Bug 169575 - CAN-2005-2337 ruby safe-level mode bypass
Summary: CAN-2005-2337 ruby safe-level mode bypass
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: ruby
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Akira TAGOH
QA Contact: Bill Huang
URL: http://secunia.com/advisories/16904/
Whiteboard: impact=moderate,source=secunia,public...
 
Reported: 2005-09-29 19:49 UTC by Josh Bressers
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHSA-2005-799
Doc Type: Bug Fix
Last Closed: 2005-10-11 16:01:58 UTC


Attachments
Patch from upstream (2.97 KB, patch) - 2005-09-29 19:49 UTC, Josh Bressers
a test script to reproduce (153 bytes, text/plain) - 2005-10-03 08:16 UTC, Akira TAGOH
an input file for test1.rb (114 bytes, text/plain) - 2005-10-03 08:17 UTC, Akira TAGOH
test2.rb: another test script to reproduce. (332 bytes, text/plain) - 2005-10-03 08:17 UTC, Akira TAGOH
an input file for test2.rb (138 bytes, text/plain) - 2005-10-03 08:18 UTC, Akira TAGOH
test2.rb: another test script to reproduce. (333 bytes, text/plain) - 2005-10-03 08:46 UTC, Akira TAGOH


Links
Red Hat Product Errata RHSA-2005:799 (priority: normal, status: SHIPPED_LIVE) - "Moderate: ruby security update", last updated 2005-10-11 04:00:00 UTC

Description Josh Bressers 2005-09-29 19:49:57 UTC
Secunia has reported this issue:

A vulnerability has been reported in Ruby, which can be exploited by malicious
people to bypass certain security restrictions.

The vulnerability is due to an error in "eval.c" in enforcing safe-level
protections. This can be exploited to execute certain insecure methods.

Comment 1 Josh Bressers 2005-09-29 19:49:57 UTC
Created attachment 119436 [details]
Patch from upstream

Comment 2 Josh Bressers 2005-09-29 19:52:22 UTC
Akira,

I have no idea if this issue will affect RHEL2.1 or RHEL3.  I've spent some time
today trying to understand this issue, but my ruby knowledge isn't good enough
to come up with an example exploit.

Any input you have on this issue would be appreciated.

Thanks.

Comment 3 Akira TAGOH 2005-10-03 08:16:29 UTC
Created attachment 119533 [details]
a test script to reproduce

Comment 4 Akira TAGOH 2005-10-03 08:17:06 UTC
Created attachment 119534 [details]
an input file for test1.rb

Comment 5 Akira TAGOH 2005-10-03 08:17:52 UTC
Created attachment 119535 [details]
test2.rb: another test script to reproduce.

Comment 6 Akira TAGOH 2005-10-03 08:18:30 UTC
Created attachment 119536 [details]
an input file for test2.rb

Comment 7 Akira TAGOH 2005-10-03 08:46:03 UTC
Created attachment 119537 [details]
test2.rb: another test script to reproduce.

Comment 8 Akira TAGOH 2005-10-03 08:55:24 UTC
Comment #2:
Thank you for filing a bug, Josh. Yes, this problem also affects 2.1 and 3 as
well, and I've attached the examples to reproduce this problem. Ruby has to stop
running with a SecurityError - it should be out of the Thread - but the current ruby
doesn't.

# ruby test1.rb < test1.in
Length = 1926
Contents = root:x:0:0:root:/root:/bin/bash
....
# ruby test2.rb < test2.in
"5"
writing to "good-5.txt" (5 bytes)...
5 bytes written to "bad-file0.txt".

The File.open thing was commented out intentionally, though, so please uncomment it
before testing.

Comment 9 Akira TAGOH 2005-10-05 04:21:21 UTC
Well, that patch doesn't work for 1.8.1 we shipped.

Comment 10 Akira TAGOH 2005-10-05 09:09:17 UTC
OK, I've finished making all versions of the patches for us, and the packages have
now been built in beehive.

In dist-2.1AS-errata-candidate: ruby-1.6.4-2.AS21.2
In dist-3.0E-errata-candidate: ruby-1.6.8-9.EL3.4
In dist-4E-errata-candidate: ruby-1.8.1-7.EL4.2

are available. I've tested them with the above test cases in each environment,
and they work fine for me.

Comment 11 Josh Bressers 2005-10-05 18:49:59 UTC
This issue is going to be fixed by RHSA-2005:799

Comment 13 Red Hat Bugzilla 2005-10-11 16:01:58 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-799.html
