rubygem ruby_parser incorrect temporary file usage / Public Service Announcement

2013.02.22

Credit: Michael Scherer

Risk: High

Local: Yes

Remote: No

CVE: CVE-2013-0162

CWE: N/A

Ogólna skala CVSS: 2.1/10

Znaczenie: 2.9/10

Łatwość wykorzystania: 3.9/10

Wymagany dostęp: Lokalny

Złożoność ataku: Niska

Autoryzacja: Nie wymagana

Wpływ na poufność: Brak

Wpływ na integralność: Częściowy

Wpływ na dostępność: Brak

This is a relatively minor issue, hence no embargo.
Michael Scherer (mscherer () redhat com) of Red Hat found:
Looking for incorrect /tmp/ usage, I found the following piece of code
in /usr/share/gems/gems/ruby_parser-2.0.4/lib/gauntlet_rubyparser.rb
(https://rubygems.org/gems/ruby_parser)
def diff_pp o1, o2
require 'pp'
File.open("/tmp/a.#{$$}", "w") do |f|
PP.pp o1, f
end
File.open("/tmp/b.#{$$}", "w") do |f|
PP.pp o2, f
end
`diff -u /tmp/a.#{$$} /tmp/b.#{$$}`
ensure
File.unlink "/tmp/a.#{$$}" rescue nil
File.unlink "/tmp/b.#{$$}" rescue nil
end
This was assigned CVE-2013-0162. The current version of ruby_parser is
3.1.1 and is affected. Fixing this is simple:
diff --git a/lib/gauntlet_rubyparser.rb b/lib/gauntlet_rubyparser.rb
index 4463c38..85137f9 100755
- --- a/lib/gauntlet_rubyparser.rb
+++ b/lib/gauntlet_rubyparser.rb
@@ -35,18 +35,19 @@ class RubyParserGauntlet < Gauntlet
def diff_pp o1, o2
require 'pp'
- - File.open("/tmp/a.#{$$}", "w") do |f|
- - PP.pp o1, f
- - end
+ file_a = Tempfile.new('ruby_parser_a')
+ PP.pp o1, file_a
+ file_a.close
+
+ file_b = Tempfile.new('ruby_parser_b')
+ PP.pp o2, file_b
+ file_b.close
- - File.open("/tmp/b.#{$$}", "w") do |f|
- - PP.pp o2, f
- - end
- - `diff -u /tmp/a.#{$$} /tmp/b.#{$$}`
+ `diff -u #{file_a.path} #{file_b.path}`
ensure
- - File.unlink "/tmp/a.#{$$}" rescue nil
- - File.unlink "/tmp/b.#{$$}" rescue nil
+ file_a.unlink
+ file_b.unlink
end
CC'ing the 3 people listed on ruby_parser as "owners".
Also I will be auditing a number of rubygems for various easy things,
as a reminder tmp file vulns are EASY to fix, just use the functions
listed in:
http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/
===============================
Public Service Announcement
===============================
For public issues please start CC'ing oss-security@ (especially if it
needs a CVE), and also rubysec () googlegroups com which will notify the
Ruby Security people (and then cool things like their tools will warn
users of outdated/insecure versions and so on).
For private/embargoed issues the rubygems.org/community is considering
some ways to make it easier to report security issues in gems, we'll
keep you posted.
- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Referencje:

http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

rubygem ruby_parser incorrect temporary file usage / Public Service Announcement

Referencje:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.