Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 469984 (CVE-2013-2065)

Summary: <dev-lang/ruby-1.9.3_p429 : DL and Fiddle Tained Object Handling Vulnerability (CVE-2013-2065)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ruby
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/53432/
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-05-15 18:36:39 UTC 
From ${URL} :

Description
A vulnerability has been reported in Ruby, which can be exploited by malicious people to bypass 
certain security restrictions.

The vulnerability is caused due to the DL and Fiddle modules not properly verifying the $SAFE level 
when handling certain objects and can be exploited to pass tainted strings to system calls.

The vulnerability is reported in the following versions:
* All ruby 1.9 versions prior to ruby 1.9.3 patchlevel 426
* All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 195


Solution
Update to version 1.9.3 patchlevel 426 or 2.0.0 patchlevel 195.

Provided and/or discovered by
The vendor credits Vit Ondruch.

Original Advisory
http://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Hans de Graaff gentoo-dev Security 2013-05-16 07:19:30 UTC 
I've just added ruby 1.9.3 p492. Given that there are also other bug fixes and changes, I would suggest to hold off stabilization for a few days to see if any issues surface.
Comment 2 Hans de Graaff gentoo-dev Security 2013-05-19 07:19:22 UTC 
I haven't seen any regressions, so let's go ahead and mark this version stable.

=dev-lang/ruby-1.9.3_p429
Comment 3 Agostino Sarubbo gentoo-dev 2013-05-19 13:34:18 UTC 
Arches, please test and mark stable:                                                                       
=dev-lang/ruby-1.9.3_p429                                                                                  
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2013-05-19 14:09:07 UTC 
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2013-05-19 15:06:38 UTC 
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-05-19 15:07:54 UTC 
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-05-20 12:49:12 UTC 
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-05-20 17:20:17 UTC 
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-05-25 07:59:09 UTC 
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-05-25 14:28:28 UTC 
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-05-25 20:26:29 UTC 
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-05-25 20:47:24 UTC 
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-05-26 06:42:25 UTC 
s390 stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-06-09 15:59:11 UTC 
sh stable
Comment 15 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 04:05:14 UTC 
GLSA vote: no.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-12-12 20:43:41 UTC 
CVE-2013-2065 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2065):
  (1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0
  before 2.0.0 patchlevel 195, do not perform taint checking for native
  functions, which allows context-dependent attackers to bypass intended $SAFE
  level restrictions.
Comment 17 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-02-01 21:29:46 UTC 
GLSA vote: no. 

Closing as [noglsa]