=====================================================================
                                   CERT-Renater

                        Information Note No. 2011/VULN144
_____________________________________________________________________

DATE                      : 21/02/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Ruby versions prior to 1.8.7-334,
                              1.9.1-p431, 1.9.2-p180.

======================================================================
http://www.ruby-lang.org/en/news/2011/02/18/fileutils-is-vulnerable-to-symlink-race-attacks/
http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/
______________________________________________________________________


FileUtils is vulnerable to symlink race attacks

A symlink race condition vulnerability was found in FileUtils.remove_entry_secure.
The vulnerability allows local users to delete arbitrary files and
directories.

Affected versions

    * Ruby 1.8.6 patchlevel 420 and all prior versions
    * Ruby 1.8.7 patchlevel 330 and all prior versions
    * Development versions of Ruby 1.8 (1.8.8dev)
    * Ruby 1.9.1 patchlevel 430 and all prior versions
    * Ruby 1.9.2 patchlevel 136 and all prior versions
    * Development versions of Ruby 1.9 (1.9.3dev)

Solutions

We have fixed this situation. All affected users are encouraged to upgrade
their Ruby installation.

Please also note that symlink race attacks are unavoidable when any of the
directories above the one you want to delete from is owned by someone you
cannot trust. So if you want to be secure, you must ensure that ALL
parent directories cannot be moved by other untrusted users. For example,
parent directories should not be owned by untrusted users, and should not
be world writable except when the sticky bit is set.
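
The parent-directory rule above can be audited with a short script. This is an added example, not code from the Ruby advisory or from FileUtils; the helper name unsafe_parents and the choice of root plus the current user as the trusted owners are assumptions of the example.

```ruby
require 'tmpdir'

# Added example (hypothetical helper, not part of Ruby or FileUtils).
# Returns [directory, reason] pairs for every ancestor of +path+ that an
# untrusted local user could rename or replace, per the rule quoted above.
# Assumption: "trusted" means root and the user running the script.
def unsafe_parents(path, trusted_uids = [0, Process.euid])
  findings = []
  # Resolve symlinks first so the walk covers the real directory chain.
  dir = File.realpath(File.dirname(File.expand_path(path)))
  loop do
    st = File.stat(dir)
    world_writable = (st.mode & 0o002) != 0
    sticky         = (st.mode & 0o1000) != 0
    unless trusted_uids.include?(st.uid)
      findings << [dir, "owned by untrusted uid #{st.uid}"]
    end
    if world_writable && !sticky
      findings << [dir, "world-writable without sticky bit"]
    end
    parent = File.dirname(dir)
    break if parent == dir   # reached the filesystem root
    dir = parent
  end
  findings
end

# Constructed demo: two scratch directories, one mode 0777, one mode 1777.
def demo
  Dir.mktmpdir do |base|
    base = File.realpath(base)
    open_dir   = File.join(base, "open")
    sticky_dir = File.join(base, "sticky")
    Dir.mkdir(open_dir);   File.chmod(0o777,  open_dir)
    Dir.mkdir(sticky_dir); File.chmod(0o1777, sticky_dir)
    [open_dir, sticky_dir].map do |d|
      flagged = unsafe_parents(File.join(d, "victim")).any? { |dir, _| dir == d }
      [File.basename(d), flagged]
    end
  end
end

if __FILE__ == $0
  demo.each { |name, flagged| puts "#{name}: #{flagged ? 'UNSAFE' : 'ok'}" }
end
```

The result is a point-in-time audit of the directory chain; any entry it reports is a directory where the upgrade alone does not remove the race.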

Updates

    * Fixed typo. (vulnerabile -> vulnerable)
    * 1.8.7-334 was released to fix this issue. 1.8.7 users are encouraged to upgrade.
          o ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p334.tar.gz
          o ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p334.tar.bz2
          o ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p334.zip
    * 1.9.1-p431 was released to fix this issue. 1.9.1 users are encouraged to upgrade.
          o ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p431.tar.gz
          o ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p431.tar.bz2
          o ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p431.zip
    * 1.9.2-p180 was released to fix this issue. 1.9.2 users are encouraged to upgrade.
          o ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.2-p180.tar.gz
          o ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.2-p180.tar.bz2
          o ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.2-p180.zip
    * Fixed affected versions for 1.9 series.
_______________________________________________________________________


Exception methods can bypass $SAFE

The Exception#to_s method can be used to trick the $SAFE check, which allows
untrusted code to modify arbitrary strings.

Detailed description

In Ruby's $SAFE semantics, a safe level of 4 is used to run untrusted code
(such as a plugin). At the higher safe levels, certain operations are
prohibited to prevent untrusted code from attacking outer (trusted) data.

Exception#to_s was found to be problematic in this respect. The method can
trick the safe level mechanism and destructively modify an untainted string
to be tainted. With this, an attacker can modify arbitrary untainted strings
like this:

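# Trusted code: an untainted string that sandboxed code must not modify.
$secret_path = "foo"

# Untrusted code running at safe level 4.
proc do
  $SAFE = 4
  # On affected versions, to_s marks the original string as tainted ...
  Exception.new($secret_path).to_s
  # ... so the in-place modification is no longer rejected.
  $secret_path.replace "/etc/passwd"
end.call

# Trusted code now opens a path chosen by the untrusted code.
open($secret_path) do
  ...
end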

Affected versions

Luckily this attack is ineffective for the 1.9.x series of Ruby.
Affected versions are restricted to:

    * Ruby 1.8.6 patchlevel 420 and all prior versions
    * Ruby 1.8.7 patchlevel 330 and all prior versions
    * Development versions of Ruby 1.8 (1.8.8dev)

Solutions

Please upgrade to a newer version.

Updates

    * 1.8.7-334 was released to fix this issue. 1.8.7 users are encouraged to upgrade.
          o ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p334.tar.gz
          o ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p334.tar.bz2
          o ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p334.zip



======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================

