Debian Bug report logs - #689075
CVE-2011-1005: safe level bypass

Package: ruby1.9.1; Maintainer for ruby1.9.1 is Antonio Terceiro <terceiro@debian.org>; Source for ruby1.9.1 is src:ruby1.9.1.

Reported by: Tyler Hicks <tyhicks@canonical.com>

Date: Fri, 28 Sep 2012 22:06:02 UTC

Severity: grave

Tags: patch, security

Found in version ruby1.9.1/1.9.3.194-1

Fixed in version ruby1.9.1/1.9.3.194-2

Done: Antonio Terceiro <terceiro@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, akira yamada <akira@debian.org>:
Bug#689075; Package ruby1.9.1. (Fri, 28 Sep 2012 22:06:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Tyler Hicks <tyhicks@canonical.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, akira yamada <akira@debian.org>. (Fri, 28 Sep 2012 22:06:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Tyler Hicks <tyhicks@canonical.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2011-1005: safe level bypass
Date: Fri, 28 Sep 2012 15:03:05 -0700
[Message part 1 (text/plain, inline)]
Package: ruby1.9.1
Version: 1.9.3.194-1
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch

Dear Maintainer,

While running some regression tests I discovered that 1.9.3.194-1 is
vulnerable to CVE-2011-1005, despite the Ruby advisory stating
otherwise:

http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/

You can use the reproducer in the advisory for verification. Just do a
'puts $secret_path' rather than the 'open($secret_path)' block.

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: Safe level bypass
    - debian/patches/20120927-cve_2011_1005.patch: Remove incorrect string
      taint in exception handling methods. Based on upstream patch.
    - CVE-2011-1005


Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers quantal-updates
  APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 'quantal')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5.0-15-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[ruby1.9.1_1.9.3.194-1ubuntu1.debdiff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#689075; Package ruby1.9.1. (Sun, 30 Sep 2012 20:54:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Antonio Terceiro <terceiro@debian.org>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>. (Sun, 30 Sep 2012 20:54:02 GMT) Full text and rfc822 format available.

Message #10 received at 689075@bugs.debian.org (full text, mbox):

From: Antonio Terceiro <terceiro@debian.org>
To: Tyler Hicks <tyhicks@canonical.com>, 689075@bugs.debian.org
Subject: Re: Bug#689075: CVE-2011-1005: safe level bypass
Date: Sun, 30 Sep 2012 17:47:30 -0300
[Message part 1 (text/plain, inline)]
tag 689075 + pending
thanks

Hello Tyler,

Tyler Hicks wrote:
> Package: ruby1.9.1
> Version: 1.9.3.194-1
> Severity: grave
> Tags: patch security
> Justification: user security hole
> User: ubuntu-devel@lists.ubuntu.com
> Usertags: origin-ubuntu quantal ubuntu-patch
> 
> Dear Maintainer,
> 
> While running some regression tests I discovered that 1.9.3.194-1 is
> vulnerable to CVE-2011-1005, despite the Ruby advisory stating
> otherwise:
> 
> http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/
> 
> You can use the reproducer in the advisory for verification. Just do a
> 'puts $secret_path' rather than the 'open($secret_path)' block.
> 
> In Ubuntu, the attached patch was applied to achieve the following:
> 
>   * SECURITY UPDATE: Safe level bypass
>     - debian/patches/20120927-cve_2011_1005.patch: Remove incorrect string
>       taint in exception handling methods. Based on upstream patch.
>     - CVE-2011-1005

Thanks for submitting this. Did you notify upstream of the fact that the
1.9 series is actually affected by this issue?

-- 
Antonio Terceiro <terceiro@debian.org>
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#689075; Package ruby1.9.1. (Mon, 01 Oct 2012 18:09:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Tyler Hicks <tyhicks@canonical.com>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>. (Mon, 01 Oct 2012 18:09:05 GMT) Full text and rfc822 format available.

Message #15 received at 689075@bugs.debian.org (full text, mbox):

From: Tyler Hicks <tyhicks@canonical.com>
To: Antonio Terceiro <terceiro@debian.org>
Cc: 689075@bugs.debian.org
Subject: Re: Bug#689075: CVE-2011-1005: safe level bypass
Date: Mon, 1 Oct 2012 11:04:30 -0700
[Message part 1 (text/plain, inline)]
On 2012-09-30 17:47:30, Antonio Terceiro wrote:
> Thanks for submitting this. Did you notify upstream of the fact that the
> 1.9 series is actually affected by this issue?

Yes, right after I filed this bug. After speaking with upstream, they
will be applying a slightly different fix. You probably want to wait
until their fix is public. I'll be sure to update this bug when they've
applied the fix upstream.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#689075; Package ruby1.9.1. (Wed, 03 Oct 2012 08:33:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Tyler Hicks <tyhicks@canonical.com>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>. (Wed, 03 Oct 2012 08:33:03 GMT) Full text and rfc822 format available.

Message #20 received at 689075@bugs.debian.org (full text, mbox):

From: Tyler Hicks <tyhicks@canonical.com>
To: Antonio Terceiro <terceiro@debian.org>
Cc: 689075@bugs.debian.org
Subject: Re: Bug#689075: CVE-2011-1005: safe level bypass
Date: Wed, 3 Oct 2012 01:29:52 -0700
[Message part 1 (text/plain, inline)]
On 2012-10-01 11:04:30, Tyler Hicks wrote:
> I'll be sure to update this bug when they've applied the fix upstream.

Ok, the fix is public:

http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068

It ended up being more complicated than I initially thought. The
vulnerability described in CVE-2011-1005 was reintroduced into the Ruby
codebase in 1.9.3-p0.

When upstream was developing their fix they found a new, but similar,
issue that goes back to ruby1.8. My request for new CVE ids and a
slightly more detailed explanation can be found here:

http://www.openwall.com/lists/oss-security/2012/10/02/4

Tyler
[signature.asc (application/pgp-signature, inline)]

Reply sent to Antonio Terceiro <terceiro@debian.org>:
You have taken responsibility. (Sat, 06 Oct 2012 20:51:06 GMT) Full text and rfc822 format available.

Notification sent to Tyler Hicks <tyhicks@canonical.com>:
Bug acknowledged by developer. (Sat, 06 Oct 2012 20:51:06 GMT) Full text and rfc822 format available.

Message #25 received at 689075-close@bugs.debian.org (full text, mbox):

From: Antonio Terceiro <terceiro@debian.org>
To: 689075-close@bugs.debian.org
Subject: Bug#689075: fixed in ruby1.9.1 1.9.3.194-2
Date: Sat, 06 Oct 2012 20:48:16 +0000
Source: ruby1.9.1
Source-Version: 1.9.3.194-2

We believe that the bug you reported is fixed in the latest version of
ruby1.9.1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 689075@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terceiro@debian.org> (supplier of updated ruby1.9.1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 06 Oct 2012 16:29:42 -0300
Source: ruby1.9.1
Binary: ruby1.9.1 libruby1.9.1 libruby1.9.1-dbg ruby1.9.1-dev libtcltk-ruby1.9.1 ruby1.9.1-examples ri1.9.1 ruby1.9.1-full ruby1.9.3
Architecture: source all amd64
Version: 1.9.3.194-2
Distribution: unstable
Urgency: low
Maintainer: akira yamada <akira@debian.org>
Changed-By: Antonio Terceiro <terceiro@debian.org>
Description: 
 libruby1.9.1 - Libraries necessary to run Ruby 1.9.1
 libruby1.9.1-dbg - Debugging symbols for Ruby 1.9.1
 libtcltk-ruby1.9.1 - Tcl/Tk interface for Ruby 1.9.1
 ri1.9.1    - Ruby Interactive reference (for Ruby 1.9.1)
 ruby1.9.1  - Interpreter of object-oriented scripting language Ruby
 ruby1.9.1-dev - Header files for compiling extension modules for the Ruby 1.9.1
 ruby1.9.1-examples - Examples for Ruby 1.9
 ruby1.9.1-full - Ruby 1.9.1 full installation
 ruby1.9.3  - Interpreter of object-oriented scripting language Ruby, version 1
Closes: 689075
Changes: 
 ruby1.9.1 (1.9.3.194-2) unstable; urgency=low
 .
   * debian/patches/20120927-cve_2011_1005.patch: patch sent by upstream;
     fixes CVE-2011-1005 which was thought of as not affecting the Ruby 1.9.x
     series (Closes: #689075). Thanks to Tyler Hicks <tyhicks@canonical.com>
     for reporting the issue.

Information forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#689075; Package ruby1.9.1. (Thu, 17 Jan 2013 15:36:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>. (Thu, 17 Jan 2013 15:36:10 GMT) Full text and rfc822 format available.

Message #30 received at 689075@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: 689075@bugs.debian.org
Subject: Re: CVE-2011-1005: safe level bypass
Date: Thu, 17 Jan 2013 11:42:06 -0000
Package: ruby1.9.1

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/689075/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 07 Feb 2014 07:35:23 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 13:10:24 2014; Machine Name: beach.debian.org