Bug 458744 (CVE-2013-0162) - <dev-ruby/ruby_parser-3.1.2: incorrect temporary file usage (CVE-2013-0162)
Summary: <dev-ruby/ruby_parser-3.1.2: incorrect temporary file usage (CVE-2013-0162)
Status: RESOLVED FIXED
Alias: CVE-2013-0162
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa]
 
Reported: 2013-02-22 14:00 UTC by Agostino Sarubbo
Modified: 2015-05-31 20:39 UTC



Description Agostino Sarubbo gentoo-dev 2013-02-22 14:00:51 UTC
From ${URL} :

This is a relatively minor issue, hence no embargo.

Michael Scherer (mscherer@...hat.com) of Red Hat found:

Looking for incorrect /tmp/ usage, I found the following piece of code
in /usr/share/gems/gems/ruby_parser-2.0.4/lib/gauntlet_rubyparser.rb
(https://rubygems.org/gems/ruby_parser)

  def diff_pp o1, o2
    require 'pp'

    File.open("/tmp/a.#{$$}", "w") do |f|
      PP.pp o1, f
    end

    File.open("/tmp/b.#{$$}", "w") do |f|
      PP.pp o2, f
    end

    `diff -u /tmp/a.#{$$} /tmp/b.#{$$}`
  ensure
    File.unlink "/tmp/a.#{$$}" rescue nil
    File.unlink "/tmp/b.#{$$}" rescue nil
  end

This was assigned CVE-2013-0162. The current version of ruby_parser is
3.1.1 and is affected. Fixing this is simple:

diff --git a/lib/gauntlet_rubyparser.rb b/lib/gauntlet_rubyparser.rb
index 4463c38..85137f9 100755
- --- a/lib/gauntlet_rubyparser.rb
+++ b/lib/gauntlet_rubyparser.rb
@@ -35,18 +35,19 @@ class RubyParserGauntlet < Gauntlet
   def diff_pp o1, o2
     require 'pp'

- -    File.open("/tmp/a.#{$$}", "w") do |f|
- -      PP.pp o1, f
- -    end
+    file_a = Tempfile.new('ruby_parser_a')
+    PP.pp o1, file_a
+    file_a.close
+
+    file_b = Tempfile.new('ruby_parser_b')
+    PP.pp o2, file_b
+    file_b.close

- -    File.open("/tmp/b.#{$$}", "w") do |f|
- -      PP.pp o2, f
- -    end

- -    `diff -u /tmp/a.#{$$} /tmp/b.#{$$}`
+    `diff -u #{file_a.path} #{file_b.path}`
   ensure
- -    File.unlink "/tmp/a.#{$$}" rescue nil
- -    File.unlink "/tmp/b.#{$$}" rescue nil
+    file_a.unlink
+    file_b.unlink
   end
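Review bot: in the ensure block, file_a.unlink and file_b.unlink are called unconditionally, so if Tempfile.new or PP.pp raises before file_b (or file_a) has been assigned, cleanup calls unlink on nil and the resulting NoMethodError replaces the original exception; the removed lines tolerated this with `rescue nil`. Guard each call, for example `file_a.unlink if file_a`. The hunk also starts using Tempfile while the only require visible is `require 'pp'`, so unless tempfile is loaded elsewhere in the file, a `require 'tempfile'` belongs next to it. Separately, the removed lines are prefixed `- -` and the old-file header reads `- ---`, which looks like the dash-escaping of a clearsigned mail; the patch as quoted will not apply until those prefixes are restored to a single `-`.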
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-03-04 23:11:28 UTC
CVE-2013-0162 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0162):
  The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser gem
  3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files
  via a symlink attack on a temporary file with a predictable name in /tmp.
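
The symlink problem described in the CVE text, shown as an added example that is not part of the bug report or of ruby_parser: it compares the original `File.open(..., "w")` pattern, an exclusive create, and `Tempfile` when a link already sits at the predictable name. The function name, `victim.txt` and the private sandbox directory are assumptions made for the demonstration; nothing is written to /tmp itself.

```ruby
require 'tmpdir'
require 'tempfile'
require 'pp'

# Reports how each file-creation strategy behaves when a symlink already
# exists at the predictable path. All files live in a private sandbox
# directory constructed for this example.
def tempfile_strategies_demo
  result = {}
  Dir.mktmpdir('cve_2013_0162_demo') do |dir|
    victim = File.join(dir, 'victim.txt')     # stands in for a file the user owns
    File.write(victim, "important data\n")
    predictable = File.join(dir, "a.#{$$}")   # same naming scheme as diff_pp
    File.symlink(victim, predictable)         # pre-existing link (constructed)

    # 1. Original pattern: mode "w" follows the link and truncates its target.
    File.open(predictable, 'w') { |f| PP.pp({ :x => 1 }, f) }
    result[:plain_open_clobbered] = File.read(victim) != "important data\n"

    # 2. Exclusive create: O_CREAT|O_EXCL fails if anything, a symlink
    #    included, already exists at the path.
    File.write(victim, "important data\n")
    begin
      File.open(predictable, File::WRONLY | File::CREAT | File::EXCL, 0600) { |f| f.puts 'x' }
      result[:excl_refused] = false
    rescue Errno::EEXIST
      result[:excl_refused] = true
    end
    result[:victim_intact_after_excl] = File.read(victim) == "important data\n"

    # 3. Tempfile, the approach taken in the patch: unpredictable name,
    #    exclusive create, no group/other permission bits.
    file_a = Tempfile.new('ruby_parser_a', dir)
    begin
      PP.pp({ :x => 1 }, file_a)
      file_a.close
      result[:tempfile_is_new_file] = !File.symlink?(file_a.path) && file_a.path != predictable
      result[:tempfile_private] = (File.stat(file_a.path).mode & 0077).zero?
    ensure
      file_a.unlink
    end
  end
  result
end

pp tempfile_strategies_demo if $PROGRAM_NAME == __FILE__
```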
Comment 2 Hans de Graaff gentoo-dev Security 2015-02-03 06:39:17 UTC
dev-ruby/ruby_parser-2.3.1-r1 is now masked for removal. No other affected versions are left.
Comment 3 Manuel Rüger (RETIRED) gentoo-dev 2015-05-31 20:30:02 UTC
Vulnerable versions have been removed. 

Security, please vote.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-05-31 20:36:29 UTC
GLSA Vote: No
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-05-31 20:38:09 UTC
GLSA vote: no.

Closed as [noglsa].