Bug 451382 (CVE-2013-0175) - <dev-ruby/multi_xml-0.5.2: params parsing vulnerabilities (CVE-2013-0175)
Status: RESOLVED FIXED
Alias: CVE-2013-0175
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~1 [noglsa]
Reported: 2013-01-11 10:35 UTC by Agostino Sarubbo
Modified: 2013-01-16 07:26 UTC

Description Agostino Sarubbo gentoo-dev 2013-01-11 10:35:42 UTC
From $URL :

Apparently, the multi_xml ruby gem has the same issue as CVE-2013-0156.

Can a new CVE be assigned to track it specifically as well, or would
policy dictate that this issue be considered part of the original CVE?

https://gist.github.com/d7f6d9f4925f413621aa
https://github.com/sferik/multi_xml/pull/34
https://news.ycombinator.com/item?id=5040457

~reed
Comment 1 Hans de Graaff gentoo-dev Security 2013-01-11 12:32:47 UTC
multi_xml 0.5.2 is now in the tree.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-15 22:29:27 UTC
(In reply to comment #1)
> multi_xml 0.5.2 is now in the tree.

Thanks, Hans. Please don't forget to drop the vulnerable version.

Closing noglsa for ~arch only package.
Comment 3 Hans de Graaff gentoo-dev Security 2013-01-16 07:26:57 UTC
(In reply to comment #2)

> Thanks, Hans. Please don't forget to drop the vulnerable version.

Done.