Posted by usa on 17 Oct 2018
In Array#pack and String#unpack with some formats, the tainted flags
of the original data are not propagated to the returned string/array.
This vulnerability has been assigned the CVE identifier
CVE-2018-16396.
Details
The Array#pack method converts the receiver’s contents into a string with
a specified format. If the receiver contains some tainted objects, the
returned string also should be tainted. The String#unpack method which
converts the receiver into an array also should propagate its tainted
flag to the objects contained in the returned array.
But, with the B, b, H, and h directives, the tainted flags are not
propagated. So, if a script processes unreliable inputs by Array#pack
and/or String#unpack with these directives and checks the reliability
with tainted flags, the check might be wrong.
All users running an affected release should upgrade immediately.
Affected Versions
- Ruby 2.3 series: 2.3.7 and earlier
- Ruby 2.4 series: 2.4.4 and earlier
- Ruby 2.5 series: 2.5.1 and earlier
- Ruby 2.6 series: 2.6.0-preview2 and earlier
- prior to trunk revision r65125
Credit
Thanks to Chris Seaton for reporting the issue.
History
- Originally published at 2018-10-17 14:00:00 (UTC)