Bug 458948 - CVE-2008-3655 ruby: multiple insufficient safe mode restrictions
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
reported=20080808,public=20080808,sou...
Keywords: Security
Duplicates: 458789
Depends On: 461576 461578 461579 461580 461590 461591
Reported: 2008-08-13 09:06 EDT by Jan Lieskovsky
Modified: 2011-10-27 09:33 EDT

Doc Type: Bug Fix
Last Closed: 2008-11-13 10:22:10 EST

Attachments:
New testcase to reproduce the untrace_var at SAFE level 4 issue. (195 bytes, application/x-ruby)
2008-09-25 08:34 EDT, Jan Lieskovsky
Description Jan Lieskovsky 2008-08-13 09:06:10 EDT
Description of problem:

Ruby upstream has announced multiple security vulnerabilities
related to improper Ruby access restriction of critical
variables and methods at various safe levels:

a, untrace_var is permitted at safe level 4.
   Affects: rhel-2.1->rhel-5.3
   Proposed patch:
       http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17692

b, $PROGRAM_NAME may be modified at safe level 4.
   Doesn't Affect: rhel-2.1->rhel-4.8
           Affects: rhel-5.2.z, rhel-5.3
   Proposed patch: ?

c, Insecure methods may be called at safe level 1-3
   Affects: rhel-2.1->rhel-5.3
   Proposed patch:
       http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17696

d, Syslog operations are permitted at safe level 4.
   Affects: rhel-2.1->rhel-5.3
   Proposed patch:
       http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17809


Version-Release number of selected component (if applicable):
All versions of the Ruby package as shipped with Red Hat Enterprise Linux
2.1, 3, 4 and 5.

How reproducible:
Always

Steps to Reproduce:
See reproducers.

Additional info -- public mention of this issue:

http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
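Added regression check (not the bug's attachment and not upstream code): it runs the operations from items a, b and d in a thread at $SAFE level 4 and reports whether the running interpreter blocks them, which is what a packager would want to confirm after applying the patches above. Item c is omitted because the report names no concrete method to exercise; the check assumes a Ruby that still implements level 4 (1.8/1.9/2.0) and reports :unsupported on later interpreters, where $SAFE=4 raises ArgumentError (2.1 to 2.x) or has no effect (3.0 and later).

```ruby
# Run the block with $SAFE raised to +level+ and classify the outcome.
#   :blocked     - SecurityError was raised (the restriction is enforced)
#   :permitted   - the operation succeeded (interpreter is not fixed)
#   :unsupported - this Ruby no longer implements the requested level
# In Ruby 1.8 $SAFE is thread-local, so the main thread stays at level 0.
def run_at_safe_level(level)
  return :unsupported if RUBY_VERSION.to_i >= 3   # $SAFE is an ordinary global in 3.x
  Thread.new do
    begin
      $SAFE = level
    rescue ArgumentError                          # 2.1-2.x: "$SAFE=2 to 4 are obsolete"
      next :unsupported
    end
    begin
      yield
      :permitted
    rescue SecurityError
      :blocked
    end
  end.value
end

# Trace a constructed global at level 0 so only untrace_var is exercised at level 4
# (trace_var itself is also restricted at level 4).
trace_var(:$check_var) { }

def syslog_available?
  require "syslog"
  true
rescue LoadError
  false
end

# One entry per report item that names a concrete operation; keys are constructed labels.
def safe_level_report
  {
    "a: untrace_var at $SAFE=4"    => run_at_safe_level(4) { untrace_var(:$check_var) },
    "b: $PROGRAM_NAME= at $SAFE=4" => run_at_safe_level(4) { $PROGRAM_NAME = "renamed" },
    "d: Syslog.open at $SAFE=4"    => (syslog_available? ?
      run_at_safe_level(4) { Syslog.open("safe-check"); Syslog.close } : :unsupported),
  }
end

if __FILE__ == $0
  safe_level_report.each { |name, result| puts "#{name.ljust(32)} #{result}" }
end
```

Any :permitted line means the corresponding restriction is missing from the interpreter under test.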
Comment 6 Jan Lieskovsky 2008-08-13 09:24:51 EDT
*** Bug 458789 has been marked as a duplicate of this bug. ***
Comment 12 Akira TAGOH 2008-09-14 04:27:40 EDT
d. doesn't affect rhel2.1 - syslog module was available since 1.6.6 and we have shipped 1.6.4 for rhel2.1. FYI.
Comment 16 Fedora Update System 2008-10-08 10:20:54 EDT
ruby-1.8.6.287-2.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/ruby-1.8.6.287-2.fc8
Comment 17 Fedora Update System 2008-10-08 10:22:54 EDT
ruby-1.8.6.287-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/ruby-1.8.6.287-2.fc9
Comment 18 Fedora Update System 2008-10-09 17:29:10 EDT
ruby-1.8.6.287-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2008-10-09 17:35:01 EDT
ruby-1.8.6.287-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
