oss-sec mailing list archives

Re: CVE request: ruby file creation due in insertion of illegal NUL character
From: Matthias Weckbecker <mweckbecker () suse de>
Date: Tue, 16 Oct 2012 14:40:10 +0200

On Friday 12 October 2012 22:50:41 Vincent Danen wrote:
> Just noticed this today on ruby's web site:
>
>
> The fix is located here:
>
>
> I don't see a CVE name associated with the announcement or commit, so
> I don't believe one has been assigned.

Technically, this would also apply to Perl (at least with 5.12.3). Or am I
missing the point?

  $ perl -we 'open $fh, "+>", "perl\0foo"; print $fh "x"x2; close $fh'
  $ ls perl

If the third parameter is double-quoted. I wouldn't call it a vulnerability 
though. Just wanted to note it.


Matthias Weckbecker, Senior Security Engineer, SUSE Security Team
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg, Germany
Tel: +49-911-74053-0;  http://suse.com/
SUSE LINUX Products GmbH, GF: Jeff Hawn, HRB 16746 (AG Nuernberg) 
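
The mismatch shown by the Perl one-liner above, as an added Ruby example that is not part of the original post: a script-level string keeps every byte, while a C API that takes a NUL-terminated name acts only on the part before the first NUL. The helper names (`c_string_view`, `nul_mismatch`, `checked_path`, `audit`) and the sample names other than `"perl\0foo"` are constructed for illustration.

```ruby
# Added illustration; helper names are hypothetical, not part of Ruby or Perl.

# What a C API taking a NUL-terminated string (such as open(2)) would see:
# everything up to, but not including, the first NUL byte.
def c_string_view(path)
  bytes = path.b
  idx = bytes.index("\0".b)
  idx ? bytes[0, idx] : bytes
end

# Returns nil when the script-level name and the C-level name agree,
# otherwise a hash describing both views of the same string.
def nul_mismatch(path)
  seen = c_string_view(path)
  return nil if seen == path.b
  { requested: path.b, effective: seen }
end

class NulInPathError < ArgumentError; end

# Guard to call before handing a caller-supplied name to any file API.
def checked_path(path)
  s = String(path)
  if (m = nul_mismatch(s))
    raise NulInPathError,
          "NUL byte in path: #{m[:requested].inspect} would be treated as #{m[:effective].inspect}"
  end
  s
end

# Constructed sample inputs; the first mirrors the name used in the post.
SAMPLES = ["perl\0foo", "report.txt", "a\0b\0c"].freeze

# Runs the guard over a list of names and records the verdict for each.
def audit(names)
  names.map do |n|
    begin
      checked_path(n)
      [n, :ok]
    rescue NulInPathError
      [n, :rejected]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLES).each { |name, verdict| puts "#{name.inspect}: #{verdict}" }
end
```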
