Ruby Parser version 2.0.4 insecurely creates files in /tmp that can allow for a denial of service condition.
094657d654b5045e05adb6d836d052776e6708bb9e26629a4ff9504e67047580-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is a relatively minor issue, hence no embargo.
Michael Scherer (mscherer@redhat.com) of Red Hat found:
Looking for incorrect /tmp/ usage, I found the following piece of code
in /usr/share/gems/gems/ruby_parser-2.0.4/lib/gauntlet_rubyparser.rb
(https://rubygems.org/gems/ruby_parser)
def diff_pp o1, o2
require 'pp'
File.open("/tmp/a.#{$$}", "w") do |f|
PP.pp o1, f
end
File.open("/tmp/b.#{$$}", "w") do |f|
PP.pp o2, f
end
`diff -u /tmp/a.#{$$} /tmp/b.#{$$}`
ensure
File.unlink "/tmp/a.#{$$}" rescue nil
File.unlink "/tmp/b.#{$$}" rescue nil
end
This was assigned CVE-2013-0162. The current version of ruby_parser is
3.1.1 and is affected. Fixing this is simple:
diff --git a/lib/gauntlet_rubyparser.rb b/lib/gauntlet_rubyparser.rb
index 4463c38..85137f9 100755
- --- a/lib/gauntlet_rubyparser.rb
+++ b/lib/gauntlet_rubyparser.rb
@@ -35,18 +35,19 @@ class RubyParserGauntlet < Gauntlet
def diff_pp o1, o2
require 'pp'
- - File.open("/tmp/a.#{$$}", "w") do |f|
- - PP.pp o1, f
- - end
+ file_a = Tempfile.new('ruby_parser_a')
+ PP.pp o1, file_a
+ file_a.close
+
+ file_b = Tempfile.new('ruby_parser_b')
+ PP.pp o2, file_b
+ file_b.close
- - File.open("/tmp/b.#{$$}", "w") do |f|
- - PP.pp o2, f
- - end
- - `diff -u /tmp/a.#{$$} /tmp/b.#{$$}`
+ `diff -u #{file_a.path} #{file_b.path}`
ensure
- - File.unlink "/tmp/a.#{$$}" rescue nil
- - File.unlink "/tmp/b.#{$$}" rescue nil
+ file_a.unlink
+ file_b.unlink
end
CC'ing the 3 people listed on ruby_parser as "owners".
Also I will be auditing a number of rubygems for various easy things,
as a reminder tmp file vulns are EASY to fix, just use the functions
listed in:
http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/
===============================
Public Service Announcement
===============================
For public issues please start CC'ing oss-security@ (especially if it
needs a CVE), and also rubysec@googlegroups.com which will notify the
Ruby Security people (and then cool things like their tools will warn
users of outdated/insecure versions and so on).
For private/embargoed issues the rubygems.org/community is considering
some ways to make it easier to report security issues in gems, we'll
keep you posted.
- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
iQIcBAEBAgAGBQJRJwmQAAoJEBYNRVNeJnmTtiUQALQ80GH11AWQS+YmGKA6Yhk/
dZ65MdEDAHvyAJ/LewY/URShpEJmwtxOIu2rzlniKwzPSpNZtz15u/jUeNA94ez+
1glzGc5pYF19yL6E/aUf181ZzIhJaI2h9iWNjElui2+l/vkZKuEoygu6fB1CqxUv
d2ykR13dRP+IMj7BLBduLO8WztQ7maOncI9eIv6JgvgysRfffPqbhrUHQyvsow8q
fRSa52cMVvM+4Y6Zc4UvjWlEZwBC8DFt4UlJsa0OoY+UMjqqiKwWIK4/OjgPtd43
ID5CxtjT6x2ANPNLE9UJXoJPKgjvgbghN5wbdOthA8N3jM1s1tbvXDhvKl8zA90d
Eymjelo2iGhHiuQNaAsNqRmab1UlJDcy2UuiIg9IMH7qSMd5l6gosWMHpx4gM39c
moUdNucdpEX0Y33VNMhmjQEhFWy93uGALeHmQZeAAjO+k2/San78nF8luaHyUTXL
qba5VNHdBsWfL0ttHv1XhkWlWT/osRtgQLutLngr9h0nXDGqSJ0RvFOtAsGpvhCh
SfQMAHWPu6GUjhNG+7MedQX/P7kWfDy4qvdDu9kUN++EVcjtK4IOxXBx9KAF8Hj4
//xobZYswtp3zOFzVy5kWqLa5NyqNKye8ZAuqIpDGYfBlR/T5jGM8cMqqRtYyKkE
trGaadlo3zHW1K0Rplea
=FAr9
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed