Bug #8750

closed

unit test fix for CVE-2013-4073 seems to be incomplete

Added by terceiro (Antonio Terceiro) over 10 years ago. Updated over 10 years ago.

Status: Closed
Assignee: -
Target version: -
ruby -v: trunk
[ruby-core:56437]

Description

Hello, I was just testing some Ruby versions against the hostname check bypassing vulnerability in SSL client (CVE-2013-4073), and it looks like the unit test added together with the fix for that issue passes even without that patch applied.

I noticed that the tampered input is using single quotes, as in
'www.example.com\0.evil.com'

I could only make those tests fail when I switched the single quotes into single quotes. This should probably apply to 1.9.3 and 2.0.0 as well.


Files

8750.patch (1.39 KB), terceiro (Antonio Terceiro), 08/08/2013 05:43 AM
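
The quoting effect behind this report, as an added example that is not part of the original report or of Ruby's test suite: in Ruby a single-quoted `\0` is a backslash followed by `0`, while a double-quoted `\0` is a real NUL byte. `legacy_match?` and `strict_match?` are hypothetical, simplified stand-ins for an unpatched and a patched hostname check (they are not Ruby's OpenSSL code), used only to show when a regression test can tell the two apart.

```ruby
# Simplified model (assumption): the unpatched check sees a certificate name
# the way a NUL-terminated C string reader would, i.e. cut at the first NUL.
def legacy_match?(cert_name, hostname)
  visible = cert_name.split("\0", 2).first.to_s
  visible.casecmp?(hostname) == true
end

# Simplified model (assumption): the patched check compares the full byte
# string and refuses any name that carries an embedded NUL.
def strict_match?(cert_name, hostname)
  return false if cert_name.include?("\0")
  cert_name.casecmp?(hostname) == true
end

# Does the fixture contain a NUL byte at all?
def exercises_nul_path?(fixture)
  fixture.include?("\0")
end

# A regression test for the fix is only meaningful if the unpatched and the
# patched check give different answers for the fixture.
def detects_regression?(fixture, hostname)
  legacy_match?(fixture, hostname) != strict_match?(fixture, hostname)
end

# Constructed fixtures, using the name quoted in the report.
SINGLE_QUOTED = 'www.example.com\0.evil.com' # backslash + "0": no NUL byte
DOUBLE_QUOTED = "www.example.com\0.evil.com" # contains a real NUL byte

def report
  { "single-quoted" => SINGLE_QUOTED, "double-quoted" => DOUBLE_QUOTED }.map do |label, fx|
    format("%-13s bytes=%d nul=%-5s legacy=%-5s strict=%-5s detects_regression=%s",
           label, fx.bytesize, exercises_nul_path?(fx),
           legacy_match?(fx, "www.example.com"),
           strict_match?(fx, "www.example.com"),
           detects_regression?(fx, "www.example.com"))
  end
end

puts report if __FILE__ == $PROGRAM_NAME
```

With the single-quoted fixture both models reject the name, so an assertion that verification fails holds with or without the fix; only the fixture with a real NUL byte separates the two.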