This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 892221 - rubygem-ruby_parser: Incorrect usage of file in /tmp/ ( /usr/share/gems/gems/ruby_parser-2.0.4/lib/gauntlet_rubyparser.rb ) [fedora-all]
rubygem-ruby_parser: Incorrect usage of file in /tmp/ ( /usr/share/gems/gems/...
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: rubygem-ruby_parser (Show other bugs)
20
Unspecified Unspecified
low Severity low
: ---
: ---
Assigned To: Mo Morsi
Fedora Extras Quality Assurance
, fst_ping=1
: Security, SecurityTracking
Depends On:
Blocks: CVE-2013-0162
  Show dependency treegraph
 
Reported: 2013-01-05 18:57 EST by Michael Scherer
Modified: 2015-06-15 13:02 EDT (History)
3 users (show)

See Also:
Fixed In Version: rubygem-ruby_parser-3.6.1-1.fc21
Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-06-15 13:02:35 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
tentative patch to fix the issue (1.20 KB, patch)
2013-01-07 17:56 EST, Michael Scherer
no flags Details | Diff

  None (edit)
Description Michael Scherer 2013-01-05 18:57:42 EST
Looking for incorrect /tmp/ usage, I found the following piece of code in /usr/share/gems/gems/ruby_parser-2.0.4/lib/gauntlet_rubyparser.rb

  def diff_pp o1, o2
    require 'pp'

    File.open("/tmp/a.#{$$}", "w") do |f|
      PP.pp o1, f
    end

    File.open("/tmp/b.#{$$}", "w") do |f|
      PP.pp o2, f
    end

    `diff -u /tmp/a.#{$$} /tmp/b.#{$$}`
  ensure
    File.unlink "/tmp/a.#{$$}" rescue nil
    File.unlink "/tmp/b.#{$$}" rescue nil
  end

Basically, if someone create a link from /tmp/a.1234, this could result in either a denial of service ( if the file cannot be written due to wrong permissions ), or into a file injection ( if someone use a symlink to another file, like ~/.ssh/authorized_keys, and do not have restriction on this using yama on kernel 3.6 ).

For security team, this is shipped as part of the cloudforms channel for RHEL on RHN, but I am not sure if that function is used, and I think it is not. 

The package is used on epel 5, 6 and all versions of Fedora.

No CVE have been asked for now, and upstream was not yet notified yet. And this issue is still secret so far.
Comment 1 Michael Scherer 2013-01-05 19:01:36 EST
In fact, this package is likely requested by all of our software that use rails ( aeolus, foreman, openshift origin ), so more than 1 channel may need to be updated ( I hope this is automatic )

$ repoquery --whatrequires 'rubygem(ruby_parser)'
rubygem-haml-0:3.1.6-1.fc18.noarch
rubygem-ruby2ruby-0:1.2.4-7.fc18.noarch

$ repoquery --whatrequires 'rubygem(ruby2ruby)'  
rubygem-thor-0:0.14.6-6.fc18.noarch

$ repoquery --whatrequires 'rubygem(thor)'     
rubygem-bundler-0:1.1.4-2.fc18.noarch
rubygem-jquery-rails-0:2.0.2-1.fc18.noarch
rubygem-railties-0:3.2.8-1.fc18.noarch

$ repoquery --whatrequires 'rubygem(bundler)'
rubygem-appraisal-0:0.5.1-1.fc18.noarch
rubygem-rails-1:3.2.8-1.fc18.noarch

$ repoquery --whatrequires 'rubygem(rails)'  
aeolus-conductor-0:0.10.6-2.fc18.noarch
openshift-origin-broker-0:0.6.17-3.fc18.noarch
rubygem-apipie-rails-0:0.0.13-2.fc18.noarch
rubygem-cucumber-rails-0:1.3.0-1.fc18.noarch
rubygem-declarative_authorization-0:0.5.6-1.fc18.noarch
rubygem-gettext_i18n_rails-0:0.6.6-1.fc18.noarch
rubygem-rails_warden-0:0.5.7-1.fc18.noarch
Comment 2 Vincent Danen 2013-01-07 16:53:17 EST
Michael, thanks for this.  Did you intend on informing upstream of this issue?
Comment 3 Michael Scherer 2013-01-07 17:14:12 EST
I plan to send a patch once I have time ( likely in 1 or 2 days, depend on the number of people in the train tomorrow morning ). 

Should I ask upstream for a embargo, or the issue is mundane enough to not require it ? 

( I think that's minor enough but maybe we want to first prepare package and then announce it ? )
Comment 4 Michael Scherer 2013-01-07 17:56:30 EST
Created attachment 674402 [details]
tentative patch to fix the issue

I created a patch, but the tests are failling on git head :

1226 tests, 5615 assertions, 446 failures, 3 errors, 0 skips
rake aborted!

however, my patch do not add new failures. But I am not sure this part is tested.
So that's without guarantee. I will contact upstream tomorrow morning

And looking at Fedora, we do not have gauntlet ( https://github.com/seattlerb/gauntlet ), and the faulty code is in a plugin for this module. So I am pretty sure the code path is not widely used ( so no urgency ).
Comment 5 Michael Scherer 2013-01-12 14:14:18 EST
Upstream have been notified by mail, along with the patch.
Comment 6 Vincent Danen 2013-04-03 22:01:12 EDT
This still needs to be corrected in Fedora, does it not?
Comment 7 Fedora End Of Life 2013-12-21 10:16:38 EST
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 8 Michael Scherer 2013-12-22 07:36:18 EST
Still valid.
Comment 9 Vít Ondruch 2014-07-14 08:20:37 EDT
This was fixed by ruby_parser 3.1.2

https://github.com/seattlerb/ruby_parser/commit/506c7e13cff6f8715385fa8488b621028b4ad280

The entire file was later removed in ruby_parser 3.4.0 by

https://github.com/seattlerb/ruby_parser/commit/50d20b9915cd93a3abfe16901828deb289d8d6b0

Since this is going to be fixed in F21 now, I change the version back to F20
Comment 10 Eric Christensen 2014-10-27 10:20:52 EDT
Sorry, removed wrong CC.
Comment 11 pjp 2015-04-09 13:31:57 EDT
Hello mmorsi@redhat.com,

You plan to fix this soon?
Comment 12 Fedora End Of Life 2015-05-29 04:50:36 EDT
This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '20'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 20 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 13 Mo Morsi 2015-06-15 13:02:35 EDT
Hey pjp sorry for the belated response on this one. Since this is fixed in F21+ and F20 is EOL I'm going to close this as won't fix. If anyone needs this let me know.

Note You need to log in before you can comment on or make changes to this bug.