Drew Yao of the Apple Product Security team reported an integer overflow leading to a memory mis-allocation and heap overflow in the rb_str_buf_append() function used by the ruby interpreter for handling strings. This can be used to crash and possibly execute arbitrary code with the privileges of Ruby applications which use untrusted input in string operations.

Acknowledgements: Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting this issue.
Created attachment 308901 [details]
Drew Yao's proposed patch against ruby 1.8.5

Created attachment 308902 [details]
Drew Yao's proposed patch against ruby 1.9
Created attachment 309653 [details]
Upstream patch against 1.8.6

Upstream patch for CVE-2008-266[234], CVE-2008-272[56] against ruby 1.8.6.

Created attachment 309654 [details]
Upstream patch against 1.9

Upstream patch for CVE-2008-2662 and CVE-2008-2726 against ruby 1.9.
Public now, lifting embargo:
http://preview.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities

Upstream released fixed versions: 1.8.5-p231, 1.8.6-p230, 1.8.7-p22, 1.9.0-2

Patches applied upstream:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17460
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17472

Created attachment 309982 [details]
Fixed upstream patch for 1.8.6

The patches previously attached suffer from missing whitespace at the beginning of each line. This patch for 1.8.6 is corrected. It was generated via:

svn diff -c 17460 http://svn.ruby-lang.org/repos/ruby/branches/ruby_1_8_6/{array.c,intern.h,sprintf.c,string.c}

Hope this helps.
More public information about these issues, along with some test cases:
http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html
http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/
http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html

However, there are also multiple posts mentioning problems when upgrading to current upstream patch levels, most notably reports of new ruby breaking Rails:
http://groups.google.com/group/pdxruby/browse_thread/thread/85e18ef452fa1c7a
http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security-vulnerabilities
http://www.ruby-forum.com/topic/157034

It does not seem to be clear from the discussions if the problems are caused by the security fixes or by other changes since the previous patch level (probably more likely).
ruby-1.8.6.230-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
ruby-1.8.6.230-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
According to the additional information from Drew, the regression in the upstream release was caused by the introduction of str_buf_cat (see SVN rev 17472).
http://www.openwall.com/lists/oss-security/2008/06/24/3

Issue can be triggered by:

ruby -ve 'str = "A"*(2**16) ; loop{ str << str ; puts str.size }'

Problem affects updated Fedora packages:

$ ruby -ve 'str = "A"*(2**16) ; 0.upto(10) { str << str ; puts str.size }'
ruby 1.8.6 (2008-06-20 patchlevel 230) [x86_64-linux]
131072
262144
-e:1: [BUG] Segmentation fault
ruby 1.8.6 (2008-06-20) [x86_64-linux]

Aborted

While on -114:

$ ruby -ve 'str = "A"*(2**16) ; 0.upto(10) { str << str ; puts str.size }'
ruby 1.8.6 (2008-03-03 patchlevel 114) [x86_64-linux]
131072
262144
524288
1048576
2097152
4194304
8388608
16777216
33554432
67108864
134217728

Following upstream commit should resolve this issue:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17530
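The two failure modes discussed in this bug are length arithmetic that wraps before allocation (the original rb_str_buf_append() report) and a buffer-append routine that mishandles appending a string to itself (the "str << str" regression). The following toy growable buffer is an added example written for this page; it is not Ruby's string.c, and the strbuf type, strbuf_append(), strbuf_reserve(), unchecked_total() and doubling_rounds() are constructed for illustration. It shows the overflow check a defender expects in front of every len + add computation, capacity doubling that cannot itself overflow, and an append that stays correct when the source aliases the buffer being grown.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Toy growable byte buffer (constructed for this example, not Ruby's RString). */
typedef struct {
    char *ptr;   /* heap storage, always NUL-terminated when len > 0 */
    size_t len;  /* bytes in use */
    size_t cap;  /* bytes allocated */
} strbuf;

/* Unchecked 32-bit length arithmetic, kept only to make the failure mode
 * explicit: the sum wraps modulo 2^32, so a caller that allocates this many
 * bytes and then copies len + add bytes writes past the allocation. */
unsigned unchecked_total(unsigned len, unsigned add) {
    return len + add;  /* wraps, e.g. 0xFFFFFFF0 + 0x20 == 0x10 */
}

/* Grow b so it can hold at least `need` bytes. Capacity doubles until it is
 * sufficient; the doubling itself is overflow-checked. Returns 0 on success,
 * -1 on allocation failure (buffer untouched). */
static int strbuf_reserve(strbuf *b, size_t need) {
    if (need <= b->cap) return 0;
    size_t cap = b->cap ? b->cap : 16;
    while (cap < need) {
        if (cap > SIZE_MAX / 2) { cap = need; break; }  /* doubling would wrap */
        cap *= 2;
    }
    char *p = realloc(b->ptr, cap);
    if (!p) return -1;
    b->ptr = p;
    b->cap = cap;
    return 0;
}

/* Append `add` bytes from src. Rejects (returns -1) any request whose total
 * length would not fit in size_t, and correctly handles src pointing into
 * the buffer itself, which realloc() may move. */
int strbuf_append(strbuf *b, const char *src, size_t add) {
    /* Overflow check before any arithmetic: len + add + 1 (NUL) must fit. */
    if (add > SIZE_MAX - 1 - b->len) return -1;
    size_t need = b->len + add + 1;

    /* Self-append case ("str << str"): remember the offset, not the pointer,
     * because realloc() in strbuf_reserve() may relocate the block. */
    int aliased = b->ptr != NULL && src >= b->ptr && src < b->ptr + b->len;
    size_t off = aliased ? (size_t)(src - b->ptr) : 0;

    if (strbuf_reserve(b, need) != 0) return -1;
    if (aliased) src = b->ptr + off;

    memmove(b->ptr + b->len, src, add);
    b->len += add;
    b->ptr[b->len] = '\0';
    return 0;
}

/* Re-run the report's doubling loop against the toy buffer: seed with 2^16
 * 'A's, then append the buffer to itself `rounds` times. Returns the final
 * length (131072 after the first round, as in the report), or 0 if any
 * append was refused. */
size_t doubling_rounds(unsigned rounds) {
    strbuf b = {0};
    const size_t seed_len = (size_t)1 << 16;
    char *seed = malloc(seed_len);
    if (!seed) return 0;
    memset(seed, 'A', seed_len);
    int rc = strbuf_append(&b, seed, seed_len);
    free(seed);
    if (rc != 0) return 0;
    for (unsigned i = 0; i < rounds; i++) {
        if (strbuf_append(&b, b.ptr, b.len) != 0) { free(b.ptr); return 0; }
    }
    size_t n = b.len;
    free(b.ptr);
    return n;
}

int main(void) {
    printf("wrapped total: 0x%x\n", unchecked_total(0xFFFFFFF0u, 0x20u));
    printf("after 3 self-appends: %zu bytes\n", doubling_rounds(3));
    strbuf b = {0};
    printf("oversized append refused: %d\n", strbuf_append(&b, "x", SIZE_MAX) == -1);
    return 0;
}
```

The aliasing handling is the part most worth copying: a append routine that reads from src after growing its own storage is only safe if src was recomputed from an offset, and the overflow check must precede the allocation rather than follow it.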
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0561.html

Fedora:
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-5649
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-5664