Bug 865940 (CVE-2012-4522) - CVE-2012-4522 ruby: unintentional file creation caused by inserting an illegal NUL character
Summary: CVE-2012-4522 ruby: unintentional file creation caused by inserting an illega...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-4522
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20121012,repor...
Depends On: 866567 867750 904022 988686
Blocks: 816611 865943
TreeView+ depends on / blocked
 
Reported: 2012-10-12 21:02 UTC by Vincent Danen
Modified: 2019-06-08 19:16 UTC (History)
10 users (show)

Fixed In Version: ruby 1.9.3p286
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-19 05:09:58 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0129 normal SHIPPED_LIVE Moderate: ruby security and bug fix update 2013-01-08 09:33:46 UTC
Red Hat Product Errata RHSA-2013:0582 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Enterprise 1.1.1 update 2013-03-01 00:05:18 UTC

Description Vincent Danen 2012-10-12 21:02:29 UTC
An upstream Ruby security notice [1] indicated that ruby suffered from a flaw where unintended files could be created if they contained a NUL characer in the file path or name.  Certain methods like IO#open did not check the filename passed to them, and just passed those strings to lower layer routines, which could lead to unintentional files being created, as demonstrated:

  p File.exists?("foo")      #=> false
  open("foo\0bar", "w") { |f| f.puts "hai" }
  p File.exists?("foo")      #=> true
  p File.exists?("foo\0bar") #=> raises ArgumentError

Upstream indicates that ruby 1.9.3 prior to patchlevel 286 is vulnerable.  An upstream patch is available [2].

[1] http://preview.ruby-lang.org/en/news/2012/10/12/poisoned-NUL-byte-vulnerability/
[2] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37163

Comment 2 Vincent Danen 2012-10-15 15:56:35 UTC
This was assigned the name CVE-2012-4522:

http://seclists.org/oss-sec/2012/q4/72

Comment 3 Vincent Danen 2012-10-15 15:58:10 UTC
Created ruby tracking bugs for this issue

Affects: fedora-all [bug 866567]

Comment 5 Fedora Update System 2012-10-18 03:50:15 UTC
ruby-1.9.3.286-19.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Huzaifa S. Sidhpurwala 2012-10-19 07:37:13 UTC
This issue did not affect the version of ruby as shipped with Fedora-16.

This issue was fixed in Fedora-17, via the following security advisory:

https://admin.fedoraproject.org/updates/FEDORA-2012-16086/ruby-1.9.3.286-18.fc17

Comment 13 Fedora Update System 2012-10-22 01:59:23 UTC
ruby-1.9.3.286-18.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 errata-xmlrpc 2013-01-08 05:08:59 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0129 https://rhn.redhat.com/errata/RHSA-2013-0129.html

Comment 16 Huzaifa S. Sidhpurwala 2013-01-08 09:21:45 UTC
Statement:

This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 6.

Comment 18 errata-xmlrpc 2013-02-28 19:08:24 UTC
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0582 https://rhn.redhat.com/errata/RHSA-2013-0582.html


Note You need to log in before you can comment on or make changes to this bug.