oss-sec mailing list archives

Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes)


From: Ramon de C Valle <rdecvalle () vmware com>
Date: Mon, 14 Jul 2014 17:01:09 +0000

The fix for the (off-by-one) issue was added in https://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/46778. Is MITRE or Red Hat going to assign a CVE for it?

On Jul 10, 2014, at 8:12 PM, Ramon de C Valle <rdecvalle () vmware com> wrote:


On Jul 10, 2014, at 6:59 PM, Ramon de C Valle <rdecvalle () vmware com> wrote:

Hi Thomas, Murray,

On Jul 10, 2014, at 7:43 AM, Tomas Hoger <thoger () redhat com> wrote:

On Wed, 9 Jul 2014 15:45:10 +0000 Ramon de C Valle wrote:

I believe this should have a CVE assigned.

Can you post more details of your analysis of the issue to clarify what
the issue is here?
From https://bugs.ruby-lang.org/issues/10019, it seems that you’ve figured it out already. Correct me if I’m wrong but, for Base64, a value of 3072 for len isn’t enough to cause the off-by-one as the while loop will terminate with the value of len being zero (and the value of i being 4092). However, if the value of len is either 3073* or 3074*, the while loop will terminate with the value of len being 1 or 2 respectively (and the value of i being 4092), with one of the subsequent if/else if conditions evaluating to true, resulting in the off-by-one.

I see you’ve checked the template strings used by the aws-sdk gem and its dependencies and they use ‘m0’ only, which rules out the possibility of this off-by-one being caused by any of these gems. So, now I’m also not sure what the reporter is referring to.

*It is possible to pass non-multiple-of-3 values as the len parameter of the encodes function by passing a string with length smaller than the count (/ 3 * 3) passed in the template string (see https://github.com/ruby/ruby/blob/trunk/pack.c#L839).
I just double checked it, and the correct values are 3069, 3070, and 3071. So, a value of 3069 is the value that isn’t enough to cause the off-by-one, and if the value of len is either 3070* or 3071*, the while loop will terminate with the value of len being 1 or 2 respectively (and the value of i being 4092), with one of the subsequent if/else if conditions evaluating to true (incrementing the value of i up to 4096), resulting in the off-by-one (at https://github.com/ruby/ruby/blob/trunk/pack.c#L987), which matches the first case you’ve listed.

Anyway, whatever the reporter is referring to, he mentions it doesn't occur in 1.9.3, and looking at 1.9.3, the only related differences I immediately noticed are the absence of the check at https://github.com/ruby/ruby/blob/trunk/pack.c#L829 in the pack_pack function and padding being an int (instead of char) in the encodes function.



-- 
Tomas Hoger / Red Hat Security Response Team

--
Ramon de C Valle
VMware Product Security Engineering

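A model of the buffer accounting discussed in the thread above, added here as an example; it is not code from the thread, from ruby's pack.c, or from revision 46778. It assumes the loop shape the messages describe (a 4096-byte buffer, four output bytes per three input bytes, a flush when fewer than four bytes remain, then the padded tail group and the trailing newline for 'm', which 'm0' omits); the reserve_tail option stands for the class of fix that flushes before the tail, not the exact change in r46778, and only the base64 ('m') path is modelled, since the 'u' path writes a length byte first. The model counts indices instead of writing to memory, so it reports where the extra byte would land rather than triggering anything, which makes it usable as a check when auditing similar fixed-buffer encoders.

```c
/* Added example: a model of the index accounting in encodes() as the thread
 * describes it.  This is not code from ruby's pack.c or from r46778; the loop
 * shape is an assumption based on the discussion above.  It counts indices
 * instead of writing to memory, so it reports the overrun rather than causing it. */
#include <stdbool.h>
#include <stdio.h>

#define BUFF_SIZE    4096   /* buffer size the thread discusses */
#define ENCODED_UNIT 4      /* base64 output bytes per group */
#define INPUT_UNIT   3      /* input bytes per group */

typedef struct {
    long max_index;   /* highest buffer index written; BUFF_SIZE means off-by-one */
    long flushes;     /* number of times the buffer was emptied into the string */
    bool overrun;     /* true if any write landed at index >= BUFF_SIZE */
} encodes_trace;

/* Record the last index touched after writes that advanced i. */
static void note_write(encodes_trace *t, long i)
{
    if (i - 1 > t->max_index) t->max_index = i - 1;
}

/* Base64 ('m') path only: the 'u' path writes a length byte first.
 * reserve_tail=false follows the thread's description of the unfixed loop;
 * reserve_tail=true flushes before the tail if it would not fit, the class of
 * fix that removes the off-by-one (assumption, not r46778's exact diff). */
static encodes_trace simulate_encodes(long len, bool tail_lf, bool reserve_tail)
{
    encodes_trace t = { -1, 0, false };
    long i = 0;

    /* Full groups: four bytes out per three in, flush when fewer than four fit. */
    while (len >= INPUT_UNIT) {
        while (len >= INPUT_UNIT && BUFF_SIZE - i >= ENCODED_UNIT) {
            i += ENCODED_UNIT;
            len -= INPUT_UNIT;
        }
        note_write(&t, i);
        if (BUFF_SIZE - i < ENCODED_UNIT) {
            t.flushes++;
            i = 0;
        }
    }

    /* Tail: a padded group for 1 or 2 leftover bytes, then the '\n' for 'm'
     * (not for 'm0', where tail_lf is false).  With len = 3070 or 3071 the
     * loop leaves i at 4092, so the tail reaches index 4096 unless flushed. */
    long tail = (len > 0 ? ENCODED_UNIT : 0) + (tail_lf ? 1 : 0);
    if (reserve_tail && tail > 0 && BUFF_SIZE - i < tail) {
        t.flushes++;
        i = 0;
    }
    if (len == 1 || len == 2) i += ENCODED_UNIT;
    if (tail_lf) i += 1;
    note_write(&t, i);

    t.overrun = t.max_index >= BUFF_SIZE;
    return t;
}

int main(void)
{
    printf("%6s %8s %10s %8s\n", "len", "tail_lf", "max_index", "overrun");
    for (long len = 3068; len <= 3073; len++) {
        encodes_trace m  = simulate_encodes(len, true, false);   /* template 'm'  */
        encodes_trace m0 = simulate_encodes(len, false, false);  /* template 'm0' */
        printf("%6ld %8s %10ld %8s\n", len, "yes", m.max_index, m.overrun ? "YES" : "no");
        printf("%6ld %8s %10ld %8s\n", len, "no", m0.max_index, m0.overrun ? "YES" : "no");
    }
    return 0;
}
```

Running it lists 3069 as the last safe length and 3070 and 3071 as the two that reach index 4096 with the trailing newline, while the same lengths without the newline ('m0') stay within the buffer, which is the reasoning in the thread for ruling out the aws-sdk templates. Setting reserve_tail to true shows that one extra flush before the tail keeps the highest index below 4096 for every length.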

