Your message dated Sat, 06 Oct 2012 20:48:16 +0000
with message-id <e1tkbig-0000hk...@franck.debian.org>
and subject line Bug#689075: fixed in ruby1.9.1 1.9.3.194-2
has caused the Debian Bug report #689075,
regarding CVE-2011-1005: safe level bypass
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
689075: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689075
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ruby1.9.1
Version: 1.9.3.194-1
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch
Dear Maintainer,
While running some regression tests I discovered that 1.9.3.194-1 is
vulnerable to CVE-2011-1005, despite the Ruby advisory stating
otherwise:
http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/
You can use the reproducer in the advisory for verification. Just do a
'puts $secret_path' rather than the 'open($secret_path)' block.
In Ubuntu, the attached patch was applied to achieve the following:
  * SECURITY UPDATE: Safe level bypass
    - debian/patches/20120927-cve_2011_1005.patch: Remove incorrect string
      taint in exception handling methods. Based on upstream patch.
    - CVE-2011-1005
Thanks for considering the patch.
-- System Information:
Debian Release: wheezy/sid
APT prefers quantal-updates
APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 'quantal')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.5.0-15-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru ruby1.9.1-1.9.3.194/debian/changelog ruby1.9.1-1.9.3.194/debian/changelog
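Review bot: the `diff -Nru ... debian/changelog` header on this line is not followed by any hunk, so the changelog entry the report summarises (`SECURITY UPDATE: Safe level bypass`, CVE-2011-1005) is not actually contained in the attached debdiff; either the attachment was truncated or the changelog part was stripped, so regenerate or re-check the debdiff before applying it, since the series and patch parts below are complete but the changelog is not.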
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch
--- ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch 1969-12-31 16:00:00.000000000 -0800
+++ ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch 2012-09-28 00:09:06.000000000 -0700
@@ -0,0 +1,60 @@
+Description: Prevent untainted strings from being incorrectly tainted
+ This flaw allowed untainted strings to be tainted and modified, even in
+ safe level 4.
+Origin: backport, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?revision=30903&view=revision
+Index: ruby1.9.1-1.9.3.194/error.c
+===================================================================
+--- ruby1.9.1-1.9.3.194.orig/error.c 2012-02-25 04:32:19.000000000 -0800
++++ ruby1.9.1-1.9.3.194/error.c 2012-09-26 10:10:15.164576749 -0700
+@@ -569,7 +569,6 @@
+
+ if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
+ r = rb_String(mesg);
+- OBJ_INFECT(r, exc);
+ return r;
+ }
+
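Review bot: dropping `OBJ_INFECT(r, exc);` is the correct fix here because `r = rb_String(mesg);` returns the very same object when `mesg` is already a String, so the removed line set the taint flag on the caller's own message string rather than on a copy; that in-place change is what let an untainted string become tainted (and thereby modifiable) under safe level 4, as the patch `Description:` states. One consequence worth a sentence in that description: `Exception#to_s` on a tainted exception no longer yields a tainted string at all, which the new test below codifies.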
+@@ -854,10 +853,9 @@
+ if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
+ StringValue(str);
+ if (str != mesg) {
+- rb_iv_set(exc, "mesg", mesg = str);
++ OBJ_INFECT(str, mesg);
+ }
+- OBJ_INFECT(mesg, exc);
+- return mesg;
++ return str;
+ }
+
+ /*
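Review bot: besides relocating the infection, this hunk silently drops the `rb_iv_set(exc, "mesg", mesg = str);` caching, so the `to_str` conversion of a non-String message now runs on every `NameError#to_s` call and the `mesg` ivar keeps the caller's original object instead of the converted string; that is what makes the fix safe (the exception never stores or mutates a string the caller still holds), but it is a behaviour change that the patch `Description:` should mention. Note also that `OBJ_INFECT(str, mesg);` now sits inside the `str != mesg` branch, so taint flows only from the message object to the freshly converted string and never from `exc` to an existing string, consistent with the first hunk.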
+Index: ruby1.9.1-1.9.3.194/test/ruby/test_exception.rb
+===================================================================
+--- ruby1.9.1-1.9.3.194.orig/test/ruby/test_exception.rb 2012-02-07 16:44:05.000000000 -0800
++++ ruby1.9.1-1.9.3.194/test/ruby/test_exception.rb 2012-09-26 10:10:15.164576749 -0700
+@@ -333,4 +333,26 @@
+ load(t.path)
+ end
+ end
++
++ def test_to_s_taintness_propagation
++ for exc in [Exception, NameError]
++ m = "abcdefg"
++ e = exc.new(m)
++ e.taint
++ s = e.to_s
++ assert_equal(false, m.tainted?,
++ "#{exc}#to_s should not propagate taintness")
++ assert_equal(false, s.tainted?,
++ "#{exc}#to_s should not propagate taintness")
++ end
++
++ o = Object.new
++ def o.to_str
++ "foo"
++ end
++ o.taint
++ e = NameError.new(o)
++ s = e.to_s
++ assert_equal(true, s.tainted?)
++ end
+ end
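Review bot: both `assert_equal(false, ...)` checks in `test_to_s_taintness_propagation` carry the identical message `"#{exc}#to_s should not propagate taintness"`, so a failure will not say whether the message string `m` or the result `s` became tainted; use distinct messages (for example "should not taint its message" versus "result should not be tainted") and give the final `assert_equal(true, s.tainted?)` a message as well. The `to_str` case is only exercised with a tainted object on an untainted exception; the mirror case of an untainted `to_str` object on a tainted `NameError`, where the result must stay untainted under the new `if (str != mesg)` branch, is not covered.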
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/series ruby1.9.1-1.9.3.194/debian/patches/series
--- ruby1.9.1-1.9.3.194/debian/patches/series 2012-05-27 15:46:34.000000000 -0700
+++ ruby1.9.1-1.9.3.194/debian/patches/series 2012-09-28 00:32:14.000000000 -0700
@@ -16,3 +16,4 @@
110829-hurd_dirent_usage.patch
hurd-path-max.diff
20120517-r35434.patch
+20120927-cve_2011_1005.patch
--- End Message ---
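The aliasing the patch description calls out (an untainted string becoming tainted, and so modifiable, in safe level 4), as an added example that is not code from the bug report, the patch or Ruby itself: a pure-Ruby model of the two versions of `Exception#to_s` from the first error.c hunk. `TStr`, `TExc`, `obj_infect` and `rb_string` are stand-ins for the C objects and macros, and an explicit taint field replaces the interpreter's per-object taint flag, which newer Ruby versions have removed.

```ruby
# Added example, not code from the bug report, the patch or Ruby itself:
# a pure-Ruby model of Exception#to_s from error.c. The explicit `tainted`
# field stands in for the interpreter's per-object taint flag, so the
# aliasing behind CVE-2011-1005 can be shown on any Ruby version.

# Stand-ins for a String object and an exception object with taint flags;
# `mesg` is the exception's "mesg" ivar from error.c.
TStr = Struct.new(:value, :tainted)
TExc = Struct.new(:mesg, :tainted)

# Model of OBJ_INFECT(dest, src): copies src's taint onto dest *in place*.
def obj_infect(dest, src)
  dest.tainted = true if src.tainted
  dest
end

# Model of rb_String(): an existing TStr is returned as the same object;
# anything else is converted through to_str into a fresh TStr.
def rb_string(obj)
  obj.is_a?(TStr) ? obj : TStr.new(obj.to_str, false)
end

# Exception#to_s before the patch: infects `r`, which is the caller's own
# message object whenever `mesg` was already a string.
def exc_to_s_before(exc)
  r = rb_string(exc.mesg)
  obj_infect(r, exc)
  r
end

# Exception#to_s after the patch: the message string is returned untouched.
def exc_to_s_after(exc)
  rb_string(exc.mesg)
end

# True if calling the given to_s on a tainted exception left the caller's
# untainted message string tainted, i.e. the CVE-2011-1005 behaviour.
def message_tainted_by?(impl)
  m = TStr.new("abcdefg", false)
  send(impl, TExc.new(m, true))
  m.tainted
end
```

Because `rb_string` hands back the same object it was given, the "before" version's infection is visible to whoever created the message string, which is exactly what the untainted-string reproducer in the advisory relies on.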
--- Begin Message ---
Source: ruby1.9.1
Source-Version: 1.9.3.194-2
We believe that the bug you reported is fixed in the latest version of
ruby1.9.1, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 689...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Antonio Terceiro <terce...@debian.org> (supplier of updated ruby1.9.1 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 06 Oct 2012 16:29:42 -0300
Source: ruby1.9.1
Binary: ruby1.9.1 libruby1.9.1 libruby1.9.1-dbg ruby1.9.1-dev
libtcltk-ruby1.9.1 ruby1.9.1-examples ri1.9.1 ruby1.9.1-full ruby1.9.3
Architecture: source all amd64
Version: 1.9.3.194-2
Distribution: unstable
Urgency: low
Maintainer: akira yamada <ak...@debian.org>
Changed-By: Antonio Terceiro <terce...@debian.org>
Description:
libruby1.9.1 - Libraries necessary to run Ruby 1.9.1
libruby1.9.1-dbg - Debugging symbols for Ruby 1.9.1
libtcltk-ruby1.9.1 - Tcl/Tk interface for Ruby 1.9.1
ri1.9.1 - Ruby Interactive reference (for Ruby 1.9.1)
ruby1.9.1 - Interpreter of object-oriented scripting language Ruby
ruby1.9.1-dev - Header files for compiling extension modules for the Ruby 1.9.1
ruby1.9.1-examples - Examples for Ruby 1.9
ruby1.9.1-full - Ruby 1.9.1 full installation
ruby1.9.3 - Interpreter of object-oriented scripting language Ruby, version 1
Closes: 689075
Changes:
ruby1.9.1 (1.9.3.194-2) unstable; urgency=low
.
  * debian/patches/20120927-cve_2011_1005.patch: patch sent by upstream;
    fixes CVE-2011-1005 which was thought of as not affecting the Ruby 1.9.x
    series (Closes: #689075). Thanks to Tyler Hicks <tyhi...@canonical.com>
    for reporting the issue.
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlBwkJAACgkQDOM8kQ+cso9U6gCfXP6ZYoXE7RxQq1Joex8f+2Cn
tcIAni9jGims6oaUHX98qIwYR8nZ99sV
=0odx
-----END PGP SIGNATURE-----
--- End Message ---