rubygem ruby_parser incorrect temporary file usage / Public Service Announcement

2013.02.22
Risk: High
Local: Yes
Remote: No
CWE: N/A


Ogólna skala CVSS: 2.1/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 3.9/10
Wymagany dostęp: Lokalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Brak
Wpływ na integralność: Częściowy
Wpływ na dostępność: Brak

This is a relatively minor issue, hence no embargo. Michael Scherer (mscherer () redhat com) of Red Hat found: Looking for incorrect /tmp/ usage, I found the following piece of code in /usr/share/gems/gems/ruby_parser-2.0.4/lib/gauntlet_rubyparser.rb (https://rubygems.org/gems/ruby_parser) def diff_pp o1, o2 require 'pp' File.open("/tmp/a.#{$$}", "w") do |f| PP.pp o1, f end File.open("/tmp/b.#{$$}", "w") do |f| PP.pp o2, f end `diff -u /tmp/a.#{$$} /tmp/b.#{$$}` ensure File.unlink "/tmp/a.#{$$}" rescue nil File.unlink "/tmp/b.#{$$}" rescue nil end This was assigned CVE-2013-0162. The current version of ruby_parser is 3.1.1 and is affected. Fixing this is simple: diff --git a/lib/gauntlet_rubyparser.rb b/lib/gauntlet_rubyparser.rb index 4463c38..85137f9 100755 - --- a/lib/gauntlet_rubyparser.rb +++ b/lib/gauntlet_rubyparser.rb @@ -35,18 +35,19 @@ class RubyParserGauntlet < Gauntlet def diff_pp o1, o2 require 'pp' - - File.open("/tmp/a.#{$$}", "w") do |f| - - PP.pp o1, f - - end + file_a = Tempfile.new('ruby_parser_a') + PP.pp o1, file_a + file_a.close + + file_b = Tempfile.new('ruby_parser_b') + PP.pp o2, file_b + file_b.close - - File.open("/tmp/b.#{$$}", "w") do |f| - - PP.pp o2, f - - end - - `diff -u /tmp/a.#{$$} /tmp/b.#{$$}` + `diff -u #{file_a.path} #{file_b.path}` ensure - - File.unlink "/tmp/a.#{$$}" rescue nil - - File.unlink "/tmp/b.#{$$}" rescue nil + file_a.unlink + file_b.unlink end CC'ing the 3 people listed on ruby_parser as "owners". Also I will be auditing a number of rubygems for various easy things, as a reminder tmp file vulns are EASY to fix, just use the functions listed in: http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/ =============================== Public Service Announcement =============================== For public issues please start CC'ing oss-security@ (especially if it needs a CVE), and also rubysec () googlegroups com which will notify the Ruby Security people (and then cool things like their tools will warn users of outdated/insecure versions and so on). For private/embargoed issues the rubygems.org/community is considering some ways to make it easier to report security issues in gems, we'll keep you posted. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Referencje:

http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top