Bug 1643089 (CVE-2018-16396) - CVE-2018-16396 ruby: Tainted flags are not propagated in Array#pack and String#unpack with some directives
Summary: CVE-2018-16396 ruby: Tainted flags are not propagated in Array#pack and Strin...
Status: CLOSED ERRATA
Alias: CVE-2018-16396
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20181017,repor...
Keywords: Security
Depends On: 1647502 1643091 1643092 1643631 1643633 1643635 1647503 1647504 1647505
Blocks: 1643090
Reported: 2018-10-25 13:37 UTC by Andrej Nemec
Modified: 2019-06-10 10:41 UTC (History)
Clone Of:
Last Closed: 2019-06-10 10:41:03 UTC

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3729 None None None 2018-11-29 09:57 UTC
Red Hat Product Errata RHSA-2018:3730 None None None 2018-11-29 10:12 UTC
Red Hat Product Errata RHSA-2018:3731 None None None 2018-11-29 10:23 UTC

Description Andrej Nemec 2018-10-25 13:37:46 UTC
The Array#pack method converts the receiver’s contents into a string with the specified format. If the receiver contains some tainted objects, the returned string also should be tainted. The String#unpack method, which converts the receiver into an array, also should propagate its tainted flag to the objects contained in the returned array. But, with the B, b, H and h directives, the tainted flags are not propagated. So, if a script processes unreliable inputs by Array#pack and/or String#unpack with these directives and checks the reliability with tainted flags, the check might be wrong.

External References:

https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/
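
As an added example, not part of the bug report or of Ruby's own code: a probe for whether the running interpreter propagates the taint flag through a pack/unpack round trip for a given directive, and a small provenance wrapper (the class name `Provenance` is hypothetical) that carries trust explicitly instead of relying on the flag, so the check described above cannot be bypassed by a directive that drops the flag. It assumes nothing beyond core Ruby; the probe returns nil on Ruby 2.7 and later, where taint is a no-op or has been removed.

```ruby
# Added example, not from the bug report or Ruby itself.
# Probe: does the taint flag survive a pack/unpack round trip for one
# directive? Returns nil where taint is a no-op (Ruby 2.7-3.1) or removed
# (Ruby 3.2+); true/false on older interpreters.
def taint_propagated?(directive)
  return nil unless "".respond_to?(:taint) && "".respond_to?(:tainted?)
  input = "0110".dup                       # constructed sample, valid for B, b, H, h
  input.taint
  return nil unless input.tainted?         # no-op taint on 2.7-3.1
  packed = [input].pack(directive)
  unpacked = packed.unpack(directive).first
  packed.tainted? && unpacked.tainted?
end

# Mitigation that does not depend on the interpreter's taint flag: carry
# provenance next to the bytes and propagate it through every transformation.
class Provenance
  attr_reader :value, :trusted

  def initialize(value, trusted:)
    @value = value
    @trusted = trusted
  end

  # Array#pack over several inputs: the result is trusted only if every
  # input was (the propagation the report says taint should perform).
  def self.pack(inputs, format)
    new(inputs.map(&:value).pack(format), trusted: inputs.all?(&:trusted))
  end

  # String#unpack: each produced element inherits the receiver's trust,
  # regardless of directive.
  def unpack(format)
    value.unpack(format).map { |v| Provenance.new(v, trusted: trusted) }
  end
end

# A trust check written against provenance rather than tainted?.
def hex_decode_if_trusted(input)
  decoded = Provenance.pack([input], "H*")
  raise ArgumentError, "untrusted input reached decoder" unless decoded.trusted
  decoded.value
end

if __FILE__ == $PROGRAM_NAME
  %w[B* b* H* h*].each { |d| puts "#{d}: taint propagated? #{taint_propagated?(d).inspect}" }
  puts hex_decode_if_trusted(Provenance.new("6869", trusted: true))   # "hi"
end
```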

Comment 1 Andrej Nemec 2018-10-25 13:40:17 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1643091]

Comment 8 Scott Gayou 2018-11-07 16:00:28 UTC
RHEL*/RHSCL affected.

Comment 9 Doran Moppert 2018-11-19 05:01:24 UTC
Statement:

Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Low, and is not currently planned to be addressed in future updates.

Red Hat Virtualization includes a vulnerable version of ruby, however the affected functionality is not used in Red Hat Virtualization or any of its dependencies. A future update may address this issue.

Comment 10 errata-xmlrpc 2018-11-29 09:57:09 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3729 https://access.redhat.com/errata/RHSA-2018:3729

Comment 11 errata-xmlrpc 2018-11-29 10:12:00 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3730 https://access.redhat.com/errata/RHSA-2018:3730

Comment 12 errata-xmlrpc 2018-11-29 10:22:53 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3731 https://access.redhat.com/errata/RHSA-2018:3731
