Bug 1561948 (CVE-2018-8779) - CVE-2018-8779 ruby: Unintentional socket creation by poisoned NULL byte in UNIXServer and UNIXSocket
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-8779
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20180328,reported=2...
Depends On: 1561956 1561957 1561958 1563873 1563874 1565258 1569024 1569025 1569026 1569027 1569028 1651798 1652037 1652038
Blocks: 1561954
 
Reported: 2018-03-29 09:07 UTC by Adam Mariš
Modified: 2019-08-06 12:03 UTC (History)

Fixed In Version: ruby 2.2.10, ruby 2.3.7, ruby 2.4.4, ruby 2.5.1
Doc Text:
It was found that the UNIXSocket::open and UNIXServer::open ruby methods did not handle the NULL byte properly. An attacker, able to inject NULL bytes in the socket path, could possibly trigger an unspecified behavior of the ruby script.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:19:05 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3729 None None None 2018-11-29 09:56:36 UTC
Red Hat Product Errata RHSA-2018:3730 None None None 2018-11-29 10:11:12 UTC
Red Hat Product Errata RHSA-2018:3731 None None None 2018-11-29 10:22:23 UTC
Red Hat Product Errata RHSA-2019:2028 None None None 2019-08-06 12:03:50 UTC

Description Adam Mariš 2018-03-29 09:07:36 UTC
UNIXServer.open accepts the path of the socket to be created as the first parameter. If the path contains NUL (\0) bytes, this method recognizes that the path is completed before the NUL bytes. So, if a script accepts an external input as the argument of this method, the attacker can make the socket file in the unintentional path. And, UNIXSocket.open also accepts the path of the socket to be created as the first parameter without checking NUL bytes like UNIXServer.open. So, if a script accepts an external input as the argument of this method, the attacker can accept the socket file in the unintentional path.

Affected versions:

Ruby 2.2 series: 2.2.9 and earlier
Ruby 2.3 series: 2.3.6 and earlier
Ruby 2.4 series: 2.4.3 and earlier
Ruby 2.5 series: 2.5.0 and earlier

External References:

https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/

Comment 1 Adam Mariš 2018-03-29 09:14:42 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1561957]

Comment 6 Cedric Buissart 🐶 2018-04-18 08:23:46 UTC
Upstream fix : 
https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=62991

Comment 9 Cedric Buissart 🐶 2018-04-18 08:51:39 UTC
Mitigation:

It is possible to test for the presence of the NULL byte manually prior to calling the affected methods.
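
Added example (not part of the comment above and not Ruby's own code): one way to apply this mitigation on an unpatched interpreter is to validate the externally supplied path before it reaches UNIXServer.open or UNIXSocket.open. It goes beyond the NUL check by also confining the socket to a base directory; the helper names, the `/run/myapp` directory and the 108-byte `sun_path` limit (Linux) are assumptions.

```ruby
require "socket"

# Assumed Linux limit: sizeof(sockaddr_un.sun_path) is 108 bytes, including
# the terminating NUL. Other platforms use different sizes.
SUN_PATH_MAX = 108

# Hypothetical error class so callers can tell a rejected path from other errors.
class UnsafeSocketPath < ArgumentError; end

# Returns an absolute socket path under base_dir, or raises UnsafeSocketPath.
def checked_socket_path(raw, base_dir)
  path = String(raw)

  # The mitigation itself: refuse any NUL byte. On affected versions the C
  # layer treats the path as ending at the first NUL, so "app.sock\0.suffix"
  # would be handled as "app.sock". Checking bytes keeps this independent of
  # the string's encoding. A leading NUL is rejected too, so this helper
  # deliberately does not support abstract-namespace addresses.
  raise UnsafeSocketPath, "NUL byte in socket path" if path.bytes.include?(0)
  raise UnsafeSocketPath, "empty socket path" if path.empty?

  # Beyond the NUL check: resolve ".." and absolute inputs, then require the
  # result to stay inside the directory the application owns.
  base = File.expand_path(base_dir)
  full = File.expand_path(path, base)
  unless full.start_with?(base + File::SEPARATOR)
    raise UnsafeSocketPath, "socket path escapes #{base}"
  end

  # An over-long path cannot fit in sun_path; fail with a clear reason here.
  raise UnsafeSocketPath, "socket path too long" if full.bytesize >= SUN_PATH_MAX

  full
end

# Wrappers for the two affected entry points named in this bug.
def open_checked_server(raw, base_dir)
  UNIXServer.open(checked_socket_path(raw, base_dir))
end

def open_checked_client(raw, base_dir)
  UNIXSocket.open(checked_socket_path(raw, base_dir))
end
```

On the fixed versions listed in this bug the check is redundant for the NUL case, but the directory confinement still applies.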

Comment 11 Cedric Buissart 🐶 2018-04-18 09:03:35 UTC
ruby version 1.8 does not appear to be vulnerable : the method correctly triggers an ArgumentError.

Comment 13 Eric Christensen 2018-04-19 14:18:55 UTC
Statement:

This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5 and 6.

Comment 14 Jun Aruga 2018-11-16 16:27:24 UTC
> Upstream fix : 
> https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=62991

Above shows r62991. 
It is better to add r63000 too.

trunk branch
r62991: https://github.com/ruby/ruby/commit/8794dec6a5f11adc5cdd19a5ee91ea6b0816763f
r63000: https://github.com/ruby/ruby/commit/b78fa27ae0b717c5569878c106a67d5047e5fb88

> Ruby 2.2 series: 2.2.9 and earlier

ruby_2_2 branch:
A commit merged from both r62991 and r63000.
https://github.com/ruby/ruby/commit/47165eed264d357e78e27371cfef20d5c2bde5d9

> Ruby 2.3 series: 2.3.6 and earlier
> Ruby 2.4 series: 2.4.3 and earlier
> Ruby 2.5 series: 2.5.0 and earlier

Search by below string.

```
merge revision(s) 62991,63000:    
unixsocket.c: check NUL bytes
unixsocket.c: abstract namespace
```

Comment 17 errata-xmlrpc 2018-11-29 09:56:26 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3729 https://access.redhat.com/errata/RHSA-2018:3729

Comment 18 errata-xmlrpc 2018-11-29 10:10:59 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3730 https://access.redhat.com/errata/RHSA-2018:3730

Comment 19 errata-xmlrpc 2018-11-29 10:22:13 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3731 https://access.redhat.com/errata/RHSA-2018:3731

Comment 20 errata-xmlrpc 2019-08-06 12:03:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2028 https://access.redhat.com/errata/RHSA-2019:2028

