Описание
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open methods are not checked for null characters. It may be connected to an unintended socket.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| ruby2.5 | fixed | 2.5.1-1 | package | |
| ruby2.3 | removed | package | ||
| ruby2.1 | removed | package | ||
| ruby1.9.1 | removed | package | ||
| ruby1.8 | removed | package |
Примечания
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/
https://hackerone.com/reports/302997
Fixed by: https://github.com/ruby/ruby/commit/8794dec6a5f11adc5cdd19a5ee91ea6b0816763f
Fixed by: https://github.com/ruby/ruby/commit/47165eed264d357e78e27371cfef20d5c2bde5d9 (2.2.10)
ruby1.8: test examples from hackerone doesn't work. ext/socket/socket.c:init_unixsock() uses SafeStringValue(path) though.
Связанные уязвимости
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open methods are not checked for null characters. It may be connected to an unintended socket.
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open methods are not checked for null characters. It may be connected to an unintended socket.
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open methods are not checked for null characters. It may be connected to an unintended socket.
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open methods are not checked for null characters. It may be connected to an unintended socket.
Уязвимость методов UNIXServer.open и UNIXSocket.open интерпретатора языка программирования Ruby, позволяющая нарушителю обойти ограничения безопасности