Re: CVE request: ruby file creation due in insertion of illegal NUL character
From: Matthias Weckbecker <mweckbecker () suse de>
Date: Tue, 16 Oct 2012 14:40:10 +0200
On Friday 12 October 2012 22:50:41 Vincent Danen wrote:
> Just noticed this today on ruby's web site:
> The fix is located here:
> I don't see a CVE name associated with the announcement or commit, so
> I don't believe one has been assigned.
Technically, this would also apply to Perl (at least with 5.12.3). Or am I
missing the point?
$ perl -we 'open $fh, "+>", "perl\0foo"; print $fh "x"x2; close $fh'
$ ls perl
If the third parameter is double-quoted. I wouldn't call it a vulnerability
though. Just wanted to note it.
Matthias Weckbecker, Senior Security Engineer, SUSE Security Team
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg, Germany
Tel: +49-911-74053-0; http://suse.com/
SUSE LINUX Products GmbH, GF: Jeff Hawn, HRB 16746 (AG Nuernberg)
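
As an added example (not part of the original message, and not the Ruby fix it refers to), this Ruby sketch shows the check an application can apply itself: compare the file name with what a NUL-terminated C string API would see, and refuse to create the file when the two differ. The helper names are hypothetical; `"perl\0foo"` is the name used in the message.

```ruby
require "tmpdir"

# Hypothetical helper names; "perl\0foo" is the file name from the message.
class NulInPathError < ArgumentError; end

# The name a NUL-terminated C string API sees: the bytes before the first NUL.
def c_visible_name(name)
  raw = name.to_s.b
  idx = raw.index("\0".b)
  idx ? raw[0, idx] : raw
end

# Return the name unchanged, or raise if the OS would open something else.
def checked_name(name)
  seen = c_visible_name(name)
  return name if seen.bytesize == name.to_s.bytesize
  raise NulInPathError,
        "NUL byte in file name: #{name.to_s.b.inspect} would be opened as #{seen.inspect}"
end

# Create a new file only after the name has passed the check.
def write_checked(dir, name, data)
  path = File.join(dir, checked_name(name))
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(data) }
  path
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    ["perl", "perl\0foo"].each do |name|
      begin
        puts "created #{write_checked(dir, name, 'xx')}"
      rescue NulInPathError => e
        puts "rejected: #{e.message}"
      end
    end
  end
end
```

The check covers NUL bytes only; it is not a general path sanitiser.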