oss-sec mailing list archives

Re: Fwd: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes)


From: Ramon de C Valle <rdecvalle () vmware com>
Date: Thu, 10 Jul 2014 21:59:26 +0000

Hi Tomas, Murray,

On Jul 10, 2014, at 7:43 AM, Tomas Hoger <thoger () redhat com> wrote:

On Wed, 9 Jul 2014 15:45:10 +0000 Ramon de C Valle wrote:

I believe this should have a CVE assigned.

Can you post more details of your analysis of the issue to clarify what
the issue is here?
From https://bugs.ruby-lang.org/issues/10019, it seems that you’ve figured it out already. Correct me if I’m wrong but, 
for Base64, a value of 3072 for len isn’t enough to cause the off-by-one as the while loop will terminate with the 
value of len being zero (and the value of i being 4092). However, if the value of len is either 3073* or 3074*, the 
while loop will terminate with the value of len being 1 or 2 respectively (and the value of i being 4092), with one of 
the subsequent if/else if conditions evaluating to true, resulting in the off-by-one.

I see you’ve checked the template strings used by the aws-sdk gem and its dependencies and they use ‘m0’ only, which rules 
out the possibility of this off-by-one being caused by any of these gems. So, now I’m also not sure what the reporter is 
referring to.

*It is possible to pass non-multiple-of-3 values as the len parameter of the encodes function by passing a string with 
length smaller than the count (/ 3 * 3) passed in the template string (see 
https://github.com/ruby/ruby/blob/trunk/pack.c#L839).


-- 
Tomas Hoger / Red Hat Security Response Team

--
Ramon de C Valle
VMware Product Security Engineering
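To make the index arithmetic discussed in this thread concrete, here is an added model (not code from the thread and not pack.c itself) of a 3-byte to 4-char encoder that accumulates output in a fixed stack buffer, flushes when headroom gets low, and then writes a padded tail group plus a trailing newline. The buffer size of 4096, the flush rule and the newline are assumptions of the model; the function reports the highest index written so the headroom check can be audited against every byte written after the loop.

```c
#include <stdio.h>

/* Constructed model (assumption: this is NOT pack.c). Output is buffered
 * in a fixed array and flushed when fewer than `need` bytes remain; after
 * the loop a padded tail group (len 1 or 2) and a newline are written
 * unconditionally. `need` must be >= OUT_UNIT or the loop never flushes. */
enum { BUFF_SIZE = 4096, IN_UNIT = 3, OUT_UNIT = 4 };

/* Highest buffer index written while encoding `len` input bytes.
 * Any result >= BUFF_SIZE means the post-loop writes ran off the end. */
long max_index_written(long len, long need)
{
    long i = 0, high = -1;
    while (len >= IN_UNIT) {
        while (len >= IN_UNIT && BUFF_SIZE - i >= OUT_UNIT) {
            i += OUT_UNIT;           /* one full 4-char group */
            len -= IN_UNIT;
        }
        if (BUFF_SIZE - i < need) {  /* flush: copy out, start over */
            if (i - 1 > high) high = i - 1;
            i = 0;
        }
    }
    if (len == 1 || len == 2)
        i += OUT_UNIT;               /* padded tail group */
    i += 1;                          /* trailing newline */
    if (i - 1 > high) high = i - 1;
    return high;
}

/* 1 if the post-loop writes land past the buffer for this input length. */
int tail_overflows(long len, long need)
{
    return max_index_written(len, need) >= BUFF_SIZE;
}

/* Smallest input length in [0, limit) that overflows, or -1 if none. */
long first_overflowing_len(long limit, long need)
{
    for (long len = 0; len < limit; len++)
        if (tail_overflows(len, need))
            return len;
    return -1;
}

int main(void)
{
    /* Flushing only when fewer than 4 bytes remain ignores the newline. */
    printf("flush at <4: first bad len = %ld\n", first_overflowing_len(2 * BUFF_SIZE, OUT_UNIT));
    /* Reserving one extra byte accounts for every post-loop write. */
    printf("flush at <5: first bad len = %ld\n", first_overflowing_len(2 * BUFF_SIZE, OUT_UNIT + 1));
    return 0;
}
```

In this model only input lengths whose residue leaves a tail group while exactly one 4-byte slot remains reach index 4096; raising the flush threshold by the size of the newline removes every such case.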

