Bug 458948 (CVE-2008-3655) - CVE-2008-3655 ruby: multiple insufficient safe mode restrictions
Summary: CVE-2008-3655 ruby: multiple insufficient safe mode restrictions
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-3655
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 458789 (view as bug list)
Depends On: 461576 461578 461579 461580 461590 461591
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-08-13 13:06 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:26 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-11-13 15:22:10 UTC


Attachments (Terms of Use)
New testcase to reproduce the untrace_var at SAFE level 4 issue. (195 bytes, application/x-ruby)
2008-09-25 12:34 UTC, Jan Lieskovsky
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0895 normal SHIPPED_LIVE Moderate: ruby security update 2008-10-21 14:52:55 UTC
Red Hat Product Errata RHSA-2008:0896 normal SHIPPED_LIVE Moderate: ruby security update 2008-10-21 14:52:39 UTC
Red Hat Product Errata RHSA-2008:0897 normal SHIPPED_LIVE Moderate: ruby security update 2008-10-21 14:43:41 UTC

Description Jan Lieskovsky 2008-08-13 13:06:10 UTC
Description of problem:

Ruby upstream has announced multiple security vulnerabilities 
related with not proper Ruby access restriction to critical
variables and methods at various safe levels:

a, untrace_var is permitted at safe level 4.
   Affects: rhel-2.1->rhel-5.3
   Proposed patch: 
       http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17692

b, $PROGRAM_NAME may be modified at safe level 4.
   Doesn't Affect: rhel-2.1->rhel-4.8
           Affects: rhel-5.2.z, rhel-5.3
   Proposed patch: ? 
   
c, Insecure methods may be called at safe level 1-3
   Affects: rhel-2.1->rhel-5.3
   Proposed patch:    
       http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17696

d, Syslog operations are permitted at safe level 4.
   Affects: rhel-2.1->rhel-5.3
   Proposed patch: 
       http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17809


Version-Release number of selected component (if applicable):
All versions of the Ruby package as shipped with Red Hat Enterprise Linux
2.1, 3, 4 and 5.

How reproducible:
Always

Steps to Reproduce:
See reproducers.

Additional info -- public mention of this issue:

http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/

Comment 6 Jan Lieskovsky 2008-08-13 13:24:51 UTC
*** Bug 458789 has been marked as a duplicate of this bug. ***

Comment 12 Akira TAGOH 2008-09-14 08:27:40 UTC
d. doesn't affect rhel2.1 - syslog module was available since 1.6.6 and we have shipped 1.6.4 for rhel2.1. FYI.

Comment 16 Fedora Update System 2008-10-08 14:20:54 UTC
ruby-1.8.6.287-2.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/ruby-1.8.6.287-2.fc8

Comment 17 Fedora Update System 2008-10-08 14:22:54 UTC
ruby-1.8.6.287-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/ruby-1.8.6.287-2.fc9

Comment 18 Fedora Update System 2008-10-09 21:29:10 UTC
ruby-1.8.6.287-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2008-10-09 21:35:01 UTC
ruby-1.8.6.287-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.