~ubuntu-branches/ubuntu/raring/ruby1.9.1/raring-security

Viewing changes to debian/patches/CVE-2013-2065.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2013-11-26 11:36:50 UTC
  • Revision ID: package-import@ubuntu.com-20131126113650-ubvq24vo78lqw7pd
Tags: 1.9.3.194-8.1ubuntu1.2
* SECURITY UPDATE: safe level restriction bypass via DL and Fiddle
  - debian/patches/CVE-2013-2065.patch: perform taint checking in
    ext/dl/lib/dl/func.rb, ext/fiddle/function.c.
  - CVE-2013-2065
* SECURITY UPDATE: denial of service and possible code execution via
  heap overflow in floating point parsing.
  - debian/patches/CVE-2013-4164.patch: check lengths in util.c, added
    test to test/ruby/test_float.rb.
  - CVE-2013-4164

1
Description: fix safe level restriction bypass via DL and Fiddle
 
2
Origin: upstream, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=40732
 
3
 
 
4
Index: ruby1.9.1-1.9.3.194/ext/dl/lib/dl/func.rb
 
5
===================================================================
 
6
--- ruby1.9.1-1.9.3.194.orig/ext/dl/lib/dl/func.rb      2010-06-25 15:43:15.000000000 -0400
 
7
+++ ruby1.9.1-1.9.3.194/ext/dl/lib/dl/func.rb   2013-11-26 11:33:08.377890767 -0500
 
8
@@ -55,6 +55,9 @@
 
9
         super
 
10
       else
 
11
         funcs = []
 
12
+        if $SAFE >= 1 && args.any? { |x| x.tainted? }
 
13
+          raise SecurityError, "tainted parameter not allowed"
 
14
+        end
 
15
         _args = wrap_args(args, @stack.types, funcs, &block)
 
16
         r = @cfunc.call(@stack.pack(_args))
 
17
         funcs.each{|f| f.unbind_at_call()}
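Review bot: the new guard sits only inside the `else` branch, after `funcs = []`, so the branch above it that ends in `super` is not covered by anything in this hunk. Please confirm that path rejects tainted arguments when `$SAFE >= 1` as well, or hoist the check above the conditional so both paths share it. Note also that `args.any? { |x| x.tainted? }` looks only at the taint flag of each top-level argument; a tainted object nested inside an untainted container passes, which deserves a comment stating that this is the intended scope of the check.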
 
18
Index: ruby1.9.1-1.9.3.194/ext/fiddle/function.c
 
19
===================================================================
 
20
--- ruby1.9.1-1.9.3.194.orig/ext/fiddle/function.c      2011-08-15 20:51:58.000000000 -0400
 
21
+++ ruby1.9.1-1.9.3.194/ext/fiddle/function.c   2013-11-26 11:33:12.265890867 -0500
 
22
@@ -101,6 +101,15 @@
 
23
 
 
24
     TypedData_Get_Struct(self, ffi_cif, &function_data_type, cif);
 
25
 
 
26
+    if (rb_safe_level() >= 1) {
 
27
+       for (i = 0; i < argc; i++) {
 
28
+           VALUE src = argv[i];
 
29
+           if (OBJ_TAINTED(src)) {
 
30
+               rb_raise(rb_eSecurityError, "tainted parameter not allowed");
 
31
+           }
 
32
+       }
 
33
+    }
 
34
+
 
35
     values = xcalloc((size_t)argc + 1, (size_t)sizeof(void *));
 
36
     generic_args = xcalloc((size_t)argc, (size_t)sizeof(fiddle_generic));
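Review bot: no regression test accompanies this check; the patch as shown changes only ext/dl/lib/dl/func.rb and ext/fiddle/function.c, so nothing asserts that a tainted argument raises `SecurityError` at safe level 1 or that an untainted call still succeeds. Please add one for each of DL and Fiddle. In the loop itself, `i` is used in `for (i = 0; i < argc; i++)` without a declaration in the visible lines, so it must already exist in the enclosing function with a type that matches `argc`. The placement before the two `xcalloc` calls is right, since `rb_raise` does not return and nothing has been allocated yet; keep it there. The `src` temporary can be dropped in favour of `OBJ_TAINTED(argv[i])`.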
 