Red Hat Bugzilla – Bug 1643089
CVE-2018-16396 ruby: Tainted flags are not propagated in Array#pack and String#unpack with some directives
Last modified: 2018-10-25 09:41:25 EDT
The Array#pack method converts the receiver’s contents into a string with a specified format. If the receiver contains some tainted objects, the returned string should also be tainted. The String#unpack method, which converts the receiver into an array, should also propagate its tainted flag to the objects contained in the returned array. However, with the B, b, H and h directives, the tainted flags are not propagated. So, if a script processes unreliable inputs with Array#pack and/or String#unpack using these directives and checks their reliability with tainted flags, the check might be wrong.

External References:
https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/
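A check for whether a given interpreter shows the behaviour described above, as an added example that is not part of the bug report or the upstream patch: it taints constructed inputs, runs them through each of the four directives, and reports where the flag was lost. The method names are hypothetical; on Ruby versions without working taint tracking, audit returns nil because the check does not apply.

```ruby
# Added example (not from the bug report): probe the running interpreter for
# lost taint propagation in Array#pack / String#unpack.
DIRECTIVES = %w[B b H h].freeze # directives named in the report

# True only if marking a string tainted is actually observable. Rubies that
# dropped or neutered taint tracking cannot exhibit (or be tested for) the bug.
def taint_tracking?
  probe = String.new("probe")
  probe.respond_to?(:taint) && probe.respond_to?(:tainted?) && probe.taint.tainted?
end

# Pack a tainted element and unpack a tainted string with one directive;
# report whether the taint flag survived each operation.
def probe_directive(directive)
  fmt = "#{directive}*"
  element = String.new("0110").taint       # constructed input, valid as bits and as hex
  source  = [0x5a, 0xa5].pack("C*").taint  # constructed two-byte input
  { pack:   [element].pack(fmt).tainted?,
    unpack: source.unpack(fmt).all?(&:tainted?) }
end

# Returns nil when taint tracking is unavailable, else { directive => result }.
def audit
  return nil unless taint_tracking?
  DIRECTIVES.map { |d| [d, probe_directive(d)] }.to_h
end

# Directives for which pack or unpack dropped the flag.
def affected_directives(results)
  results.select { |_d, r| !(r[:pack] && r[:unpack]) }.keys
end

if __FILE__ == $PROGRAM_NAME
  results = audit
  if results.nil?
    puts "taint tracking not available on Ruby #{RUBY_VERSION}; check not applicable"
  else
    lost = affected_directives(results)
    puts lost.empty? ? "taint propagated for all four directives" : "taint lost for: #{lost.join(', ')}"
  end
end
```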
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1643091]
Upstream patch: https://github.com/ruby/ruby/commit/a2958f6743664006d21fc0bafd4ca6214df1d429