oss-sec mailing list archives
Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes)
From: Ramon de C Valle <rdecvalle () vmware com>
Date: Mon, 14 Jul 2014 17:01:09 +0000
The fix for the (off-by-one) issue was added in https://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/46778. Is MITRE or Red Hat going to assign a CVE for it?

On Jul 10, 2014, at 8:12 PM, Ramon de C Valle <rdecvalle () vmware com> wrote:

> On Jul 10, 2014, at 6:59 PM, Ramon de C Valle <rdecvalle () vmware com> wrote:
>
>> Hi Thomas, Murray,
>>
>> On Jul 10, 2014, at 7:43 AM, Tomas Hoger <thoger () redhat com> wrote:
>>
>>> On Wed, 9 Jul 2014 15:45:10 +0000 Ramon de C Valle wrote:
>>>
>>>> I believe this should have a CVE assigned.
>>>
>>> Can you post more details of your analysis of the issue to clarify what the issue is here?
>>
>> From https://bugs.ruby-lang.org/issues/10019, it seems that you’ve figured it out already. Correct me if I’m wrong, but for Base64 a value of 3072 for len isn’t enough to cause the off-by-one, as the while loop will terminate with the value of len being zero (and the value of i being 4092). However, if the value of len is either 3073* or 3074*, the while loop will terminate with the value of len being 1 or 2 respectively (and the value of i being 4092), with one of the subsequent if/else if conditions evaluating to true, resulting in the off-by-one.
>>
>> I see you’ve checked the template strings used by the aws-sdk gem and its dependencies and they use ‘m0’ only, which rules out the possibility of this off-by-one being caused by any of these gems. So, now I’m also not sure what the reporter is referring to.
>>
>> *It is possible to pass non-multiple-of-3 values as the len parameter of the encodes function by passing a string with length smaller than the count (/ 3 * 3) passed in the template string (see https://github.com/ruby/ruby/blob/trunk/pack.c#L839).
>
> I just double checked it, and the correct values are 3069, 3070, and 3071.
>
> So, 3069 is the value that isn’t enough to cause the off-by-one, and if the value of len is either 3070* or 3071*, the while loop will terminate with the value of len being 1 or 2 respectively (and the value of i being 4092), with one of the subsequent if/else if conditions evaluating to true (incrementing the value of i up to 4096), resulting in the off-by-one (at https://github.com/ruby/ruby/blob/trunk/pack.c#L987), which matches the first case you’ve listed.
>
> Anyway, whatever the reporter is referring to, he mentions it doesn't occur in 1.9.3, and looking at 1.9.3, the only related differences I immediately noticed are the absence of the check at https://github.com/ruby/ruby/blob/trunk/pack.c#L829 in the pack_pack function and padding being an int (instead of char) in the encodes function.
>
>>> -- Tomas Hoger / Red Hat Security Response Team
>>
>> -- Ramon de C Valle VMware Product Security Engineering
>
> -- Ramon de C Valle VMware Product Security Engineering

-- Ramon de C Valle VMware Product Security Engineering
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
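The quoted analysis turns on index arithmetic: how far the write index i advances for a given len before the tail branch and the trailing newline run. The program below is an added example, not code from this thread or from Ruby's pack.c; it models only that arithmetic (no buffer is actually written), so it can be used to check the thread's figures and any other len value. It assumes a 4096-byte staging buffer, 4-byte output groups per 3 input bytes, a flush when fewer than 4 bytes of space remain, and one trailing newline as emitted for an 'm' template with a count; the function names max_index_written and overruns_buffer are mine.

```c
#include <stdio.h>
#include <stdbool.h>

/* Assumed staging-buffer size. The thread's values (i == 4092 after the
   loop, i == 4096 after the tail branch) are consistent with a 4096-byte
   buffer filled in 4-byte Base64 groups. */
enum { BUFF_SIZE = 4096, GROUP_LEN = 4 };

/* Simulate the index arithmetic of an encodes()-style loop:
   - emit one 4-byte group per 3 input bytes while len >= 3, flushing
     (resetting i to 0) when fewer than GROUP_LEN bytes of space remain;
   - emit one padded 4-byte group if 1 or 2 input bytes are left over;
   - emit a trailing newline at buff[i] when tail_lf is set.
   Returns the largest buffer index that would be written, or -1 if none. */
long max_index_written(long len, bool tail_lf)
{
    long i = 0, max_i = -1;

    while (len >= 3) {
        while (len >= 3 && BUFF_SIZE - i >= GROUP_LEN) {
            i += GROUP_LEN;
            len -= 3;
            if (i - 1 > max_i) max_i = i - 1;
        }
        if (BUFF_SIZE - i < GROUP_LEN) {
            i = 0;  /* buffer handed off to the result string */
        }
    }
    if (len == 2 || len == 1) {
        i += GROUP_LEN;  /* partial group plus '=' padding */
        if (i - 1 > max_i) max_i = i - 1;
    }
    if (tail_lf) {
        if (i > max_i) max_i = i;  /* newline lands at buff[i] */
        i++;
    }
    return max_i;
}

/* True when some simulated write index reaches or passes BUFF_SIZE,
   i.e. the write would fall outside a BUFF_SIZE-byte buffer. */
bool overruns_buffer(long len, bool tail_lf)
{
    return max_index_written(len, tail_lf) >= BUFF_SIZE;
}

int main(void)
{
    /* Constructed probe values: the thread's 3069..3071 plus 3072. */
    long probes[] = { 3069, 3070, 3071, 3072 };
    for (size_t k = 0; k < sizeof probes / sizeof probes[0]; k++) {
        printf("len=%ld  max index=%ld  overrun=%s\n", probes[k],
               max_index_written(probes[k], true),
               overruns_buffer(probes[k], true) ? "yes" : "no");
    }
    return 0;
}
```

Under these assumptions 3069 leaves i at 4092 after the loop and the newline fits at index 4092, while 3070 and 3071 take the tail branch, leave i at 4096, and put the newline one byte past a 4096-byte buffer; 3072 fills the buffer exactly, triggers the flush, and is safe again. A fix that sizes the buffer for the newline (or flushes before the tail branch) makes overruns_buffer false for every len, which is the property to check after applying the revision cited above.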
Current thread:
- Fwd: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Ramon de C Valle (Jul 09)
- Re: Fwd: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Murray McAllister (Jul 09)
- Re: Fwd: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Tomas Hoger (Jul 10)
- Re: Fwd: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Ramon de C Valle (Jul 10)
- Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Ramon de C Valle (Jul 10)
- Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Ramon de C Valle (Jul 14)
- Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Kurt Seifried (Jul 14)
- Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) cve-assign (Jul 14)
- Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Ramon de C Valle (Jul 15)
- Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) cve-assign (Jul 15)
- Re: Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Tomas Hoger (Jul 16)
- Re: Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Tomas Hoger (Jul 16)
- Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Ramon de C Valle (Jul 16)
- Re: Fwd: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Ramon de C Valle (Jul 10)
- Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) cve-assign (Jul 17)