Home page logo

oss-sec logo oss-sec mailing list archives

CVE Request: Ruby safe level bypasses
From: Tyler Hicks <tyhicks () canonical com>
Date: Tue, 2 Oct 2012 15:32:15 -0700

Hello - Upstream Ruby has fixed[1] exception methods that incorrectly
allowed safe level bypasses. These bypasses allowed untainted strings to
be modified by untrusted code in safe level 4.

Note that the changes to exc_to_s() and name_err_to_s(), in error.c, are
similar to the fix for CVE-2011-1005, but the Ruby advisory[2] made it
clear that Ruby 1.9.x was not affected by CVE-2011-1005. It turns out
that the vulnerability was later reintroduced to Ruby's trunk in
revision 29456. Ruby 1.9.3-p0 and later is affected.

While Shugo Maeda was fixing the issue above, he noticed that
name_err_mesg_to_str() had a similar flaw. Ruby 1.8.x, along with
1.9.3-p0 and later is affected.

I believe that these issues need two separate CVEs. Both issues are
fixed in the same upstream patch[1]. Could you please allocate ids?


[1] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
[2] http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/

Attachment: signature.asc
Description: Digital signature

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]