oss-sec mailing list archives
CVE Request: Ruby safe level bypasses
From: Tyler Hicks <tyhicks () canonical com>
Date: Tue, 2 Oct 2012 15:32:15 -0700
Hello -

Upstream Ruby has fixed[1] exception methods that incorrectly allowed safe level bypasses. These bypasses allowed untainted strings to be modified by untrusted code in safe level 4.

Note that the changes to exc_to_s() and name_err_to_s(), in error.c, are similar to the fix for CVE-2011-1005, but the Ruby advisory[2] made it clear that Ruby 1.9.x was not affected by CVE-2011-1005. It turns out that the vulnerability was later reintroduced to Ruby's trunk in revision 29456. Ruby 1.9.3-p0 and later is affected.

While Shugo Maeda was fixing the issue above, he noticed that name_err_mesg_to_str() had a similar flaw. Ruby 1.8.x, along with 1.9.3-p0 and later is affected.

I believe that these issues need two separate CVEs. Both issues are fixed in the same upstream patch[1]. Could you please allocate ids?

Thanks,
Tyler

[1] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
[2] http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/