FreeBSD : ruby -- $SAFE escaping vulnerability about Exception#to_s/NameError#to_s (2a093853-2495-11e2-b0c7-000d601460a4)

This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

The official ruby site reports :

Vulnerabilities found for Exception#to_s, NameError#to_s, and
name_err_mesg_to_s() which is Ruby interpreter-internal API. A
malicious user code can bypass $SAFE check by utilizing one of those
security holes.

Ruby's $SAFE mechanism enables untrusted user codes to run in $SAFE >=
4 mode. This is a kind of sandboxing so some operations are restricted
in that mode to protect other data outside the sandbox.

The problem found was around this mechanism. Exception#to_s,
NameError#to_s, and name_err_mesg_to_s() interpreter-internal API was
not correctly handling the $SAFE bits so a String object which is not
tainted can destructively be marked as tainted using them. By using
this an untrusted code in a sandbox can modify a formerly-untainted
string destructively.

Ruby 1.8 once had a similar security issue. It fixed Exception#to_s
and NameError#to_s, but name_err_mesg_to_str() issue survived previous
security fix

See also :

http://www.nessus.org/u?23ace916
https://access.redhat.com/security/cve/CVE-2012-4464/
http://www.nessus.org/u?4fa420d4

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 62791 ()

Bugtraq ID:

CVE ID: CVE-2012-4464
CVE-2012-4466

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now