FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

ruby -- multiple vulnerabilities

Affected packages
2.3.0,1 <= ruby < 2.3.7,1
2.4.0,1 <= ruby < 2.4.4,1
2.5.0,1 <= ruby < 2.5.1,1

Details

VuXML ID eb69bcf2-18ef-4aa2-bb0c-83b263364089
Discovery 2018-03-28
Entry 2018-03-29

Ruby news:

CVE-2017-17742: HTTP response splitting in WEBrick

If a script accepts an external input and outputs it without modification as a part of HTTP responses, an attacker can use newline characters to deceive the clients into believing that the HTTP response header ends there, and can inject fake HTTP responses after the newline characters to show malicious contents to the clients.

CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir

The Dir.mktmpdir method introduced by the tmpdir library accepts the prefix and the suffix of the directory which is created as the first parameter. The prefix can contain relative directory specifiers "../", so this method can be used to target any directory. So, if a script accepts an external input as the prefix, and the targeted directory has inappropriate permissions or the ruby process has inappropriate privileges, the attacker can create a directory or a file at any directory.

CVE-2018-8777: DoS by large request in WEBrick

If an attacker sends a large request which contains huge HTTP headers, WEBrick tries to process it in memory, so the request causes an out-of-memory DoS attack.

CVE-2018-8778: Buffer under-read in String#unpack

String#unpack receives format specifiers as its parameter, and the position at which the data is parsed can be specified with the specifier @. If a big number is passed with @, the number is treated as a negative value, and an out-of-buffer read occurs. So, if a script accepts an external input as the argument of String#unpack, the attacker can read data on heaps.

CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket

UNIXServer.open accepts the path of the socket to be created as the first parameter. If the path contains NUL (\0) bytes, this method recognizes that the path is completed before the NUL bytes. So, if a script accepts an external input as the argument of this method, the attacker can make the socket file in the unintentional path. And, UNIXSocket.open also accepts the path of the socket to be created as the first parameter without checking NUL bytes like UNIXServer.open. So, if a script accepts an external input as the argument of this method, the attacker can accept the socket file in the unintentional path.

CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir

Dir.open, Dir.new, Dir.entries and Dir.empty? accept the path of the target directory as their parameter. If the parameter contains NUL (\0) bytes, these methods recognize that the path is completed before the NUL bytes. So, if a script accepts an external input as the argument of these methods, the attacker can cause unintentional directory traversal.
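
Several of the issues quoted above share the precondition "a script accepts an external input" and passes it to the affected API. The following is an added example, not code from the Ruby advisories or from this VuXML entry, showing application-side checks that reject such input regardless of interpreter version. The module name, method names and the format allowlist are hypothetical. It complements upgrading to a fixed ruby package and does not replace it.

```ruby
# Added example: validate untrusted values before they reach the APIs named
# in this entry. All names here are hypothetical, not part of Ruby's stdlib.
module UntrustedInput
  class Rejected < ArgumentError; end

  module_function

  # CVE-2017-17742: a value echoed into an HTTP header must not carry CR or LF.
  def header_value(value)
    s = String(value)
    raise Rejected, "CR/LF in header value" if s.include?("\r") || s.include?("\n")
    s
  end

  # CVE-2018-8779 / CVE-2018-8780: a path handed to UNIXServer, UNIXSocket
  # or Dir must not carry a NUL byte.
  def path(value)
    s = String(value)
    raise Rejected, "NUL byte in path" if s.include?("\0")
    s
  end

  # CVE-2018-6914: a Dir.mktmpdir / Tempfile prefix or suffix must be a plain
  # name fragment, with no separators and no parent-directory specifier.
  def tmp_affix(value)
    s = path(value)
    if s.include?("/") || s.include?("\\") || s.include?("..")
      raise Rejected, "separator or '..' in tmpdir prefix/suffix"
    end
    s
  end

  # CVE-2018-8778: never pass an external string as a String#unpack format.
  # Map a caller-supplied name onto a fixed allowlist (constructed sample).
  UNPACK_FORMATS = { "u32be" => "N", "u16le" => "v" }.freeze

  def unpack_format(name)
    UNPACK_FORMATS.fetch(String(name)) { raise Rejected, "unknown unpack format" }
  end

  # Helper: true when the given block rejects its input.
  def rejected?
    yield
    false
  rescue Rejected
    true
  end
end
```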

References

CVE Name CVE-2017-17742
CVE Name CVE-2018-6914
CVE Name CVE-2018-8777
CVE Name CVE-2018-8778
CVE Name CVE-2018-8779
CVE Name CVE-2018-8780
URL https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
URL https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
URL https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/
URL https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/
URL https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/
URL https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released/
URL https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released/
URL https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released/
URL https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/