Red Hat Bugzilla – Bug 458948
CVE-2008-3655 ruby: multiple insufficient safe mode restrictions
Last modified: 2011-10-27 09:33:31 EDT
Description of problem:
Ruby upstream has announced multiple security vulnerabilities
related to improper Ruby access restriction of critical
variables and methods at various safe levels:
a. untrace_var is permitted at safe level 4.
b. $PROGRAM_NAME may be modified at safe level 4.
Doesn't Affect: rhel-2.1->rhel-4.8
Affects: rhel-5.2.z, rhel-5.3
Proposed patch: ?
c. Insecure methods may be called at safe levels 1-3.
d. Syslog operations are permitted at safe level 4.
Version-Release number of selected component (if applicable):
All versions of the Ruby package as shipped with Red Hat Enterprise Linux
2.1, 3, 4 and 5.
Steps to Reproduce:
Additional info -- public mention of this issue:
*** Bug 458789 has been marked as a duplicate of this bug. ***
d. doesn't affect rhel2.1 - syslog module was available since 1.6.6 and we have shipped 1.6.4 for rhel2.1. FYI.
ruby-126.96.36.1997-2.fc8 has been submitted as an update for Fedora 8.
ruby-188.8.131.527-2.fc9 has been submitted as an update for Fedora 9.
ruby-184.108.40.2067-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
ruby-220.127.116.117-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux: