# Security

If you find a vulnerability in TruffleRuby, please report it to [email protected] and CC [email protected].

## MRI Vulnerabilities

Vulnerabilities reported against MRI may apply to the design of Ruby or to code that we share with MRI. We list reported MRI vulnerabilities here and document how MRI mitigated each one, whether that mitigation is covered by a test, and how TruffleRuby mitigates it.

Note that todo means we have not yet researched and filled in the details; it says nothing about whether or not we believe TruffleRuby is vulnerable.

Cross-reference with the details on the MRI website https://www.ruby-lang.org/en/security/.

| Number | Description | Their Mitigation | Test | Our Mitigation |
|---|---|---|---|---|
| CVE-2018-6914 | Unintentional file and directory creation with directory traversal in tempfile and tmpdir | Sanitation of paths | Tested in ruby/spec :security | Sanitation of paths |
| CVE-2018-8779 | Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket | Check for NUL bytes | Tested in ruby/spec :security | Check for NUL bytes |
| CVE-2018-8780 | Unintentional directory traversal by poisoned NUL byte in Dir | Check for NUL bytes | Tested in ruby/spec :security | Check for NUL bytes |
| CVE-2018-8777 | DoS by large request in WEBrick | Logic for header length | Tested in MRI test/webrick/test_httpserver.rb | Sanitation of paths |
| CVE-2017-17742 | HTTP response splitting in WEBrick | Logic for invalid headers | Tested in ruby/spec :security | Sanitation of paths |
| CVE-2018-8778 | Buffer under-read in String#unpack | A range check | Tested in ruby/spec :security | A range check |
| CVE-2017-17405 | Command injection vulnerability in Net::FTP | todo | todo | todo |
| CVE-2017-10784 | Escape sequence injection vulnerability in the Basic authentication of WEBrick | todo | todo | todo |
| CVE-2017-0898 | Buffer underrun vulnerability in Kernel.sprintf | todo | todo | todo |
| CVE-2017-14033 | Buffer underrun vulnerability in OpenSSL ASN1 decode | todo | todo | todo |
| CVE-2017-14064 | Heap exposure vulnerability in generating JSON | todo | todo | todo |
| CVE-2017-0902, CVE-2017-0899, CVE-2017-0900, CVE-2017-0901 | Multiple vulnerabilities in RubyGems | todo | todo | todo |
| CVE-2015-7551 | Unsafe tainted string usage in Fiddle and DL | todo | todo | todo |
| CVE-2015-1855 | Ruby OpenSSL Hostname Verification | todo | todo | todo |
| CVE-2014-8090 | Another Denial of Service XML Expansion | todo | todo | todo |
| CVE-2014-8080 | Denial of Service XML Expansion | todo | Tested in ruby/spec :security | todo |
| None | Changed default settings of ext/openssl | todo | todo | todo |
| CVE-2014-2734 | Dispute of Vulnerability | todo | todo | todo |
| CVE-2014-0160 | OpenSSL Severe Vulnerability in TLS Heartbeat Extension | todo | todo | todo |
| CVE-2014-2525 | Heap Overflow in YAML URI Escape Parsing | todo | todo | todo |
| CVE-2013-4164 | Heap Overflow in Floating Point Parsing | todo | Tested in ruby/spec :security | todo |
| CVE-2013-4073 | Hostname check bypassing vulnerability in SSL client | todo | todo | todo |
| CVE-2013-2065 | Object taint bypassing in DL and Fiddle in Ruby | todo | todo | todo |
| CVE-2013-1821 | Entity expansion DoS vulnerability in REXML | todo | todo | todo |
| CVE-2013-0269 | Denial of Service and Unsafe Object Creation Vulnerability in JSON | todo | todo | todo |
| CVE-2013-0256 | XSS exploit of RDoc documentation generated by rdoc | todo | todo | todo |
| CVE-2012-5371 | Hash-flooding DoS vulnerability for ruby 1.9 | todo | todo | todo |
| CVE-2012-4522 | Unintentional file creation caused by inserting an illegal NUL character | todo | todo | todo |
| CVE-2012-4464, CVE-2012-4466 | $SAFE escaping vulnerability about Exception#to_s / NameError#to_s | todo | todo | todo |
| None | Security Fix for RubyGems: SSL server verification failure for remote repository | todo | todo | todo |
| CVE-2011-3389 | Security Fix for Ruby OpenSSL module: Allow 0/n splitting as a prevention for the TLS BEAST attack | todo | todo | todo |
| CVE-2011-4815 | Denial of service attack was found for Ruby's Hash algorithm (cross-reference CVE-2011-4838, CVE-2012-5370, CVE-2012-5372) | Hashes are made non-deterministic by incorporating process start time | Tested in ruby/spec :security | Hashes are made non-deterministic by incorporating a seed from /dev/random |
| None | Exception methods can bypass $SAFE | todo | todo | todo |
| None | FileUtils is vulnerable to symlink race attacks | todo | todo | todo |
| CVE-2010-0541 | XSS in WEBrick | todo | todo | todo |
| None | Buffer over-run in ARGF.inplace_mode= | todo | todo | todo |
| None | WEBrick has an Escape Sequence Injection vulnerability | todo | todo | todo |
| CVE-2009-4124 | Heap overflow in String | todo | todo | todo |
| None | DoS vulnerability in BigDecimal | todo | todo | todo |
| None | DoS vulnerability in REXML | todo | todo | todo |
| CVE-2008-1447 | Multiple vulnerabilities in Ruby | todo | todo | todo |
| CVE-2008-2662, CVE-2008-2663, CVE-2008-2725, CVE-2008-2726, CVE-2008-2664, CVE-2008-1891 | Arbitrary code execution vulnerabilities | todo | todo | todo |
| None | File access vulnerability of WEBrick | todo | todo | todo |
| None | Net::HTTPS Vulnerability | todo | todo | todo |
| JVN#84798830 | Another DoS Vulnerability in CGI Library | todo | todo | todo |
| CVE-2006-5467 | DoS Vulnerability in CGI Library | todo | todo | todo |
| VU#160012 | Ruby vulnerability in the safe level settings | todo | todo | todo |
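Two of the mitigations in the table, the NUL-byte check behind CVE-2018-8779 and CVE-2018-8780 and the path sanitation behind CVE-2018-6914, are small enough to show in code. The Ruby below is an added example, not TruffleRuby's or MRI's implementation; the function names are assumptions, and `core_rejects_nul_path?` only probes the behaviour the running Ruby's `File.exist?` already has.

```ruby
require "tmpdir"

# A path handed to the OS is read as a C string, so anything after the first
# NUL byte is silently dropped and the path the OS opens is not the path the
# program validated. MRI rejects such strings with ArgumentError; this
# function mirrors that check (constructed for the example).
def reject_nul_bytes!(path)
  raise ArgumentError, "string contains null byte" if path.include?("\0")
  path
end

# Confirms that the running Ruby already enforces the check in its core
# File methods (true on MRI and, per the table above, on TruffleRuby).
def core_rejects_nul_path?
  File.exist?("probe\0.txt")
  false
rescue ArgumentError
  true
end

# A caller-supplied basename for a temporary file must not be able to escape
# the target directory: no NUL bytes, no separators, no "." or "..".
def sanitize_tmp_basename(name)
  reject_nul_bytes!(name)
  separators = [File::SEPARATOR, File::ALT_SEPARATOR].compact
  if name.empty? || name == "." || name == ".." ||
     separators.any? { |sep| name.include?(sep) }
    raise ArgumentError, "unsafe basename: #{name.inspect}"
  end
  name
end

# Joins the sanitised basename onto +dir+ and re-checks, independently of the
# sanitiser, that the result still lies inside +dir+ (defence in depth).
def safe_tmp_path(name, dir = Dir.tmpdir)
  path = File.join(dir, sanitize_tmp_basename(name))
  base = File.expand_path(dir)
  unless File.expand_path(path).start_with?(base + File::SEPARATOR)
    raise ArgumentError, "#{path.inspect} escapes #{base}"
  end
  path
end

if $PROGRAM_NAME == __FILE__
  puts "core File methods reject NUL: #{core_rejects_nul_path?}"
  puts "accepted: #{safe_tmp_path('report.csv')}"
  # Constructed inputs that every layer above must refuse.
  ["../escape", "sub/dir", "..", "evil\0.txt", ""].each do |bad|
    begin
      safe_tmp_path(bad)
    rescue ArgumentError => e
      puts "rejected #{bad.inspect}: #{e.message}"
    end
  end
end
```

The two-layer shape is deliberate: the sanitiser rejects the inputs it knows about, and the containment check after `File.join` catches anything the sanitiser missed, so a gap in one layer does not become a traversal.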

## JRuby Vulnerabilities

TruffleRuby uses code from JRuby, so vulnerabilities reported against JRuby may apply to TruffleRuby.

| Number | Description | Their Mitigation | Test | Our Mitigation |
|---|---|---|---|---|
| CVE-2012-5370 | JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably (cross-reference CVE-2011-4815, CVE-2011-4838, CVE-2012-5372) | Hashes are made non-deterministic by incorporating process start time | Tested in ruby/spec :security | Hashes are made non-deterministic by incorporating a seed from /dev/random |
| CVE-2011-4838 | JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably (cross-reference CVE-2011-4815, CVE-2012-5370, CVE-2012-5372) | Hashes are made non-deterministic by incorporating process start time | Tested in ruby/spec :security | Hashes are made non-deterministic by incorporating a seed from /dev/random |
| CVE-2010-1330 | The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character | todo | todo | todo |

## Rubinius Vulnerabilities

TruffleRuby uses code from Rubinius, so vulnerabilities reported against Rubinius may apply to TruffleRuby.

| Number | Description | Their Mitigation | Test | Our Mitigation |
|---|---|---|---|---|
| CVE-2012-5372 | Rubinius computes hash values without properly restricting the ability to trigger hash collisions predictably (cross-reference CVE-2011-4815, CVE-2011-4838, CVE-2012-5370) | Hashes are made non-deterministic by incorporating output from /dev/urandom | Tested in ruby/spec :security | Hashes are made non-deterministic by incorporating a seed from /dev/random |

## Java Dependency Vulnerabilities

### JONI

We are not aware of any known vulnerabilities.

### JCodings

We are not aware of any known vulnerabilities.

## Other Dependency Vulnerabilities

### zlib

We are not aware of any known vulnerabilities, but consider potential vulnerabilities in your system zlib.

### libssl

Consider potential vulnerabilities in your system libssl.

### FFI

We are not aware of any known vulnerabilities.

## Notes on hashing

TruffleRuby uses MurmurHash2 hashing with a seed from Java's SecureRandom (probably /dev/random); it cannot be configured to use any other hashing algorithm. For hashing strings we use Java's hash algorithm and then apply MurmurHash2 on top of that result.
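To make the scheme above concrete, here is an added Ruby example (not TruffleRuby's implementation, which lives in Java) of a seeded 32-bit MurmurHash2 with a per-process seed from a CSPRNG, layered over a string hash. Assumptions: Ruby's `SecureRandom` stands in for Java's `SecureRandom`, `java_string_hash` reimplements the `String.hashCode` recurrence as the "Java hash algorithm" the note refers to, and all function and constant names are invented for the example.

```ruby
require "securerandom"

MASK32   = 0xffffffff
MURMUR_M = 0x5bd1e995 # MurmurHash2 multiplier
MURMUR_R = 24         # MurmurHash2 per-block shift

# Reference 32-bit MurmurHash2 (little-endian), keyed by +seed+.
# Constructed for this example, not TruffleRuby's code.
def murmur2(data, seed)
  bytes = data.b.bytes
  len   = bytes.length
  h     = (seed ^ len) & MASK32
  i     = 0
  # Mix four bytes at a time.
  while len - i >= 4
    k = bytes[i] | (bytes[i + 1] << 8) | (bytes[i + 2] << 16) | (bytes[i + 3] << 24)
    k = (k * MURMUR_M) & MASK32
    k ^= k >> MURMUR_R
    k = (k * MURMUR_M) & MASK32
    h = (h * MURMUR_M) & MASK32
    h ^= k
    i += 4
  end
  # Fold in the 1..3 trailing bytes (the fall-through switch of the C original).
  rem = len - i
  h ^= bytes[i + 2] << 16 if rem >= 3
  h ^= bytes[i + 1] << 8  if rem >= 2
  if rem >= 1
    h ^= bytes[i]
    h = (h * MURMUR_M) & MASK32
  end
  # Final avalanche.
  h ^= h >> 13
  h = (h * MURMUR_M) & MASK32
  h ^= h >> 15
  h
end

# Java's String.hashCode recurrence (h = 31*h + c over UTF-16 code units),
# kept as an unsigned 32-bit value. Assumed to be the "Java hash algorithm"
# the note refers to.
def java_string_hash(str)
  str.encode("UTF-16LE").unpack("v*").reduce(0) { |h, c| (31 * h + c) & MASK32 }
end

# Per-process secret seed, drawn once at startup from a CSPRNG. Ruby's
# SecureRandom stands in for Java's SecureRandom here (assumption).
HASH_SEED = SecureRandom.random_number(2**32)

# Two-stage string hash as described in the note: plain string hash first,
# then seeded MurmurHash2 over its four little-endian bytes.
def seeded_hash(str, seed = HASH_SEED)
  murmur2([java_string_hash(str)].pack("V"), seed)
end

# Which bucket each key would land in for a table of +buckets+ slots.
# Used below to show that the layout depends on the seed.
def bucket_layout(keys, seed, buckets = 16)
  keys.to_h { |k| [k, seeded_hash(k, seed) % buckets] }
end

if $PROGRAM_NAME == __FILE__
  keys = %w[user session token csrf cart order invoice ticket] # constructed sample keys
  puts "seed A: #{bucket_layout(keys, 0x1234_5678)}"
  puts "seed B: #{bucket_layout(keys, 0x8765_4321)}"
  puts "process seed (kept secret in a real runtime): #{HASH_SEED}"
end
```

The bucket layout is what matters for the hash-flooding entries in the tables above: a set of keys that all land in one bucket under one seed is scattered under another, so a collision set prepared offline against a known or predictable seed does nothing against a process whose seed was drawn from a CSPRNG at startup and never exposed.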