CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
Posted by mame on 1 Oct 2019
A NUL injection vulnerability in the Ruby built-in methods File.fnmatch and File.fnmatch? was found. An attacker who controls the path pattern parameter could exploit this vulnerability to make path matching succeed against the intention of the program author.
CVE-2019-15845 has been assigned to this vulnerability.
Details
The built-in method File.fnmatch and its alias File.fnmatch? accept the path pattern as their first parameter. When the pattern contains a NUL character (\0), the methods treat the path pattern as ending immediately before the NUL byte. Therefore, in a script that uses external input as the pattern argument, an attacker can make it wrongly match the pathname passed as the second parameter.
All users running any affected releases should upgrade as soon as possible.
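As an added defensive example (not code from the advisory or from Ruby itself), the wrapper below rejects NUL bytes before calling File.fnmatch, so an allowlist check built on it fails closed even on an unpatched interpreter; the helper names and the sample allowlist patterns are assumptions made for this example:

```ruby
# Added example: explicit NUL-byte validation around File.fnmatch for patterns
# that originate from untrusted input. Patched Ruby releases already raise
# ArgumentError when the pattern contains a NUL byte; performing the check here
# gives the same fail-closed behaviour on releases that silently truncate.
def safe_fnmatch(pattern, path, flags = 0)
  raise ArgumentError, "pattern contains NUL byte" if pattern.include?("\0")
  raise ArgumentError, "path contains NUL byte" if path.include?("\0")
  File.fnmatch(pattern, path, flags)
end

# Shows the effective pattern that an affected release would actually match on:
# everything before the first NUL byte (the behaviour described in this advisory).
def pattern_as_seen_by_vulnerable_fnmatch(pattern)
  pattern.split("\0", 2).first || ""
end

# Allowlist check that fails closed: an invalid (NUL-containing) pattern or path
# is treated as "not allowed" rather than raising into the caller.
def allowed_path?(allowed_patterns, path)
  allowed_patterns.any? { |pat| safe_fnmatch(pat, path) }
rescue ArgumentError
  false
end
```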
Affected Versions
- All releases that are Ruby 2.3 or earlier
- Ruby 2.4 series: Ruby 2.4.7 or earlier
- Ruby 2.5 series: Ruby 2.5.6 or earlier
- Ruby 2.6 series: Ruby 2.6.4 or earlier
- Ruby 2.7.0-preview1
- prior to master commit a0a2640b398cffd351f87d3f6243103add66575b
Acknowledgement
Thanks to ooooooo_q for discovering this issue.
History
- Originally published at 2019-10-01 11:00:00 (UTC)