From ${URL} :

Description
A vulnerability has been reported in Ruby, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused by the DL and Fiddle modules not properly verifying the $SAFE level when handling certain objects, and can be exploited to pass tainted strings to system calls.

The vulnerability is reported in the following versions:
* All ruby 1.9 versions prior to ruby 1.9.3 patchlevel 426
* All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 195

Solution
Update to version 1.9.3 patchlevel 426 or 2.0.0 patchlevel 195.

Provided and/or discovered by
The vendor credits Vit Ondruch.

Original Advisory
http://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for stabilization or not.
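As an added illustration (not code from Ruby, from the advisory, or from this bug report), the following plain-Ruby model shows the check that the CVE-2013-2065 fix restores in DL/Fiddle: a string derived from untrusted input keeps its taint through later operations, and at $SAFE >= 1 a gate in front of the native call refuses it instead of handing it to foreign code. Current Ruby has removed $SAFE and the per-object taint flag (deprecated in 2.7, removed in 3.0 and 3.2 respectively), so the tracking is reimplemented here explicitly; TrackedString, NativeBinding and the strlen stand-in are assumptions for the demo, not Ruby's or Fiddle's API.

```ruby
# Added illustration, not Ruby's own code: a user-level model of the taint
# check that DL/Fiddle skipped before the CVE-2013-2065 fix. The class names
# and the "native" sink below are assumptions made for the demo.

# A string value plus a flag recording whether it came from outside the program.
TrackedString = Struct.new(:value, :tainted) do
  def tainted?
    tainted
  end

  # Taint propagates: anything derived from tainted input is itself tainted.
  def +(other)
    TrackedString.new(value + other.value, tainted || other.tainted)
  end

  def gsub(pattern, replacement)
    TrackedString.new(value.gsub(pattern, replacement), tainted)
  end
end

# Literals inside the program are trusted; argv, env, sockets, files are not.
def trusted(str)
  TrackedString.new(str, false)
end

def untrusted(str)
  TrackedString.new(str, true)
end

# Stand-in for a foreign-function binding (the role Fiddle::Function#call plays).
class NativeBinding
  attr_reader :name

  def initialize(name, &impl)
    @name = name
    @impl = impl
  end

  # The gate DL/Fiddle lacked before the fix: at safe level >= 1 no tainted
  # argument may reach native code. At level 0 no check is performed.
  def call(safe_level, *args)
    if safe_level >= 1
      args.each do |arg|
        raise SecurityError, "#{name}: tainted argument at $SAFE=#{safe_level}" if arg.tainted?
      end
    end
    @impl.call(*args.map(&:value))
  end
end

# Harmless native-like sink for the demo: byte length of its input.
STRLEN = NativeBinding.new("strlen") { |s| s.bytesize }

# Returns [:ok, result] or [:blocked, message] when the taint gate rejects the call.
def try_native(binding, safe_level, arg)
  [:ok, binding.call(safe_level, arg)]
rescue SecurityError => e
  [:blocked, e.message]
end

if __FILE__ == $0
  input = untrusted("hello from argv") + trusted("!")
  p try_native(STRLEN, 0, input)             # [:ok, 16]  ($SAFE=0: unchecked)
  p try_native(STRLEN, 1, input)             # [:blocked, "strlen: tainted argument at $SAFE=1"]
  p try_native(STRLEN, 1, trusted("fixed"))  # [:ok, 5]
end
```

The point of the model is the last two calls: the same binding accepts a trusted literal and refuses a value that still carries taint from untrusted input, which is exactly the behaviour the vulnerable DL/Fiddle versions failed to enforce.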
I've just added ruby 1.9.3 p492. Given that there are also other bug fixes and changes, I would suggest holding off stabilization for a few days to see if any issues surface.
I haven't seen any regressions, so let's go ahead and mark this version stable. =dev-lang/ruby-1.9.3_p429
Arches, please test and mark stable: =dev-lang/ruby-1.9.3_p429
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
amd64 stable
x86 stable
ppc stable
arm stable
sparc stable
alpha stable
ia64 stable
ppc64 stable
s390 stable
sh stable
GLSA vote: no.
CVE-2013-2065 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2065): (1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent attackers to bypass intended $SAFE level restrictions.
GLSA vote: no. Closing as [noglsa]