A symlink race condition vulnerability was found in FileUtils.remove_entry_secure. The vulnerability allows local users to delete arbitrary files and directories.
Second issue (1.8 only):
Exception methods can bypass $SAFE
Exception#to_s method can be used to trick the $SAFE check, which allows untrusted code to modify arbitrary strings.
I'll see to bump at least 1.8.7 (in stable) tonight
Arches, please test and mark stable:
=dev-lang/ruby-1.8.7_p334
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
amd64 works!
amd64 done. Thanks Agostino
ppc/ppc64 stable
x86 stable
CVE assignment per http://www.openwall.com/lists/oss-security/2011/02/21/5:
(In reply to comment #0)
> A symlink race condition vulnerability was found in
> FileUtils.remove_entry_secure. The vulnerability allows local users to delete
> arbitrary files and directories.
CVE-2011-1004
(In reply to comment #1)
> Second issue (1.8 only):
> Exception methods can bypass $SAFE
> Exception#to_s method can be used to trick the $SAFE check, which allows untrusted
> code to modify arbitrary strings.
CVE-2011-1005
alpha/arm/ia64/s390/sh stable
Thanks, everyone. GLSA request filed.
CVE-2011-1005 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1005): The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.
CVE-2011-1004 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1004): The FileUtils.remove_entry_secure method in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, 1.8.8dev, 1.9.1 through 1.9.1-430, 1.9.2 through 1.9.2-136, and 1.9.3dev allows local users to delete arbitrary files via a symlink attack.
This issue was resolved and addressed in GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml by GLSA coordinator Sean Amoss (ackle).