Summary: | <dev-lang/ruby-{1.8.7_p331, 1.9.2_p137}: Multiple vulnerabilities (CVE-2011-{1004,1005}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Hans de Graaff <graaff> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | ruby |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
URL: | http://www.ruby-lang.org/en/news/2011/02/18/fileutils-is-vulnerable-to-symlink-race-attacks/ | ||
Whiteboard: | A3 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Hans de Graaff
2011-02-18 14:50:44 UTC
Second issue (1.8 only):
Exception methods can bypass $SAFE
Exception#to_s method can be used to trick $SAFE check, which allows untrusted code to modify arbitrary strings.

I'll see to bump at least 1.8.7 (in stable) tonight

Arches, please test and mark stable:
=dev-lang/ruby-1.8.7_p334
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Stable for HPPA.

amd64 works!

amd64 done. Thanks Agostino

ppc/ppc64 stable

x86 stable

CVE assignment per http://www.openwall.com/lists/oss-security/2011/02/21/5:

(In reply to comment #0)
> A symlink race condition vulnerability was found in
> FileUtils.remove_entry_secure. The vulnerability allows local users to delete
> arbitrary files and directories.
>
CVE-2011-1004

(In reply to comment #1)
> Second issue (1.8 only):
> Exception methods can bypass $SAFE
> Exception#to_s method can be used to trick $SAFE check, which allows untrusted
> code to modify arbitrary strings.
>
CVE-2011-1005

alpha/arm/ia64/s390/sh stable

Thanks, everyone. GLSA request filed.

CVE-2011-1005 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1005): The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.

CVE-2011-1004 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1004): The FileUtils.remove_entry_secure method in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, 1.8.8dev, 1.9.1 through 1.9.1-430, 1.9.2 through 1.9.2-136, and 1.9.3dev allows local users to delete arbitrary files via a symlink attack.

This issue was resolved and addressed in GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml by GLSA coordinator Sean Amoss (ackle).