Ruby security flaws expose release process problems
By Jake Edge
July 2, 2008
Some serious integer overflows in the Ruby language were recently
discovered and fixed, but the process has left some in the community
unhappy about how it was done. One of the biggest problems was that the
official patched versions of the language broke its signature application:
Rails. The overflows may lead to arbitrary code execution, which left
some users in a quandary, trying to decide whether to close known holes in
the language or to keep their web applications running.
There still seems to be some question about whether the holes are
exploitable or not, but one thing is abundantly clear: they were fixed in
the public CVS several days before any kind of security announcement was
made. It was made worse by referring to the CVE numbers in the commit
message. For anyone looking for a possibly exploitable Ruby flaw—one
that had yet to be publicly announced—that would be a glaringly
obvious place to start.
When a release and announcement went out, some of the versions specified
would cause Rails, the web application framework, to segfault. No new
updates have been posted to the Ruby language web site, leaving
distributions and users to fill in the gap. Some frantic scrambling can be
seen in a thread on the ruby-talk mailing list as folks with production
Rails applications cast about for solutions.
Part of the problem may stem from the number of separate language versions
the Ruby team is trying to support. Three stable versions (1.8.5, 1.8.6,
and 1.8.7) as well as one development version (1.9.0) are all affected by
these vulnerabilities. Unfortunately, all four of the updated packages had
one or more problems that either didn't fix all of the vulnerabilities or
broke Rails. Those are still the versions suggested as a fix as of this
writing.
The new versions were based on the latest code in the CVS tree which
evidently had not been tested completely. There are several test suites
available for Ruby and Rails that would have caught these problems, but
they apparently were not run. It is certainly important to get security
fixes out quickly, but introducing other vulnerabilities and/or
incompatibilities with existing code is a rather high price to pay.
As is waiting ten (and counting...) days for a proper fix from upstream.
For the most part, Linux distributions have resolved the problem for
themselves by either backporting the fixes into the version they already
support or by fixing the updated version provided. For example, Fedora 9
has done three separate releases to fully resolve the problem, the first to
upgrade to the suggested upstream version (1.8.6p230), a second to resolve
a segfault introduced somewhere between p114 and p230, and a third to
handle the problem of Rails being broken.
There is some indication that the Ruby team does not consider the flaws to
be exploitable for code execution but, if so, they are still clearly
denial-of-service vulnerabilities. The continued silence, at least on the
official website, should also give one pause. The release process for Ruby
seems to have fairly serious holes in it. This has caused some to issue a plea for a release
process on the ruby-core mailing list.
In addition, Dominique Brezinski claims that these bugs or some that were
closely related were disclosed
several years ago (see comment 43) and essentially ignored at that
time. This is disconcerting for a language that is being increasingly used
in web applications and other internet-facing services. One can only hope
that this incident will serve as a wake-up call to the Ruby developers.
Failing that, if additional incidents like this occur, it may instead serve
as a wake-up call for those who depend on Ruby.
Security news
The web browser "insecurity iceberg"
Stefan Frei and company have posted the results of a lengthy survey on
web browser security, looking, in particular, at how many users were
running versions without known vulnerabilities. "[W]e discovered that at
most 83.3% of Firefox users, 65.3% of Safari users, 56.1% of Opera users,
and 47.6% of Internet Explorer users were using the latest most secure
browser version on any day between January 2007 to June 2008... Despite
the single-click integrated auto-update functionality of Firefox, rather
surprisingly, 16.7% Firefox users (one out of six) continue to surf the Web
with an outdated version of the Web browser." But the real problem,
they say, is with insecure plugins.
New vulnerabilities
firefox: multiple vulnerabilities
kernel: multiple DoS vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2008-2372, CVE-2008-2750, CVE-2008-2826 |
| Created: | June 27, 2008 |
| Updated: | May 28, 2009 |
| Description: | The kernel package contains multiple vulnerabilities, the most serious of which can allow an unprivileged user to cause a denial of service. |
libetpan: denial of service
| Package(s): | libetpan |
| CVE #(s): | |
| Created: | June 26, 2008 |
| Updated: | July 2, 2008 |
| Description: | From the Fedora alert: Update to new upstream version 0.54 fixing a crash (NULL pointer dereference) in the mail message header parser. Note: There is no application in Fedora using the libetpan library for which such a crash could be considered a security issue. This can only be a security sensitive issue for some 3rd party, non-packaged applications. |
motion: off-by-one error
| Package(s): | motion |
| CVE #(s): | CVE-2008-2654 |
| Created: | July 1, 2008 |
| Updated: | July 2, 2008 |
| Description: | From the Gentoo advisory: Nico Golde reported an off-by-one error within the read_client() function in the webhttpd.c file, leading to a stack-based buffer overflow. Stefan Cornelius (Secunia Research) reported a boundary error within the same function, also leading to a stack-based buffer overflow. Both vulnerabilities require that the HTTP Control interface is enabled. |
mysql: privilege escalation
| Package(s): | mysql |
| CVE #(s): | CVE-2008-2079 |
| Created: | July 2, 2008 |
| Updated: | May 26, 2009 |
| Description: | From the Red Hat advisory: MySQL did not correctly check directories used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives. Using this flaw, an authenticated attacker could elevate their access privileges to tables created by other database users. Note: this attack does not work on existing tables. An attacker can only elevate their access to another user's tables as the tables are created. As well, the names of these created tables need to be predicted correctly for this attack to succeed. Version 5.0.50sp1a fixes the problem. |
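The class of check the advisory describes as missing, written here as an added illustration rather than MySQL's own code: a directory handed to DATA DIRECTORY or INDEX DIRECTORY is rejected when it is relative or resolves to somewhere inside the server's data directory, which is where another user's table files would later be created. The data directory value and the SHOW CREATE TABLE sample are constructed for the example.

```python
import os
import re
from typing import List, Optional, Tuple

# Constructed value: where the server keeps its per-database subdirectories.
DATADIR = "/var/lib/mysql"
_DIR_CLAUSE = re.compile(r"\b(DATA|INDEX) DIRECTORY\s*=\s*'([^']*)'")


def inside_datadir(path: str, datadir: str = DATADIR) -> bool:
    """True when `path` resolves to the data directory or anything below it.
    normpath collapses '..' so '/tmp/../var/lib/mysql/shop' is still caught."""
    norm = os.path.normpath(path)
    base = os.path.normpath(datadir)
    return norm == base or norm.startswith(base + os.sep)


def check_directory_option(path: str, datadir: str = DATADIR) -> Optional[str]:
    """Return a rejection reason, or None when the directory is acceptable.
    A table-file location inside the data directory can collide with the files
    the server later creates for another user's table of the same name."""
    if not os.path.isabs(path):
        return "directory must be an absolute path"
    if inside_datadir(path, datadir):
        return "directory must not be inside the server data directory"
    return None


def find_suspicious_tables(show_create_output: str, datadir: str = DATADIR) -> List[Tuple[str, str]]:
    """Scan SHOW CREATE TABLE text for DATA/INDEX DIRECTORY clauses failing the check."""
    findings = []
    for kind, path in _DIR_CLAUSE.findall(show_create_output):
        if check_directory_option(path, datadir) is not None:
            findings.append((kind + " DIRECTORY", path))
    return findings


# Constructed sample: two definitions as SHOW CREATE TABLE would print them.
SAMPLE = """CREATE TABLE `orders` (`id` int(11)) ENGINE=MyISAM DATA DIRECTORY='/var/lib/mysql/shop' INDEX DIRECTORY='/srv/idx'
CREATE TABLE `log` (`id` int(11)) ENGINE=MyISAM DATA DIRECTORY='/data/log'"""

if __name__ == "__main__":
    for kind, path in find_suspicious_tables(SAMPLE):
        print(kind, path, "->", check_directory_option(path))
```

Run against real output of SHOW CREATE TABLE for each MyISAM table, the scanner flags existing definitions that a fixed server would have refused.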
nasm: buffer overflow
| Package(s): | nasm |
| CVE #(s): | |
| Created: | June 26, 2008 |
| Updated: | July 2, 2008 |
| Description: | From the Red Hat bug database entry: There are several (low impact, but still) buffer overflows in NASM releases prior to 2.03.01. Additionally, in NASM prior to 2.03, some code that uses the EQU instruction would silently produce incorrect code. |
perl: insecure use of chmod
| Package(s): | perl |
| CVE #(s): | CVE-2008-2827 |
| Created: | June 26, 2008 |
| Updated: | August 29, 2008 |
| Description: | The Perl language uses chmod insecurely in the rmtree function. |
sympa: denial of service
| Package(s): | sympa |
| CVE #(s): | CVE-2008-1648 |
| Created: | July 2, 2008 |
| Updated: | July 7, 2008 |
| Description: | The sympa mailing list manager can be made to crash when processing "certain types of malformed messages." |
Page editor: Jake Edge