Secunia has reported this issue: A vulnerability has been reported in Ruby, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is due to an error in "eval.c" in enforcing safe-level protections. This can be exploited to execute certain insecure methods.
Created attachment 119436 Patch from upstream
Akira, I have no idea if this issue will affect RHEL2.1 or RHEL3. I've spent some time today trying to understand this issue, but my ruby knowledge isn't good enough to come up with an example exploit. Any input you have on this issue would be appreciated. Thanks.
Created attachment 119533 a test script to reproduce
Created attachment 119534 an input file for test1.rb
Created attachment 119535 test2.rb: another test script to reproduce.
Created attachment 119536 an input file for test2.rb
Created attachment 119537 test2.rb: another test script to reproduce.
Comment #2: Thank you for filing a bug, Josh. Yes, this problem also affects 2.1 and 3 as well, and I've attached the examples to reproduce this problem. Ruby has to stop running with a SecurityError - it should be out of Thread - but current ruby doesn't.

    # ruby test1.rb < test1.in
    Length = 1926
    Contents = root:x:0:0:root:/root:/bin/bash
    ....

    # ruby test2.rb < test2.in
    "5"
    writing to "good-5.txt" (5 bytes)...
    5 bytes written to "bad-file0.txt".

The File.open thing was commented out intentionally, though, so please uncomment it before testing.
Well, that patch doesn't work for 1.8.1 we shipped.
Ok, I've finished making all versions of the patches for us and the packages have been built in beehive now. The following are available:

    In dist-2.1AS-errata-candidate: ruby-1.6.4-2.AS21.2
    In dist-3.0E-errata-candidate: ruby-1.6.8-9.EL3.4
    In dist-4E-errata-candidate: ruby-1.8.1-7.EL4.2

I've tested them with the above testcases in each environment, and they work fine for me.
This issue is going to be fixed by RHSA-2005:799
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-799.html