The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected names via a NUL byte in a file path.

According to the versions of the ruby packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - Ruby 1.8.7 before patchlevel 371, 1.9.3 before     patchlevel 286, and 2.0 before revision r37068 allows     context-dependent attackers to bypass safe-level     restrictions and modify untainted strings via the     name_err_mesg_to_str API function, which marks the     string as tainted, a different vulnerability than     CVE-2011-1005.(CVE-2012-4466)

  - The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel     551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x     before 2.1.5 allows remote attackers to cause a denial     of service (CPU and memory consumption) a crafted XML     document containing an empty string in an entity that     is used in a large number of nested entity references,     aka an XML Entity Expansion (XEE) attack. NOTE: this     vulnerability exists because of an incomplete fix for     CVE-2013-1821 and CVE-2014-8080.(CVE-2014-8090)

  - Algorithmic complexity vulnerability in     Gem::Version::VERSION_PATTERN in     lib/rubygems/version.rb in RubyGems before 1.8.23.1,     1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x     before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247,     allows remote attackers to cause a denial of service     (CPU consumption) via a crafted gem version that     triggers a large amount of backtracking in a regular     expression.(CVE-2013-4287)

  - The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x     before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote     attackers to cause a denial of service (memory     consumption) via a crafted XML document, aka an XML     Entity Expansion (XEE) attack.(CVE-2014-8080)

  - The OpenSSL::SSL.verify_certificate_identity function     in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374,     1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does     not properly handle a '\\0' character in a domain name     in the Subject Alternative Name field of an X.509     certificate, which allows man-in-the-middle attackers     to spoof arbitrary SSL servers via a crafted     certificate issued by a legitimate Certification     Authority, a related issue to     CVE-2009-2408.(CVE-2013-4073)

  - The rb_get_path_check function in file.c in Ruby 1.9.3     before patchlevel 286 and Ruby 2.0.0 before r37163     allows context-dependent attackers to create files in     unexpected locations or with unexpected names via a NUL     byte in a file path.(CVE-2012-4522)

  - (1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3     patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do     not perform taint checking for native functions, which     allows context-dependent attackers to bypass intended     $SAFE level restrictions.(CVE-2013-2065)

  - Algorithmic complexity vulnerability in     Gem::Version::ANCHORED_VERSION_PATTERN in     lib/rubygems/version.rb in RubyGems before 1.8.23.2,     1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x     before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247,     allows remote attackers to cause a denial of service     (CPU consumption) via a crafted gem version that     triggers a large amount of backtracking in a regular     expression. NOTE: this issue is due to an incomplete     fix for CVE-2013-4287.(CVE-2013-4363)

  - Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before     r37575 computes hash values without properly     restricting the ability to trigger hash collisions     predictably, which allows context-dependent attackers     to cause a denial of service (CPU consumption) via     crafted input to an application that maintains a hash     table, as demonstrated by a universal multicollision     attack against a variant of the MurmurHash2 algorithm,     a different vulnerability than     CVE-2011-4815.(CVE-2012-5371)

  - Off-by-one error in the encodes function in pack.c in     Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when     using certain format string specifiers, allows     context-dependent attackers to cause a denial of     service (segmentation fault) via vectors that trigger a     stack-based buffer overflow.(CVE-2014-4975)

  - Heap-based buffer overflow in Ruby 1.8, 1.9 before     1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0     preview2, and trunk before revision 43780 allows     context-dependent attackers to cause a denial of     service (segmentation fault) and possibly execute     arbitrary code via a string that is converted to a     floating point value, as demonstrated using (1) the     to_f method or (2) JSON.parse.(CVE-2013-4164)

  - It was found that the methods from the Dir class did     not properly handle strings containing the NULL byte.
    An attacker, able to inject NULL bytes in a path, could     possibly trigger an unspecified behavior of the ruby     script.(CVE-2018-8780)

  - Ruby 1.9.3 before patchlevel 286 and 2.0 before     revision r37068 allows context-dependent attackers to     bypass safe-level restrictions and modify untainted     strings via the (1) exc_to_s or (2) name_err_to_s API     function, which marks the string as tainted, a     different vulnerability than CVE-2012-4466. NOTE: this     issue might exist because of a CVE-2011-1005     regression.(CVE-2012-4464)

  - An issue was discovered in the OpenSSL library in Ruby     before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2,     and 2.6.x before 2.6.0-preview3. When two     OpenSSL::X509::Name objects are compared using ==,     depending on the ordering, non-equal objects may return     true. When the first argument is one character longer     than the second, or the second argument contains a     character that is one less than a character in the same     position of the first argument, the result of == will     be true. This could be leveraged to create an     illegitimate certificate that may be accepted as     legitimate and then used in signing or encryption     operations.(CVE-2018-16395)

  - An issue was discovered in Ruby before 2.3.8, 2.4.x     before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before     2.6.0-preview3. It does not taint strings that result     from unpacking tainted strings with some     formats.(CVE-2018-16396)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Red Hat OpenShift Enterprise 1.1.1 is now available.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

OpenShift Enterprise is a cloud computing Platform-as-a-Service (PaaS) solution from Red Hat, and is designed for on-premise or private cloud deployments.

Installing the updated packages and restarting the OpenShift services are the only requirements for this update. However, if you are updating your system to Red Hat Enterprise Linux 6.4 while applying OpenShift Enterprise 1.1.1 updates, it is recommended that you restart your system.

For further information about this release, refer to the OpenShift Enterprise 1.1.1 Technical Notes, available shortly from https://access.redhat.com/knowledge/docs/

This update also fixes the following security issues :

Multiple cross-site scripting (XSS) flaws were found in rubygem-actionpack. A remote attacker could use these flaws to conduct XSS attacks against users of an application using rubygem-actionpack.
(CVE-2012-3463, CVE-2012-3464, CVE-2012-3465)

It was found that certain methods did not sanitize file names before passing them to lower layer routines in Ruby. If a Ruby application created files with names based on untrusted input, it could result in the creation of files with different names than expected.
(CVE-2012-4522)

A denial of service flaw was found in the implementation of associative arrays (hashes) in Ruby. An attacker able to supply a large number of inputs to a Ruby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, a new, more collision resistant algorithm has been used to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2012-5371)

Input validation vulnerabilities were discovered in rubygem-activerecord. A remote attacker could possibly use these flaws to perform a SQL injection attack against an application using rubygem-activerecord. (CVE-2012-2661, CVE-2012-2695, CVE-2013-0155)

Input validation vulnerabilities were discovered in rubygem-actionpack. A remote attacker could possibly use these flaws to perform a SQL injection attack against an application using rubygem-actionpack and rubygem-activerecord. (CVE-2012-2660, CVE-2012-2694)

A flaw was found in the HTTP digest authentication implementation in rubygem-actionpack. A remote attacker could use this flaw to cause a denial of service of an application using rubygem-actionpack and digest authentication. (CVE-2012-3424)

A flaw was found in the handling of strings in Ruby safe level 4. A remote attacker can use Exception#to_s to destructively modify an untainted string so that it is tainted, the string can then be arbitrarily modified. (CVE-2012-4466)

A flaw was found in the method for translating an exception message into a string in the Ruby Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4464)

It was found that ruby_parser from rubygem-ruby_parser created a temporary file in an insecure way. A local attacker could use this flaw to perform a symbolic link attack, overwriting arbitrary files accessible to the application using ruby_parser. (CVE-2013-0162)

The CVE-2013-0162 issue was discovered by Michael Scherer of the Red Hat Regional IT team.

Users are advised to upgrade to Red Hat OpenShift Enterprise 1.1.1.

CVE-2011-0188 The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an 'integer truncation issue.'

CVE-2011-2705 use upstream SVN r32050 to modify PRNG state to prevent random number sequence repeatation at forked child process which has same pid. Reported by Eric Wong.

CVE-2012-4522 The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected names via a NUL byte in a file path.

CVE-2013-0256 darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.

CVE-2013-2065 (1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent attackers to bypass intended $SAFE level restrictions.

CVE-2015-1855 OpenSSL extension hostname matching implementation violates RFC 6125

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ruby19 was updated to fix various bugs and security issues: Update to 1.9.3 p385 (bnc#802406)

  - XSS exploit of RDoc documentation generated by rdoc     (CVE-2013-0256)

  - for other changes see     /usr/share/doc/packages/ruby19/Changelog

Update to 1.9.3 p327 (bnc#789983)

  - CVE-2012-5371 and plenty of other fixes

Update to 1.9.3 p286 (bnc#783511, bnc#791199)

  - This release includes some security fixes, and many     other bug fixes. $SAFE escaping vulnerability about     Exception#to_s / NameError#to_s (CVE-2012-4464,     CVE-2012-4466)

  - Unintentional file creation caused by inserting an     illegal NUL character many other bug fixes.
    (CVE-2012-4522) Also following bugfixes and packaging     fixes were done :

  - make sure the rdoc output is more stable for     build-compare (new patch ruby-sort-rdoc-output.patch)

  - readd the private header *atomic.h

  - remove build depencency on ca certificates - only     causing cycles

  - one more header needed for rubygem-ruby-debug-base19

  - install vm_core.h and its dependencies as     ruby-devel-extra

  - move the provides to the ruby package instead

  - add provides for the internal gems

  - restore the old ruby macros and the gem wrapper script

  - gem_install_wrapper no longer necessary

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2013-0129 advisory.

    - unintentional file creation caused by inserting an illegal NUL character
      * ruby-1.8.6-CVE-2012-4522-io.c-pipe_open-command-name-should-not-contain-null-.patch
      - Related: rhbz#867750
    -  escaping vulnerability about Exception#to_s / NameError#to_s
      * ruby-1.8.7-p371-CVE-2012-4481.patch
      - Resolves: rhbz#867750
    - unintentional file creation caused by inserting an illegal NUL character
      * ruby-1.8.6-CVE-2012-4522-io.c-rb_open_file-should-check-NUL-in-path.patch
      - Resolves: rhbz#867750

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The ruby interpreter received a fix for two security issues :

  - Ruby's $SAFE mechanism enables untrusted user codes to     run in $SAFE >= 4 mode. This is a kind of sandboxing so     some operations are restricted in that mode to protect     other data outside the sandbox. (CVE-2012-4466)

    The problem found was around this mechanism.
    Exception#to_s, NameError#to_s, and name_err_mesg_to_s()     interpreter-internal API was not correctly handling the     $SAFE bits so a String object which is not tainted can     destructively be marked as tainted using them. By using     this an untrusted code in a sandbox can modify a     formerly-untainted string destructively.

    http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-446     4-cve-2012-4466/

  - Ruby before 1.8.7-p352 does not reset the random seed     upon forking, which makes it easier for     context-dependent attackers to predict the values of     random numbers by leveraging knowledge of the number     sequence obtained in a different child process.
    (CVE-2011-2686)

  - Fix entity expansion DoS vulnerability in REXML. When     reading text nodes from an XML document, the REXML     parser could be coerced into allocating extremely large     string objects which could consume all available memory     on the system. (CVE-2013-1821)

The ruby interpreter received a fix for a security issue :

  - Ruby's $SAFE mechanism enables untrusted user codes to     run in $SAFE >= 4 mode. This is a kind of sandboxing so     some operations are restricted in that mode to protect     other data outside the sandbox. (CVE-2012-4466)

    The problem found was around this mechanism.
    Exception#to_s, NameError#to_s, and name_err_mesg_to_s()     interpreter-internal API was not correctly handling the     $SAFE bits so a String object which is not tainted can     destructively be marked as tainted using them. By using     this an untrusted code in a sandbox can modify a     formerly-untainted string destructively.

    http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-446     4-cve-2012-4466/

It was found that certain methods did not sanitize file names before passing them to lower layer routines in Ruby. If a Ruby application created files with names based on untrusted input, it could result in the creation of files with different names than expected.
(CVE-2012-4522)

It was found that the SLSA-2011:0909 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4481)

This update also fixes the following bug :

  - Prior to this update, the 'rb_syck_mktime' option could,     under certain circumstances, terminate with a     segmentation fault when installing libraries with     certain gems. This update modifies the underlying code     so that Ruby gems can be installed as expected.

Updated ruby packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks.

It was found that certain methods did not sanitize file names before passing them to lower layer routines in Ruby. If a Ruby application created files with names based on untrusted input, it could result in the creation of files with different names than expected.
(CVE-2012-4522)

It was found that the RHSA-2011:0909 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4481)

The CVE-2012-4481 issue was discovered by Vit Ondruch of Red Hat.

This update also fixes the following bug :

* Prior to this update, the 'rb_syck_mktime' option could, under certain circumstances, terminate with a segmentation fault when installing libraries with certain gems. This update modifies the underlying code so that Ruby gems can be installed as expected.
(BZ#834381)

All users of Ruby are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2013:0129 advisory.

  - ruby: Incomplete fix for CVE-2011-1005 for NameError#to_s method when used on objects (CVE-2012-4481)

  - ruby: unintentional file creation caused by inserting an illegal NUL character (CVE-2012-4522)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The official ruby site reports :

A vulnerability was found that file creation routines can create unintended files by strategically inserting NUL(s) in file paths. This vulnerability has been reported as CVE-2012-4522.

Ruby can handle arbitrary binary patterns as Strings, including NUL chars. On the other hand OSes and other libraries tend not. They usually treat a NUL as an End of String mark. So to interface them with Ruby, NUL chars should properly be avoided.

However methods like IO#open did not check the filename passed to them, and just passed those strings to lower layer routines. This led to create unintentional files.

Tyler Hicks and Shugo Maeda discovered that Ruby incorrectly allowed untainted strings to be modified in protective safe levels. An attacker could use this flaw to bypass intended access restrictions.
USN-1602-1 fixed these vulnerabilities in other Ubuntu releases. This update provides the corresponding updates for Ubuntu 12.10.
(CVE-2012-4464, CVE-2012-4466)

Peter Bex discovered that Ruby incorrectly handled file path strings when opening files. An attacker could use this flaw to open or create unexpected files. (CVE-2012-4522).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New version 1.9.3 patchlevel 286 is released.

A potential security flaw was found on the previous ruby that using crafted string might lead to unintentional file creation. This new rpm will fix this issue.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124931	EulerOS Virtualization 3.0.1.0 : ruby (EulerOS-SA-2019-1428)	Nessus	Huawei Local Security Checks	critical
119432	RHEL 6 : openshift (RHSA-2013:0582)	Nessus	Red Hat Local Security Checks	high
83907	Debian DLA-235-1 : ruby1.9.1 security update	Nessus	Debian Local Security Checks	medium
74909	openSUSE Security Update : ruby19 (openSUSE-SU-2013:0376-1)	Nessus	SuSE Local Security Checks	medium
68700	Oracle Linux 5 : ruby (ELSA-2013-0129)	Nessus	Oracle Linux Local Security Checks	high
65799	SuSE 10 Security Update : ruby (ZYPP Patch Number 8524)	Nessus	SuSE Local Security Checks	medium
65248	SuSE 11.2 Security Update : ruby (SAT Patch Number 7386)	Nessus	SuSE Local Security Checks	medium
63603	Scientific Linux Security Update : ruby on SL5.x i386/x86_64 (20130108)	Nessus	Scientific Linux Local Security Checks	medium
63574	CentOS 5 : ruby (CESA-2013:0129)	Nessus	CentOS Local Security Checks	medium
63410	RHEL 5 : ruby (RHSA-2013:0129)	Nessus	Red Hat Local Security Checks	high
62792	FreeBSD : ruby -- Unintentional file creation caused by inserting an illegal NUL character (3decc87d-2498-11e2-b0c7-000d601460a4)	Nessus	FreeBSD Local Security Checks	medium
62661	Ubuntu 12.04 LTS / 12.10 : ruby1.9.1 vulnerabilities (USN-1614-1)	Nessus	Ubuntu Local Security Checks	medium
62648	Fedora 17 : ruby-1.9.3.286-18.fc17 (2012-16086)	Nessus	Fedora Local Security Checks	medium
62607	Fedora 18 : ruby-1.9.3.286-19.fc18 (2012-16071)	Nessus	Fedora Local Security Checks	medium

Detections

Analytics

CVE-2012-4522

high

Tenable Plugins

critical

high

medium

medium

high

medium

medium

medium

medium

high

medium

medium

medium

medium