====================================================================
CERT-Renater Information Note No. 2018/VULN366
_____________________________________________________________________

DATE                 : 05/11/2018
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Ruby versions 2.3, 2.4, 2.5, 2.6.

=====================================================================

https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/
https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/

_____________________________________________________________________

CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives

Posted by usa on 17 Oct 2018

In Array#pack and String#unpack with some formats, the tainted flags of the original data are not propagated to the returned string/array. This vulnerability has been assigned the CVE identifier CVE-2018-16396.

Details

The Array#pack method converts the receiver's contents into a string using a specified format. If the receiver contains any tainted objects, the returned string should also be tainted. Likewise, the String#unpack method, which converts the receiver into an array, should propagate the receiver's tainted flag to the objects in the returned array. However, with the B, b, H, and h directives, the tainted flags are not propagated. So, if a script processes untrusted input with Array#pack and/or String#unpack using these directives and relies on tainted flags to decide whether the result is trustworthy, that check may give the wrong answer.

All users running an affected release should upgrade immediately.

Affected Versions

  Ruby 2.3 series: 2.3.7 and earlier
  Ruby 2.4 series: 2.4.4 and earlier
  Ruby 2.5 series: 2.5.1 and earlier
  Ruby 2.6 series: 2.6.0-preview2 and earlier
  prior to trunk revision r65125

Credit

Thanks to Chris Seaton for reporting the issue.
History

Originally published at 2018-10-17 14:00:00 (UTC)

_____________________________________________________________________

CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly

Posted by usa on 17 Oct 2018

The equality check of OpenSSL::X509::Name is not correct in the openssl extension library bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2018-16395.

Details

An instance of OpenSSL::X509::Name contains entities such as CN, C, and so on. Two instances of OpenSSL::X509::Name are equal only when all entities are exactly equal. However, due to a bug, the equality check is incorrect when the value of an entity in the argument (right-hand side) starts with the value of the corresponding entity in the receiver (left-hand side). So, if a malicious X.509 certificate is compared with an existing certificate, the two may incorrectly be judged equal.

Ruby users are strongly recommended to upgrade their Ruby installation or to apply one of the following workarounds as soon as possible.

Affected Versions

  Ruby 2.3 series: 2.3.7 and earlier
  Ruby 2.4 series: 2.4.4 and earlier
  Ruby 2.5 series: 2.5.1 and earlier
  Ruby 2.6 series: 2.6.0-preview2 and earlier
  prior to trunk revision r65139

Workaround

The openssl 2.1.2 gem or later includes a fix for the vulnerability, so upgrade the openssl gem to the latest version if you are using Ruby 2.4 or a later series.

  gem install openssl -v ">= 2.1.2"

However, in the Ruby 2.3 series, you cannot override the bundled version of openssl with the openssl gem. Please upgrade your Ruby installation to the latest version.

Credit

Thanks to Tyler Eckstein for reporting the issue.
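The prefix case described above, as an added example that is not part of the advisory or of Ruby's own code: it builds two constructed names whose CN values differ only by a suffix, and compares them with a version-independent check (byte-for-byte DER comparison) that holds regardless of whether the bundled OpenSSL::X509::Name#== has been fixed. The function names and sample values are assumptions for illustration.

```ruby
require 'openssl'

# Constructed sample names (not taken from the advisory). The right-hand
# side's CN starts with the left-hand side's CN, which is exactly the shape
# of input the vulnerable OpenSSL::X509::Name#== mis-judged as equal.
LHS  = OpenSSL::X509::Name.new([["CN", "example",          OpenSSL::ASN1::UTF8STRING]])
RHS  = OpenSSL::X509::Name.new([["CN", "example-extended", OpenSSL::ASN1::UTF8STRING]])
SAME = OpenSSL::X509::Name.new([["CN", "example",          OpenSSL::ASN1::UTF8STRING]])

# Version-independent equality: compare the complete DER encoding of both
# names. Every RDN (type, value and ASN.1 string tag) is part of the
# encoding, so a value can never be confused with one of its prefixes.
def x509_names_equal?(a, b)
  a.to_der == b.to_der
end

# Secondary check on the decoded entries, which is what the advisory says
# equality should mean: all entities exactly equal.
def x509_entries_equal?(a, b)
  a.to_a == b.to_a
end

# Self-check for an installation: true means the bundled library still
# reports the prefix pair as equal, i.e. the advisory's bug is present.
def bundled_equality_vulnerable?
  LHS == RHS
end

if __FILE__ == $0
  puts "bundled == reports prefix pair equal? #{bundled_equality_vulnerable?}"
  puts "DER comparison reports equal?          #{x509_names_equal?(LHS, RHS)}"
  puts "DER comparison on identical names?     #{x509_names_equal?(LHS, SAME)}"
end
```

Run the script on a host you want to check: a fixed Ruby or openssl gem prints false for the first line, while the DER comparison prints false for the prefix pair and true for the identical pair on every version.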
History

Originally published at 2018-10-17 14:00:00 (UTC)
Mention the fixed revision of trunk at 2018-10-19 00:00:00 (UTC)

=========================================================
+ CERT-RENATER            | tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel        | fax : 01-53-94-20-41         +
+ 75013 Paris             | email: cert@support.renater.fr +
=========================================================