oss-sec mailing list archives

CVE Request: Ruby safe level bypasses


From: Tyler Hicks <tyhicks () canonical com>
Date: Tue, 2 Oct 2012 15:32:15 -0700

Hello - Upstream Ruby has fixed[1] exception methods that incorrectly
allowed safe level bypasses. These bypasses allowed untainted strings to
be modified by untrusted code in safe level 4.

Note that the changes to exc_to_s() and name_err_to_s(), in error.c, are
similar to the fix for CVE-2011-1005, but the Ruby advisory[2] made it
clear that Ruby 1.9.x was not affected by CVE-2011-1005. It turns out
that the vulnerability was later reintroduced to Ruby's trunk in
revision 29456. Ruby 1.9.3-p0 and later is affected.

While Shugo Maeda was fixing the issue above, he noticed that
name_err_mesg_to_str() had a similar flaw. Ruby 1.8.x, along with
1.9.3-p0 and later, is affected.

I believe that these issues need two separate CVEs. Both issues are
fixed in the same upstream patch[1]. Could you please allocate ids?

Thanks,
Tyler

[1] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
[2] http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/
