From: "terceiro (Antonio Terceiro)" <terceiro@...>
Date: 2013-08-08T05:43:55+09:00
Subject: [ruby-core:56438] [ruby-trunk - Bug #8750] unit test fix for	CVE-2013-4073 seems to be incomplete


Issue #8750 has been updated by terceiro (Antonio Terceiro).

File 8750.patch added

This should fix the issue.
----------------------------------------
Bug #8750: unit test fix for CVE-2013-4073 seems to be incomplete
https://bugs.ruby-lang.org/issues/8750#change-40976

Author: terceiro (Antonio Terceiro)
Status: Open
Priority: Normal
Assignee: 
Category: 
Target version: 
ruby -v: trunk
Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN


Hello, I was just testing some Ruby versions against vulnerability against Hostname check bypassing vulnerability in SSL client (CVE-2013-4073), and it looks like the unit test added together with the fix for that issue passes even without that patch applied.

I noticed that the tampered input is using single quotes, as in
'www.example.com\0.evil.com'

I could only make those tests fail when I switched the single quotes into single quotes. This should probably apply to 1.9.3 andn 2.0.0 as well.


-- 
http://bugs.ruby-lang.org/
_______________________________________________
ruby-core mailing list
ruby-core@ruby-lang.org
http://lists.ruby-lang.org/cgi-bin/mailman/listinfo/ruby-core