Bug 169575 - CAN-2005-2337 ruby safe-level mode bypass
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: ruby
Version: 4.0
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Akira TAGOH
Bill Huang
http://secunia.com/advisories/16904/
impact=moderate,source=secunia,public...
Keywords: Security
Reported: 2005-09-29 15:49 EDT by Josh Bressers
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHSA-2005-799
Doc Type: Bug Fix
Last Closed: 2005-10-11 12:01:58 EDT

Attachments
Patch from upstream (2.97 KB, patch), 2005-09-29 15:49 EDT, Josh Bressers
a test script to reproduce (153 bytes, text/plain), 2005-10-03 04:16 EDT, Akira TAGOH
an input file for test1.rb (114 bytes, text/plain), 2005-10-03 04:17 EDT, Akira TAGOH
test2.rb: another test script to reproduce. (332 bytes, text/plain), 2005-10-03 04:17 EDT, Akira TAGOH
an input file for test2.rb (138 bytes, text/plain), 2005-10-03 04:18 EDT, Akira TAGOH
test2.rb: another test script to reproduce. (333 bytes, text/plain), 2005-10-03 04:46 EDT, Akira TAGOH

Description Josh Bressers 2005-09-29 15:49:57 EDT
Secunia has reported this issue:

A vulnerability has been reported in Ruby, which can be exploited by malicious
people to bypass certain security restrictions.

The vulnerability is due to an error in "eval.c" in enforcing safe-level
protections. This can be exploited to execute certain insecure methods.
Comment 1 Josh Bressers 2005-09-29 15:49:57 EDT
Created attachment 119436
Patch from upstream
Comment 2 Josh Bressers 2005-09-29 15:52:22 EDT
Akira,

I have no idea if this issue will affect RHEL2.1 or RHEL3.  I've spent some time
today trying to understand this issue, but my ruby knowledge isn't good enough
to come up with an example exploit.

Any input you have on this issue would be appreciated.

Thanks.
Comment 3 Akira TAGOH 2005-10-03 04:16:29 EDT
Created attachment 119533
a test script to reproduce
Comment 4 Akira TAGOH 2005-10-03 04:17:06 EDT
Created attachment 119534
an input file for test1.rb
Comment 5 Akira TAGOH 2005-10-03 04:17:52 EDT
Created attachment 119535
test2.rb: another test script to reproduce.
Comment 6 Akira TAGOH 2005-10-03 04:18:30 EDT
Created attachment 119536
an input file for test2.rb
Comment 7 Akira TAGOH 2005-10-03 04:46:03 EDT
Created attachment 119537
test2.rb: another test script to reproduce.
Comment 8 Akira TAGOH 2005-10-03 04:55:24 EDT
Comment #2:
Thank you for filing a bug, Josh. Yes, this problem affects 2.1 and 3 as
well, and I've attached the examples to reproduce this problem. Ruby has to stop
running with a SecurityError - it should be out of Thread - but current ruby
doesn't.

# ruby test1.rb < test1.in
Length = 1926
Contents = root:x:0:0:root:/root:/bin/bash
....
# ruby test2.rb < test2.in
"5"
writing to "good-5.txt" (5 bytes)...
5 bytes written to "bad-file0.txt".

The File.open thing was commented out intentionally though, so please uncomment it
before testing.
Comment 9 Akira TAGOH 2005-10-05 00:21:21 EDT
Well, that patch doesn't work for 1.8.1 we shipped.
Comment 10 Akira TAGOH 2005-10-05 05:09:17 EDT
OK, I've finished making all versions of the patches for us and the packages have
been built in beehive now.

In dist-2.1AS-errata-candidate: ruby-1.6.4-2.AS21.2
In dist-3.0E-errata-candidate: ruby-1.6.8-9.EL3.4
In dist-4E-errata-candidate: ruby-1.8.1-7.EL4.2

are available. I've tested them with the above test cases on each environment,
and they work fine for me.
Comment 11 Josh Bressers 2005-10-05 14:49:59 EDT
This issue is going to be fixed by RHSA-2005:799
Comment 13 Red Hat Bugzilla 2005-10-11 12:01:58 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-799.html
