Posted by mame on 1 Oct 2019
A NUL injection vulnerability in Ruby built-in methods (File.fnmatch?) was found. An attacker who controls the path pattern parameter could exploit this vulnerability to make path matching pass despite the intention of the program author.
CVE-2019-15845 has been assigned to this vulnerability.
File.fnmatch and its alias File.fnmatch? accept the path pattern as their first parameter. When the pattern contains a NUL character (\0), the methods treat the path pattern as ending immediately before the NUL byte. Therefore, in a script that uses external input as the pattern argument, an attacker can make it wrongly match the pathname given as the second parameter.
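For code that must keep running on an affected release until it can be upgraded, the following added example (not part of the original advisory or of Ruby itself) rejects NUL bytes in an externally supplied pattern before it reaches File.fnmatch?. The helper names safe_fnmatch? and check_request, the ".log" suffix policy and the sample inputs are assumptions constructed for illustration.

```ruby
# Added example: reject NUL bytes before a pattern reaches File.fnmatch?.
# safe_fnmatch? and check_request are hypothetical helper names.

# Raises ArgumentError when the pattern carries a NUL byte, so an affected
# Ruby never gets the chance to treat the NUL as the end of the pattern.
def safe_fnmatch?(pattern, path, flags = 0)
  pattern = String(pattern)
  if pattern.b.include?("\0")
    raise ArgumentError, "fnmatch pattern contains a NUL byte"
  end
  File.fnmatch?(pattern, path, flags)
end

# Constructed scenario: the application intends to match only "*.log" names
# by appending a fixed suffix to an externally supplied prefix.
def check_request(prefix, path)
  safe_fnmatch?("#{prefix}.log", path) ? :match : :no_match
rescue ArgumentError
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: [external prefix, path being checked].
  # In the last pair the NUL would cut the pattern down to "app" on an
  # affected release, so the unguarded call would match the path "app".
  [["app", "app.log"], ["app", "app"], ["app\0", "app"]].each do |prefix, path|
    puts "#{prefix.inspect} vs #{path.inspect}: #{check_request(prefix, path)}"
  end
end
```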
All users running any affected releases should upgrade as soon as possible.
- All releases that are Ruby 2.3 or earlier
- Ruby 2.4 series: Ruby 2.4.7 or earlier
- Ruby 2.5 series: Ruby 2.5.6 or earlier
- Ruby 2.6 series: Ruby 2.6.4 or earlier
- Ruby 2.7.0-preview1
- prior to master commit a0a2640b398cffd351f87d3f6243103add66575b
Thanks to ooooooo_q for discovering this issue.
- Originally published at 2019-10-01 11:00:00 (UTC)