SecurityvulnsSECURITYVULNS:DOC:29094CVE-2013-0162 rubygem-ruby_parser: incorrect temporary file usage / Public Service Announcement
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is a relatively minor issue, hence no embargo.
Michael Scherer ([email protected]) of Red Hat found:
Looking for incorrect /tmp/ usage, I found the following piece of code
in /usr/share/gems/gems/ruby_parser-2.0.4/lib/gauntlet_rubyparser.rb
(https://rubygems.org/gems/ruby_parser)
def diff_pp o1, o2
require 'pp'
File.open("/tmp/a.#{$$}", "w") do |f|
PP.pp o1, f
end
File.open("/tmp/b.#{$$}", "w") do |f|
PP.pp o2, f
end
`diff -u /tmp/a.#{$$} /tmp/b.#{$$}`
ensure
File.unlink "/tmp/a.#{$$}" rescue nil
File.unlink "/tmp/b.#{$$}" rescue nil
end
This was assigned CVE-2013-0162. The current version of ruby_parser is
3.1.1 and is affected. Fixing this is simple:
diff --git a/lib/gauntlet_rubyparser.rb b/lib/gauntlet_rubyparser.rb
index 4463c38โฆ85137f9 100755
-
โ a/lib/gauntlet_rubyparser.rb
+++ b/lib/gauntlet_rubyparser.rb
@@ -35,18 +35,19 @@ class RubyParserGauntlet < Gauntlet
def diff_pp o1, o2
require 'pp' -
- File.open("/tmp/a.#{$$}", "w") do |f|
-
-
PP.pp o1, f
-
-
- end
- file_a = Tempfile.new('ruby_parser_a')
- PP.pp o1, file_a
- file_a.close
- file_b = Tempfile.new('ruby_parser_b')
- PP.pp o2, file_b
- file_b.close
-
- File.open("/tmp/b.#{$$}", "w") do |f|
-
-
PP.pp o2, f
-
-
- end
-
- `diff -u /tmp/a.#{$$} /tmp/b.#{$$}`
- `diff -u #{file_a.path} #{file_b.path}`
ensure
-
- File.unlink "/tmp/a.#{$$}" rescue nil
-
- File.unlink "/tmp/b.#{$$}" rescue nil
- file_a.unlink
- file_b.unlink
end
CC'ing the 3 people listed on ruby_parser as "owners".
Also I will be auditing a number of rubygems for various easy things,
as a reminder tmp file vulns are EASY to fix, just use the functions
listed in:
http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/
===============================
Public Service Announcement
For public issues please start CC'ing oss-security@ (especially if it
needs a CVE), and also [email protected] which will notify the
Ruby Security people (and then cool things like their tools will warn
users of outdated/insecure versions and so on).
For private/embargoed issues the rubygems.org/community is considering
some ways to make it easier to report security issues in gems, we'll
keep you posted.
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
iQIcBAEBAgAGBQJRJwmQAAoJEBYNRVNeJnmTtiUQALQ80GH11AWQS+YmGKA6Yhk/
dZ65MdEDAHvyAJ/LewY/URShpEJmwtxOIu2rzlniKwzPSpNZtz15u/jUeNA94ez+
1glzGc5pYF19yL6E/aUf181ZzIhJaI2h9iWNjElui2+l/vkZKuEoygu6fB1CqxUv
d2ykR13dRP+IMj7BLBduLO8WztQ7maOncI9eIv6JgvgysRfffPqbhrUHQyvsow8q
fRSa52cMVvM+4Y6Zc4UvjWlEZwBC8DFt4UlJsa0OoY+UMjqqiKwWIK4/OjgPtd43
ID5CxtjT6x2ANPNLE9UJXoJPKgjvgbghN5wbdOthA8N3jM1s1tbvXDhvKl8zA90d
Eymjelo2iGhHiuQNaAsNqRmab1UlJDcy2UuiIg9IMH7qSMd5l6gosWMHpx4gM39c
moUdNucdpEX0Y33VNMhmjQEhFWy93uGALeHmQZeAAjO+k2/San78nF8luaHyUTXL
qba5VNHdBsWfL0ttHv1XhkWlWT/osRtgQLutLngr9h0nXDGqSJ0RvFOtAsGpvhCh
SfQMAHWPu6GUjhNG+7MedQX/P7kWfDy4qvdDu9kUN++EVcjtK4IOxXBx9KAF8Hj4
//xobZYswtp3zOFzVy5kWqLa5NyqNKye8ZAuqIpDGYfBlR/T5jGM8cMqqRtYyKkE
trGaadlo3zHW1K0Rplea
=FAr9
-----END PGP SIGNATURE-----
Related
