Bug 450821 - (CVE-2008-2662) CVE-2008-2662 ruby: Integer overflows in rb_str_buf_append()
CVE-2008-2662 ruby: Integer overflows in rb_str_buf_append()
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
source=vendorsec,reported=20080605,pu...
: Security
Depends On: 451926 451927 451928 451929 452293 452294 452295
Blocks:
  Show dependency treegraph
 
Reported: 2008-06-11 04:38 EDT by Tomas Hoger
Modified: 2016-03-04 07:13 EST (History)
3 users (show)

See Also:
Fixed In Version: 1.8.6.230-1.fc9
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-07-26 02:02:44 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Drew Yao's proposed patch agains ruby 1.8.5 (395 bytes, patch)
2008-06-11 04:40 EDT, Tomas Hoger
no flags Details | Diff
Drew Yao's proposed patch agains ruby 1.9 (401 bytes, patch)
2008-06-11 04:41 EDT, Tomas Hoger
no flags Details | Diff
Upstream patch against 1.8.6 (4.16 KB, patch)
2008-06-17 14:25 EDT, Tomas Hoger
no flags Details | Diff
Upstream patch against 1.9 (2.30 KB, patch)
2008-06-17 14:28 EDT, Tomas Hoger
no flags Details | Diff
Fixed upstream patch for 1.8.6 (4.57 KB, patch)
2008-06-21 17:52 EDT, Todd Zullinger
no flags Details | Diff

  None (edit)
Description Tomas Hoger 2008-06-11 04:38:05 EDT
Drew Yao of the Apple Product Security team reported an integer overflow leading
to a memory mis-allocation and heap overflow in the rb_str_buf_append() function
used by ruby interpreter for handling strings.  This can be used to crash and
possibly execute arbitrary code with the privileges of Ruby application which
use untrusted input in string operations.

Acknowledgements:

Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting this issue.
Comment 1 Tomas Hoger 2008-06-11 04:40:31 EDT
Created attachment 308901 [details]
Drew Yao's proposed patch agains ruby 1.8.5
Comment 2 Tomas Hoger 2008-06-11 04:41:06 EDT
Created attachment 308902 [details]
Drew Yao's proposed patch agains ruby 1.9
Comment 5 Tomas Hoger 2008-06-17 14:25:47 EDT
Created attachment 309653 [details]
Upstream patch against 1.8.6

Upstream patch for CVE-2008-266[234], CVE-2008-272[56] against ruby 1.8.6.
Comment 6 Tomas Hoger 2008-06-17 14:28:45 EDT
Created attachment 309654 [details]
Upstream patch against 1.9

Upstream patch for CVE-2008-2662 and CVE-2008-2726 against ruby 1.9.
Comment 8 Tomas Hoger 2008-06-20 14:52:38 EDT
Public now, lifting embargo:
http://preview.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities

Upstream released fixed versions:
1.8.5-p231, 1.8.6-p230, 1.8.7-p22, 1.9.0-2

Patches applied upstream:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17460
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17472
Comment 10 Todd Zullinger 2008-06-21 17:52:36 EDT
Created attachment 309982 [details]
Fixed upstream patch for 1.8.6

The patches previously attached suffer from missing whitespace at the beginning
of each line.  This patch for 1.8.6 is corrected.  It was generated via:

svn diff -c 17460
http://svn.ruby-lang.org/repos/ruby/branches/ruby_1_8_6/{array.c,intern.h,sprintf.c,string.c}


Hope this helps.
Comment 11 Tomas Hoger 2008-06-23 04:29:40 EDT
More public information about theses issues, along with some test cases:

http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html
http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/
http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html

However, there are also multiple posts mentioning problems when upgrading to
current upstream patch levels, most notably reports of new ruby breaking Rails:

http://groups.google.com/group/pdxruby/browse_thread/thread/85e18ef452fa1c7a
http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security-vulnerabilities
http://www.ruby-forum.com/topic/157034

It does not seem to be clear from the discussions, if the problems are caused by
the security fixes or other changes since previous patch level (probably more
likely).
Comment 14 Fedora Update System 2008-06-24 22:50:48 EDT
ruby-1.8.6.230-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2008-06-24 22:52:13 EDT
ruby-1.8.6.230-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Tomas Hoger 2008-06-25 02:03:56 EDT
According to the additional information from Drew, the regression in upstream
release was caused by the introduction of str_buf_cat (see SVN rev 17472).

  http://www.openwall.com/lists/oss-security/2008/06/24/3

Issue can be triggered by:

  ruby -ve 'str = "A"*(2**16) ; loop{ str << str ; puts str.size }'

Problem affects updates Fedora packages:

$ ruby -ve 'str = "A"*(2**16) ; 0.upto(10) { str << str ; puts str.size }'
ruby 1.8.6 (2008-06-20 patchlevel 230) [x86_64-linux]
131072
262144
-e:1: [BUG] Segmentation fault
ruby 1.8.6 (2008-06-20) [x86_64-linux]

Aborted

While on -114:

$ ruby -ve 'str = "A"*(2**16) ; 0.upto(10) { str << str ; puts str.size }'
ruby 1.8.6 (2008-03-03 patchlevel 114) [x86_64-linux]
131072
262144
524288
1048576
2097152
4194304
8388608
16777216
33554432
67108864
134217728

Following upstream commit should resolve this issue:

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17530

Note You need to log in before you can comment on or make changes to this bug.