BugTraq
CVE-2013-0162 rubygem-ruby_parser: incorrect temporary file usage / Public Service Announcement Feb 22 2013 06:00AM
Kurt Seifried (kseifried redhat com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a relatively minor issue, hence no embargo.

Michael Scherer (mscherer (at) redhat (dot) com [email concealed]) of Red Hat found:

Looking for incorrect /tmp/ usage, I found the following piece of code
in /usr/share/gems/gems/ruby_parser-2.0.4/lib/gauntlet_rubyparser.rb
(https://rubygems.org/gems/ruby_parser)

def diff_pp o1, o2
require 'pp'

File.open("/tmp/a.#{$$}", "w") do |f|
PP.pp o1, f
end

File.open("/tmp/b.#{$$}", "w") do |f|
PP.pp o2, f
end

`diff -u /tmp/a.#{$$} /tmp/b.#{$$}`
ensure
File.unlink "/tmp/a.#{$$}" rescue nil
File.unlink "/tmp/b.#{$$}" rescue nil
end

This was assigned CVE-2013-0162. The current version of ruby_parser is
3.1.1 and is affected. Fixing this is simple:

diff --git a/lib/gauntlet_rubyparser.rb b/lib/gauntlet_rubyparser.rb
index 4463c38..85137f9 100755
- --- a/lib/gauntlet_rubyparser.rb
+++ b/lib/gauntlet_rubyparser.rb
@@ -35,18 +35,19 @@ class RubyParserGauntlet < Gauntlet
def diff_pp o1, o2
require 'pp'

- - File.open("/tmp/a.#{$$}", "w") do |f|
- - PP.pp o1, f
- - end
+ file_a = Tempfile.new('ruby_parser_a')
+ PP.pp o1, file_a
+ file_a.close
+
+ file_b = Tempfile.new('ruby_parser_b')
+ PP.pp o2, file_b
+ file_b.close

- - File.open("/tmp/b.#{$$}", "w") do |f|
- - PP.pp o2, f
- - end

- - `diff -u /tmp/a.#{$$} /tmp/b.#{$$}`
+ `diff -u #{file_a.path} #{file_b.path}`
ensure
- - File.unlink "/tmp/a.#{$$}" rescue nil
- - File.unlink "/tmp/b.#{$$}" rescue nil
+ file_a.unlink
+ file_b.unlink
end

CC'ing the 3 people listed on ruby_parser as "owners".

Also I will be auditing a number of rubygems for various easy things,
as a reminder tmp file vulns are EASY to fix, just use the functions
listed in:

http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/

===============================
Public Service Announcement
===============================

For public issues please start CC'ing oss-security@ (especially if it
needs a CVE), and also rubysec (at) googlegroups (dot) com [email concealed] which will notify the
Ruby Security people (and then cool things like their tools will warn
users of outdated/insecure versions and so on).

For private/embargoed issues the rubygems.org/community is considering
some ways to make it easier to report security issues in gems, we'll
keep you posted.

- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRJwmQAAoJEBYNRVNeJnmTtiUQALQ80GH11AWQS+YmGKA6Yhk/
dZ65MdEDAHvyAJ/LewY/URShpEJmwtxOIu2rzlniKwzPSpNZtz15u/jUeNA94ez+
1glzGc5pYF19yL6E/aUf181ZzIhJaI2h9iWNjElui2+l/vkZKuEoygu6fB1CqxUv
d2ykR13dRP+IMj7BLBduLO8WztQ7maOncI9eIv6JgvgysRfffPqbhrUHQyvsow8q
fRSa52cMVvM+4Y6Zc4UvjWlEZwBC8DFt4UlJsa0OoY+UMjqqiKwWIK4/OjgPtd43
ID5CxtjT6x2ANPNLE9UJXoJPKgjvgbghN5wbdOthA8N3jM1s1tbvXDhvKl8zA90d
Eymjelo2iGhHiuQNaAsNqRmab1UlJDcy2UuiIg9IMH7qSMd5l6gosWMHpx4gM39c
moUdNucdpEX0Y33VNMhmjQEhFWy93uGALeHmQZeAAjO+k2/San78nF8luaHyUTXL
qba5VNHdBsWfL0ttHv1XhkWlWT/osRtgQLutLngr9h0nXDGqSJ0RvFOtAsGpvhCh
SfQMAHWPu6GUjhNG+7MedQX/P7kWfDy4qvdDu9kUN++EVcjtK4IOxXBx9KAF8Hj4
//xobZYswtp3zOFzVy5kWqLa5NyqNKye8ZAuqIpDGYfBlR/T5jGM8cMqqRtYyKkE
trGaadlo3zHW1K0Rplea
=FAr9
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus