From ${URL} :

This is a relatively minor issue, hence no embargo.

Michael Scherer (mscherer@...hat.com) of Red Hat found:

Looking for incorrect /tmp/ usage, I found the following piece of code in
/usr/share/gems/gems/ruby_parser-2.0.4/lib/gauntlet_rubyparser.rb
(https://rubygems.org/gems/ruby_parser)

  def diff_pp o1, o2
    require 'pp'
    File.open("/tmp/a.#{$$}", "w") do |f|
      PP.pp o1, f
    end
    File.open("/tmp/b.#{$$}", "w") do |f|
      PP.pp o2, f
    end
    `diff -u /tmp/a.#{$$} /tmp/b.#{$$}`
  ensure
    File.unlink "/tmp/a.#{$$}" rescue nil
    File.unlink "/tmp/b.#{$$}" rescue nil
  end

This was assigned CVE-2013-0162. The current version of ruby_parser is 3.1.1 and is affected.

Fixing this is simple:

diff --git a/lib/gauntlet_rubyparser.rb b/lib/gauntlet_rubyparser.rb index 4463c38..85137f9 100755 - --- a/lib/gauntlet_rubyparser.rb +++ b/lib/gauntlet_rubyparser.rb @@ -35,18 +35,19 @@ class RubyParserGauntlet < Gauntlet def diff_pp o1, o2 require 'pp' - - File.open("/tmp/a.#{$$}", "w") do |f| - - PP.pp o1, f - - end + file_a = Tempfile.new('ruby_parser_a') + PP.pp o1, file_a + file_a.close + + file_b = Tempfile.new('ruby_parser_b') + PP.pp o2, file_b + file_b.close - - File.open("/tmp/b.#{$$}", "w") do |f| - - PP.pp o2, f - - end - - `diff -u /tmp/a.#{$$} /tmp/b.#{$$}` + `diff -u #{file_a.path} #{file_b.path}` ensure - - File.unlink "/tmp/a.#{$$}" rescue nil - - File.unlink "/tmp/b.#{$$}" rescue nil + file_a.unlink + file_b.unlink end
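Review bot: the hunk calls Tempfile.new but adds no `require 'tempfile'`; unless gauntlet_rubyparser.rb already loads it somewhere outside the shown context, the first call to diff_pp raises NameError. The rewritten ensure block also drops the old `rescue nil` guard: if `Tempfile.new('ruby_parser_a')` raises, file_a is nil and `file_a.unlink` raises NoMethodError in ensure, masking the original error, and if only the second Tempfile.new fails the same happens for file_b. Suggest `file_a.unlink if file_a` / `file_b.unlink if file_b`, or the block form `Tempfile.create(...) do |f| ... end`, which removes the file itself on exit. Minor: `` `diff -u #{file_a.path} #{file_b.path}` `` still passes the paths through a shell; `IO.popen(['diff', '-u', file_a.path, file_b.path], &:read)` avoids that.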
CVE-2013-0162 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0162): The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser gem 3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp.
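The following is an added example, not code from ruby_parser or from the patch above. It shows the hardened form of diff_pp that avoids the predictable /tmp/a.<pid> name (Tempfile.create opens an unpredictable name with O_EXCL and mode 0600 and removes it when the block ends, so a pre-planted symlink is never followed), and a small audit helper of the kind the reporter used to find this pattern: it flags source lines that build a /tmp path from the process id. The function names, the PREDICTABLE_TMP regex and the embedded sample are all constructed for this example.

```ruby
require 'pp'
require 'tempfile'   # the patch on the page uses Tempfile but adds no require

# Hardened replacement for diff_pp (example code, not ruby_parser's own).
# Tempfile.create picks an unpredictable name in Dir.tmpdir, opens it with
# O_CREAT|O_EXCL and mode 0600, and unlinks it when the block returns, even
# if pretty-printing or diff raises. A symlink planted at a guessable path
# such as /tmp/a.<pid> therefore cannot redirect the write.
def diff_pp_safe(o1, o2)
  Tempfile.create('ruby_parser_a') do |file_a|
    Tempfile.create('ruby_parser_b') do |file_b|
      PP.pp(o1, file_a)
      PP.pp(o2, file_b)
      file_a.flush
      file_b.flush
      # argv form: paths go straight to diff, never through a shell
      IO.popen(['diff', '-u', file_a.path, file_b.path], &:read)
    end
  end
end

# Audit helper: flag lines that compose a /tmp path from the pid ($$),
# the predictable-name pattern behind CVE-2013-0162.
# Returns [[line_number, stripped_line], ...] (constructed regex, not exhaustive).
PREDICTABLE_TMP = %r{["'`][^"'`]*/tmp/[^"'`]*\#\{\s*\$\$\s*\}}.freeze

def predictable_tmp_usages(source)
  source.each_line.with_index(1)
        .select { |line, _| line.match?(PREDICTABLE_TMP) }
        .map { |line, n| [n, line.strip] }
end

# Constructed sample input: the vulnerable function as reported on the page.
VULNERABLE_SAMPLE = <<~'RUBY'
  def diff_pp o1, o2
    require 'pp'
    File.open("/tmp/a.#{$$}", "w") do |f|
      PP.pp o1, f
    end
    File.open("/tmp/b.#{$$}", "w") do |f|
      PP.pp o2, f
    end
    `diff -u /tmp/a.#{$$} /tmp/b.#{$$}`
  ensure
    File.unlink "/tmp/a.#{$$}" rescue nil
    File.unlink "/tmp/b.#{$$}" rescue nil
  end
RUBY

if $PROGRAM_NAME == __FILE__
  predictable_tmp_usages(VULNERABLE_SAMPLE).each { |n, l| puts "line #{n}: #{l}" }
  puts diff_pp_safe([1, 2], [1, 3])
end
```

The audit helper is deliberately narrow (only pid-interpolated literals under /tmp); widen the regex to other guessable components before using it across a gem tree.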
dev-ruby/ruby_parser-2.3.1-r1 is now masked for removal. No other affected versions are left.
Vulnerable versions have been removed. Security, please vote.
GLSA Vote: No
GLSA vote: no. Closed as [noglsa].