Debian Bug report logs - #378029
ruby1.8: CVE-2006-3694, JVN#13947696, JVN#83768862: safety check bypass


Package: ruby1.8; Maintainer for ruby1.8 is akira yamada <akira@debian.org>; Source for ruby1.8 is src:ruby1.8.

Reported by: Kobayashi Noritada <nori1@dolphin.c.u-tokyo.ac.jp>

Date: Wed, 12 Jul 2006 18:04:11 UTC

Severity: grave

Tags: patch, security

Found in version ruby1.8/1.8.2-7sarge2

Fixed in versions 1.8.4-2, ruby1.8/1.8.2-7sarge4

Done: akira yamada <akira@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#378029; Package ruby1.8.

Acknowledgement sent to Kobayashi Noritada <nori1@dolphin.c.u-tokyo.ac.jp>:
New Bug report received and forwarded. Copy sent to akira yamada <akira@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Kobayashi Noritada <nori1@dolphin.c.u-tokyo.ac.jp>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby1.8: Two safety vulnerabilities for Ruby: JVN#13947696 and JVN#83768862
Date: Thu, 13 Jul 2006 02:57:43 +0900
Package: ruby1.8
Version: 1.8.2-7sarge2
Severity: grave
Tags: security patch
Justification: user security hole


Japan Vendor Status Notes (JVN) announced two vulnerabilities for Ruby.

JVN#13947696:

Some methods have defects such that they can call other methods, which
really should be prohibited, at safe level 4.

* Information:
  * http://jvn.jp/jp/JVN%2313947696/index.html (in Japanese)
  * http://www.ipa.go.jp/security/vuln/documents/2006/JVN_13947696_Ruby.html (in Japanese)
* Affected versions: All versions and snapshots before Ruby 1.8.4-20060516.

JVN#83768862:

Alias features cannot handle safe levels correctly, so it can be a safety
bypass.

* Information:
  * http://jvn.jp/jp/JVN%2383768862/index.html (in Japanese)
  * http://www.ipa.go.jp/security/vuln/documents/2006/JVN_13947696_Ruby.html (in Japanese)
* Affected versions: All versions and snapshots before Ruby 1.8.4-20060516.

Since currently the upstream does not plan to release patches,
I've created ones to fix them.  I wish they work, but I have no
confidence (especially for JVN#13947696) and would like to have them reviewed.

alias_safe_level.patch:
  May fix JVN#83768862, based on the "eval.c (rb_call0)" and
  "eval.c (rb_alias)" parts of
  http://www.atdot.net/~ko1/w3ml/w3ml.cgi/ruby-cvs/msg/16613
  (and http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/eval.c?cvsroot=src&r1=1.616.2.166&r2=1.616.2.167 ).

avoid_modifying_untainted_objects.patch:
  May fix JVN#13947696, based on the "re.c (rb_reg_initialize)" part of
  http://www.atdot.net/~ko1/w3ml/w3ml.cgi/ruby-cvs/msg/16723
  (and http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/re.c?cvsroot=src&r1=1.114.2.17&r2=1.114.2.18 ).

avoid_modifying_untainted_objects_2.patch:
  May fix JVN#13947696, based on
  http://www.atdot.net/~ko1/w3ml/w3ml.cgi/ruby-cvs/msg/16724
  (and http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/dir.c?cvsroot=src&r1=1.92.2.32&r2=1.92.2.33 ).


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-3-686
Locale: LANG=ja_JP.eucJP, LC_CTYPE=ja_JP.eucJP (charmap=EUC-JP)

Versions of packages ruby1.8 depends on:
ii  libc6                 2.3.2.ds1-22sarge3 GNU C Library: Shared libraries an
ii  libruby1.8            1.8.2-7sarge2      Libraries necessary to run Ruby 1.

-- no debconf information
[alias_safe_level.patch (text/plain, attachment)]
[avoid_modifying_untainted_objects.patch (text/x-c, attachment)]
[avoid_modifying_untainted_objects_2.patch (text/x-c, attachment)]
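The two defects above depend on the same piece of interpreter bookkeeping: a method entry remembers the $SAFE level in force when it was defined and a call never runs its body below that level, and at level 4 nothing may modify an untainted object. The script below is an added illustration for this bug log, written in plain Ruby; it is not the reporter's patches, not the Ruby 1.8 sources (which keep the level in the C method node in eval.c and the taint bit on the object), and it runs on current Ruby precisely because it does not use the removed $SAFE or taint APIs. The names Sandbox, Obj, alias_buggy, alias_fixed, reinit_unchecked and reinit_checked are invented for the model, and the way the buggy alias is modelled (an entry that carries no level and so looks like trusted code) is an assumption about the shape of JVN#83768862, not a reconstruction of the fixed code.

```ruby
# Toy model of the $SAFE bookkeeping behind this report (illustration only,
# not Ruby 1.8's implementation). Two properties are reproduced:
#   1. a method remembers the level it was defined at; a call never runs
#      its body at a lower level;
#   2. at level 4, untainted objects must not be modified.
# ASSUMPTION: the buggy alias is modelled as an entry with no level (0).

class SandboxError < StandardError; end

# Model object: a mutable value and a taint flag (stand-in for OBJ_TAINTED).
Obj = Struct.new(:value, :tainted)

class Sandbox
  attr_reader :safe_level

  def initialize
    @safe_level = 0
    @methods = {} # name => { body: Proc, level: Integer }
  end

  # Run the block with the level raised to at least +level+, then restore it.
  def at_level(level)
    old = @safe_level
    @safe_level = [old, level].max
    yield
  ensure
    @safe_level = old
  end

  # Define a method; the current level is recorded with it.
  def define(name, &body)
    @methods[name] = { body: body, level: @safe_level }
  end

  # Buggy alias: the new entry does not carry the original's level, so it
  # is indistinguishable from a method defined by trusted code.
  def alias_buggy(new_name, old_name)
    @methods[new_name] = { body: @methods.fetch(old_name)[:body], level: 0 }
  end

  # Fixed alias: the new entry is a copy of the original, level included.
  def alias_fixed(new_name, old_name)
    @methods[new_name] = @methods.fetch(old_name).dup
  end

  # Invoke a method with the level raised to the method's recorded level.
  def call(name, *args)
    m = @methods.fetch(name)
    at_level(m[:level]) { m[:body].call(self, *args) }
  end

  # In-place re-initialisation of an existing object (what Regexp#initialize
  # on an already-built Regexp does). The unchecked form is the defect.
  def reinit_unchecked(obj, value)
    obj.value = value
    obj
  end

  # Checked form: refuse to modify an untainted object at level 4.
  def reinit_checked(obj, value)
    if @safe_level >= 4 && !obj.tainted
      raise SandboxError, "Insecure: can't modify untainted object at level #{@safe_level}"
    end
    obj.value = value
    obj
  end
end

# JVN#13947696 shape: code running at level 4 re-initialises a trusted,
# untainted object. Returns [:modified or :blocked, final value].
def reinit_at_level_4(checked:, tainted: false)
  sb = Sandbox.new
  target = Obj.new("original", tainted)
  sb.at_level(4) do
    checked ? sb.reinit_checked(target, "overwritten") : sb.reinit_unchecked(target, "overwritten")
  end
  [:modified, target.value]
rescue SandboxError
  [:blocked, target.value]
end

# JVN#83768862 shape: untrusted code at level 4 defines a method whose body
# modifies a trusted object, then aliases it under an innocent name that
# trusted code later calls at level 0. With the checked reinit in place,
# the only way through is an alias that lost the recorded level.
def alias_scenario(fixed_alias:)
  sb = Sandbox.new
  target = Obj.new("original", false)
  sb.at_level(4) do
    sb.define(:pwn) { |s| s.reinit_checked(target, "overwritten") }
    fixed_alias ? sb.alias_fixed(:to_s, :pwn) : sb.alias_buggy(:to_s, :pwn)
  end
  sb.call(:to_s) # trusted caller, level 0
  [:modified, target.value]
rescue SandboxError
  [:blocked, target.value]
end

if $PROGRAM_NAME == __FILE__
  p reinit_at_level_4(checked: false)   # [:modified, "overwritten"]
  p reinit_at_level_4(checked: true)    # [:blocked, "original"]
  p alias_scenario(fixed_alias: false)  # [:modified, "overwritten"]
  p alias_scenario(fixed_alias: true)   # [:blocked, "original"]
end
```

The point the model makes is that the two fixes are independent: the reinit check alone does not help if an alias can shed the level the body was defined under, and the alias fix alone does not help if a mutating initializer never consults the level at all.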

Information forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#378029; Package ruby1.8.

Acknowledgement sent to Kobayashi Noritada <nori1@dolphin.c.u-tokyo.ac.jp>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>.

Message #10 received at 378029@bugs.debian.org:

From: Kobayashi Noritada <nori1@dolphin.c.u-tokyo.ac.jp>
To: 378029@bugs.debian.org
Subject: Re: ruby1.8: Two safety vulnerabilities for Ruby: JVN#13947696 and JVN#83768862
Date: Thu, 20 Jul 2006 10:18:39 +0900 (JST)
This vulnerability is now listed in CVE.
CVE-2006-3694 ( http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3694 )

Thanks,



Changed Bug title. Request was from Alec Berryman <alec@thened.net> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#378029; Package ruby1.8.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>.

Message #17 received at 378029@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: 378029@bugs.debian.org
Subject: Sid status
Date: Wed, 26 Jul 2006 12:18:14 +0200
Hi!

These vulnerabilities have already been fixed in 1.8.4-2 in sid.
Akira, can you please retroactively add the CVE number to that
changelog in your next upload? This will ease tracking.

Thanks,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]

Bug marked as fixed in version 1.8.4-2, send any further explanations to Kobayashi Noritada <nori1@dolphin.c.u-tokyo.ac.jp>. Request was from Junichi Uekawa <dancer@netfort.gr.jp> to control@bugs.debian.org.

Reply sent to akira yamada <akira@debian.org>:
You have taken responsibility.

Notification sent to Kobayashi Noritada <nori1@dolphin.c.u-tokyo.ac.jp>:
Bug acknowledged by developer.

Message #24 received at 378029-close@bugs.debian.org:

From: akira yamada <akira@debian.org>
To: 378029-close@bugs.debian.org
Subject: Bug#378029: fixed in ruby1.8 1.8.2-7sarge4
Date: Sat, 28 Oct 2006 08:27:13 -0700
Source: ruby1.8
Source-Version: 1.8.2-7sarge4

We believe that the bug you reported is fixed in the latest version of
ruby1.8, which is due to be installed in the Debian FTP archive:

irb1.8_1.8.2-7sarge4_all.deb
  to pool/main/r/ruby1.8/irb1.8_1.8.2-7sarge4_all.deb
libdbm-ruby1.8_1.8.2-7sarge4_i386.deb
  to pool/main/r/ruby1.8/libdbm-ruby1.8_1.8.2-7sarge4_i386.deb
libgdbm-ruby1.8_1.8.2-7sarge4_i386.deb
  to pool/main/r/ruby1.8/libgdbm-ruby1.8_1.8.2-7sarge4_i386.deb
libopenssl-ruby1.8_1.8.2-7sarge4_i386.deb
  to pool/main/r/ruby1.8/libopenssl-ruby1.8_1.8.2-7sarge4_i386.deb
libreadline-ruby1.8_1.8.2-7sarge4_i386.deb
  to pool/main/r/ruby1.8/libreadline-ruby1.8_1.8.2-7sarge4_i386.deb
libruby1.8-dbg_1.8.2-7sarge4_i386.deb
  to pool/main/r/ruby1.8/libruby1.8-dbg_1.8.2-7sarge4_i386.deb
libruby1.8_1.8.2-7sarge4_i386.deb
  to pool/main/r/ruby1.8/libruby1.8_1.8.2-7sarge4_i386.deb
libtcltk-ruby1.8_1.8.2-7sarge4_i386.deb
  to pool/main/r/ruby1.8/libtcltk-ruby1.8_1.8.2-7sarge4_i386.deb
rdoc1.8_1.8.2-7sarge4_all.deb
  to pool/main/r/ruby1.8/rdoc1.8_1.8.2-7sarge4_all.deb
ri1.8_1.8.2-7sarge4_all.deb
  to pool/main/r/ruby1.8/ri1.8_1.8.2-7sarge4_all.deb
ruby1.8-dev_1.8.2-7sarge4_i386.deb
  to pool/main/r/ruby1.8/ruby1.8-dev_1.8.2-7sarge4_i386.deb
ruby1.8-elisp_1.8.2-7sarge4_all.deb
  to pool/main/r/ruby1.8/ruby1.8-elisp_1.8.2-7sarge4_all.deb
ruby1.8-examples_1.8.2-7sarge4_all.deb
  to pool/main/r/ruby1.8/ruby1.8-examples_1.8.2-7sarge4_all.deb
ruby1.8_1.8.2-7sarge4.diff.gz
  to pool/main/r/ruby1.8/ruby1.8_1.8.2-7sarge4.diff.gz
ruby1.8_1.8.2-7sarge4.dsc
  to pool/main/r/ruby1.8/ruby1.8_1.8.2-7sarge4.dsc
ruby1.8_1.8.2-7sarge4_i386.deb
  to pool/main/r/ruby1.8/ruby1.8_1.8.2-7sarge4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 378029@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
akira yamada <akira@debian.org> (supplier of updated ruby1.8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 13 Jul 2006 19:36:58 +0900
Source: ruby1.8
Binary: libtcltk-ruby1.8 libruby1.8-dbg rdoc1.8 libgdbm-ruby1.8 ruby1.8-dev ruby1.8-elisp ruby1.8-examples libdbm-ruby1.8 irb1.8 ruby1.8 libreadline-ruby1.8 libopenssl-ruby1.8 libruby1.8 ri1.8
Architecture: source i386 all
Version: 1.8.2-7sarge4
Distribution: stable-security
Urgency: high
Maintainer: akira yamada <akira@debian.org>
Changed-By: akira yamada <akira@debian.org>
Description: 
 irb1.8     - Interactive Ruby (for Ruby 1.8)
 libdbm-ruby1.8 - DBM interface for Ruby 1.8
 libgdbm-ruby1.8 - GDBM interface for Ruby 1.8
 libopenssl-ruby1.8 - OpenSSL interface for Ruby 1.8
 libreadline-ruby1.8 - Readline interface for Ruby 1.8
 libruby1.8 - Libraries necessary to run Ruby 1.8
 libruby1.8-dbg - Debugging libraries for Ruby 1.8
 libtcltk-ruby1.8 - Tcl/Tk interface for Ruby 1.8
 rdoc1.8    - Generate documentation from Ruby source files (for Ruby 1.8)
 ri1.8      - Ruby Interactive reference (for Ruby 1.8)
 ruby1.8    - Interpreter of object-oriented scripting language Ruby 1.8
 ruby1.8-dev - Header files for compiling extension modules for the Ruby 1.8
 ruby1.8-elisp - ruby-mode for Emacsen
 ruby1.8-examples - Examples for Ruby 1.8
Closes: 378029
Changes: 
 ruby1.8 (1.8.2-7sarge4) stable-security; urgency=high
 .
   * akira yamada <akira@debian.org>
   - added debian/patches/903_JVN-83768862.patch and
     debian/patches/904_JVN-13947696.patch from Kobayashi Noritada
     (closes: #378029):
       - JVN#83768862: Alias features cannot handle safe levels correctly, so
         it can be a safety bypass.
       - JVN#13947696: Some methods have defects such that they can call other
         methods, which really should be prohibited, at safe level 4.
Files: 
 0f42db3f568c8a28797041bc76742a7b 1024 interpreters optional ruby1.8_1.8.2-7sarge4.dsc
 da280b20362a19963108500d237c3a8f 535830 interpreters optional ruby1.8_1.8.2-7sarge4.diff.gz
 3beddf1ae51a2725f8bf1877da2a4dba 151532 interpreters optional ruby1.8_1.8.2-7sarge4_i386.deb
 b16401fe0f1c0c5a0394434895d03bce 1349876 libs optional libruby1.8_1.8.2-7sarge4_i386.deb
 225bcd1dccde74c40d9cb481651eeb52 758398 libdevel extra libruby1.8-dbg_1.8.2-7sarge4_i386.deb
 1c8f2def939b021de558de46e6b716ac 622656 devel optional ruby1.8-dev_1.8.2-7sarge4_i386.deb
 9a562d9d0e760290d518c70fb43b1d03 134974 interpreters optional libdbm-ruby1.8_1.8.2-7sarge4_i386.deb
 189c3922b12e4edad0f4f295cf9ef20c 136230 interpreters optional libgdbm-ruby1.8_1.8.2-7sarge4_i386.deb
 7f4440175d0bfabf3cbb9d0fbf1e77fe 131962 interpreters optional libreadline-ruby1.8_1.8.2-7sarge4_i386.deb
 a558caaed9f6b83b7308e3d7e7577db8 1440060 interpreters optional libtcltk-ruby1.8_1.8.2-7sarge4_i386.deb
 ec8a78d370769c1c64be9f4469637db1 224910 interpreters optional libopenssl-ruby1.8_1.8.2-7sarge4_i386.deb
 603b6d3361826f30226b7b8b1f2a9c93 216598 interpreters optional ruby1.8-examples_1.8.2-7sarge4_all.deb
 dc06a6a0d4ae14b04ea3b21b92e66997 142548 interpreters optional ruby1.8-elisp_1.8.2-7sarge4_all.deb
 094e28cb85bcf7804cd7eeb84cff6e1f 704702 interpreters optional ri1.8_1.8.2-7sarge4_all.deb
 f40e4c9ddff692869af976134de0704a 234400 doc optional rdoc1.8_1.8.2-7sarge4_all.deb
 c82c13c986fda2d4e64c72cf3e368ca6 166472 interpreters optional irb1.8_1.8.2-7sarge4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE7MVvXm3vHE4uyloRAtsHAKDjom0g+8SpjxGpq2S8zztOKDraNQCgkf0M
3//ehxAqHZDrSv4RrDgeaqk=
=Q0Cy
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 01:39:42 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 15:35:53 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.