fixed in F21 now, I change the version back to F20
Comment 10 Eric Christensen 2014-10-27 14:20:52 UTC 
Sorry, removed wrong CC.
Comment 11 pjp 2015-04-09 17:31:57 UTC 
Hello mmorsi,

You plan to fix this soon?
Comment 12 Fedora End Of Life 2015-05-29 08:50:36 UTC 
This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '20'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 20 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 13 Mo Morsi 2015-06-15 17:02:35 UTC 
Hey pjp sorry for the belated response on this one. Since this is fixed in F21+ and F20 is EOL I'm going to close this as won't fix. If anyone needs this let me know.