This is a relatively minor issue, hence no embargo.
Michael Scherer (mscherer () redhat com) of Red Hat found:
Looking for incorrect /tmp/ usage, I found the following piece of code
in /usr/share/gems/gems/ruby_parser-2.0.4/lib/gauntlet_rubyparser.rb
(https://rubygems.org/gems/ruby_parser)
  def diff_pp o1, o2
    require 'pp'
    File.open("/tmp/a.#{$$}", "w") do |f|
      PP.pp o1, f
    end
    File.open("/tmp/b.#{$$}", "w") do |f|
      PP.pp o2, f
    end
    `diff -u /tmp/a.#{$$} /tmp/b.#{$$}`
  ensure
    File.unlink "/tmp/a.#{$$}" rescue nil
    File.unlink "/tmp/b.#{$$}" rescue nil
  end
This was assigned CVE-2013-0162. The current version of ruby_parser is
3.1.1 and is affected. Fixing this is simple:
diff --git a/lib/gauntlet_rubyparser.rb b/lib/gauntlet_rubyparser.rb
index 4463c38..85137f9 100755
- --- a/lib/gauntlet_rubyparser.rb
+++ b/lib/gauntlet_rubyparser.rb
@@ -35,18 +35,19 @@ class RubyParserGauntlet < Gauntlet
def diff_pp o1, o2
require 'pp'
- - File.open("/tmp/a.#{$$}", "w") do |f|
- - PP.pp o1, f
- - end
+ file_a = Tempfile.new('ruby_parser_a')
+ PP.pp o1, file_a
+ file_a.close
+
+ file_b = Tempfile.new('ruby_parser_b')
+ PP.pp o2, file_b
+ file_b.close
- - File.open("/tmp/b.#{$$}", "w") do |f|
- - PP.pp o2, f
- - end
- - `diff -u /tmp/a.#{$$} /tmp/b.#{$$}`
+ `diff -u #{file_a.path} #{file_b.path}`
ensure
- - File.unlink "/tmp/a.#{$$}" rescue nil
- - File.unlink "/tmp/b.#{$$}" rescue nil
+ file_a.unlink
+ file_b.unlink
end
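Review bot: the ensure clause in this hunk calls `file_a.unlink` and
`file_b.unlink` unconditionally, but if `Tempfile.new('ruby_parser_b')`
(or anything before it) raises, `file_b` is still nil and the ensure
raises NoMethodError, masking the original exception; the old code's
`rescue nil` guard was dropped without a replacement. Suggest
`file_a.unlink if file_a` / `file_b.unlink if file_b`. Also, the hunk
introduces `Tempfile` but adds no `require 'tempfile'` next to the
existing `require 'pp'`, so the method only works if some other file in
the gem (or the caller) has already loaded it.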
CC'ing the 3 people listed on ruby_parser as "owners".
Also, I will be auditing a number of rubygems for various easy things.
As a reminder, tmp file vulns are EASY to fix; just use the functions
listed in:
http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/
===============================
Public Service Announcement
===============================
For public issues please start CC'ing oss-security@ (especially if it
needs a CVE), and also rubysec () googlegroups com which will notify the
Ruby Security people (and then cool things like their tools will warn
users of outdated/insecure versions and so on).
For private/embargoed issues the rubygems.org/community is considering
some ways to make it easier to report security issues in gems, we'll
keep you posted.
-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
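The Tempfile-based fix the report recommends, written out as a complete example (added here; not code from ruby_parser or from the report). It assumes Ruby 2.1 or later for Tempfile.create, which opens each scratch file with O_EXCL under a random name in Dir.tmpdir and removes it when the block exits; temp_file_properties and demo_lifecycle are hypothetical helpers that check the resulting file has the properties the fixed /tmp/a.<pid> path lacked.

```ruby
require 'pp'
require 'tempfile'

# Hardened equivalent of the gauntlet's diff_pp (example code, not
# ruby_parser's own). Tempfile.create opens each file with
# File::EXCL, mode 0600, and a random name under Dir.tmpdir, so a file
# or symlink planted at a guessable path is never opened; the block
# form also closes and deletes the file on any exit, exception or not.
def diff_pp_secure(o1, o2)
  Tempfile.create('ruby_parser_a') do |file_a|
    Tempfile.create('ruby_parser_b') do |file_b|
      PP.pp o1, file_a
      PP.pp o2, file_b
      file_a.flush
      file_b.flush
      # argv form: no shell is involved, so the paths are never
      # re-parsed as part of a command line.
      IO.popen(['diff', '-u', file_a.path, file_b.path], &:read)
    end
  end
end

# Properties a safely created temp file should have. The vulnerable
# "/tmp/a.#{$$}" pattern cannot guarantee any of them: File.open with
# "w" follows a pre-existing symlink and honours the process umask.
def temp_file_properties(file)
  st = File.lstat(file.path)
  {
    in_tmpdir:    File.dirname(file.path) == Dir.tmpdir,
    not_symlink:  !st.symlink?,
    owned_by_us:  st.uid == Process.euid,
    private_mode: (st.mode & 0o077).zero?  # no group/other access bits
  }
end

# Create one temp file with constructed sample content, record its
# properties, and confirm it is gone once the block has finished.
def demo_lifecycle
  path = nil
  props = Tempfile.create('ruby_parser_demo') do |f|
    f.write("constructed sample content\n")
    path = f.path
    temp_file_properties(f)
  end
  props.merge(removed_after_block: !File.exist?(path))
end
```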