mailing list archives
Re: CVE Request: Ruby safe level bypasses
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 03 Oct 2012 14:41:17 -0600
-----BEGIN PGP SIGNED MESSAGE-----
On 10/03/2012 02:30 PM, Tyler Hicks wrote:
On 2012-10-03 13:48:14, Kurt Seifried wrote:
On 10/02/2012 04:32 PM, Tyler Hicks wrote:
Hello - Upstream Ruby has fixed exception methods that
incorrectly allowed safe level bypasses. These bypasses
allowed untainted strings to be modified by untrusted code in
safe level 4.
Note that the changes to exc_to_s() and name_err_to_s(), in
error.c, are similar to the fix for CVE-2011-1005, but the
Ruby advisory made it clear that Ruby 1.9.x was not affected
by CVE-2011-1005. It turns out that the vulnerability was
later reintroduced to Ruby's trunk in revision 29456. Ruby
1.9.3-p0 and later is affected.
While Shugo Maeda was fixing the issue above, he noticed that
name_err_mesg_to_str() had a similar flaw. Ruby 1.8.x, along
with 1.9.3-p0 and later is affected.
I believe that these issues need two separate CVEs. Both
issues are fixed in the same upstream patch. Could you
please allocate ids?
Please use CVE-2012-4464 for this issue.
Hi Kurt - I think that two CVE ids are needed here.
All issues are fixed in the same upstream patch but some issues in
that patch affect different versions. I'll use the notation from
"CVE Abstraction Content Decisions: Rationale and Application" to
describe how I see it:
S1: The vulnerability found in exc_to_s() S2: The vulnerability
found in name_err_to_s() S3: The vulnerability found in
S1, S2 and S3 are the same type of bug. S1 and S2 appear in the
same versions (1.9.3-p0 and newer), so MERGE them. S3 appears in
1.8.x, as well as 1.9.3-p0 and newer, so SPLIT it from S1 and S2.
And this is why I should probably be more aggressive about asking for
commits to be broken out by software version if multiple versions are
Ok let's continue to use CVE-2012-4464 for the exc_to_s() and
name_err_to_s() issues which affect 1.9.3-p0 and newer.
For name_err_mesg_to_str() which affects both 1.9.3-p0 and newer and
1.8.x please use CVE-2012-4466.
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
-----END PGP SIGNATURE-----