Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 437264 (CVE-2012-4464) - <dev-lang/ruby-{1.8.7_p371,1.9.3_p392}: safe level bypass (CVE-2012-{4464,4466})
Summary: <dev-lang/ruby-{1.8.7_p371,1.9.3_p392}: safe level bypass (CVE-2012-{4464,4466})
Status: RESOLVED FIXED
Alias: CVE-2012-4464
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: A4 [noglsa]
Keywords:
Depends on: CVE-2012-4481 CVE-2013-0269
Blocks:
  Show dependency tree
 
Reported: 2012-10-05 08:21 UTC by Hans de Graaff
Modified: 2013-10-07 09:52 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev 2012-10-05 08:21:57 UTC
"Dear Maintainer,

While running some regression tests I discovered that 1.9.3.194-1 is
vulnerable to CVE-2011-1005, despite the Ruby advisory stating
otherwise:

http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/

You can use the reproducer in the advisory for verification. Just do a
'puts $secret_path' rather than the 'open($secret_path)' block."

Fixed with 
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-15 01:22:58 UTC
CVE request and assignment:

http://www.openwall.com/lists/oss-security/2012/10/03/9
Comment 2 Hans de Graaff gentoo-dev 2012-10-15 12:20:46 UTC
dev-lang/ruby-1.9.3_p286 with a fix for this is now in the tree.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-16 21:04:07 UTC
(In reply to comment #2)
> dev-lang/ruby-1.9.3_p286 with a fix for this is now in the tree.

Thanks. For the 1.8 slot, this should be fixed in 1.8.7-p371. Could you please bump that slot too (preferably with a version that also satisfies bug 437366)?
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-16 11:35:21 UTC
GLSA vote: yes.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-04-26 11:04:58 UTC
CVE-2012-4466 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4466):
  Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0
  before revision r37068 allows context-dependent attackers to bypass
  safe-level restrictions and modify untainted strings via the
  name_err_mesg_to_str API function, which marks the string as tainted, a
  different vulnerability than CVE-2011-1005.

CVE-2012-4464 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4464):
  Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows
  context-dependent attackers to bypass safe-level restrictions and modify
  untainted strings via the (1) exc_to_s or (2) name_err_to_s API function,
  which marks the string as tainted, a different vulnerability than
  CVE-2012-4466.  NOTE: this issue might exist because of a CVE-2011-1005
  regression.
Comment 6 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-29 17:28:18 UTC
GLSA vote: no.
Comment 7 Sergey Popov gentoo-dev 2013-10-07 09:52:50 UTC
GLSA vote: no

Closing as noglsa