A security flaw was found in the Ruby method, translating message of the exception into string representation. An attacker could use this flaw to modify arbitrary untainted strings into their tainted equivalents by tricking the safe level mechanism of this method. References: [1] http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/ Upstream patch (against ruby_1_8 branch): [2] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=30903
This issue affects the versions of the ruby package, as shipped with Red Hat Enterprise Linux 5 and 6. -- This issue affects the versions of the ruby package, as shipped with Fedora release of 13. Particular ruby package update for Fedora release of 14 has been already scheduled. Upon testing phase, it will be pushed to Fedora 14 stable repository.
CVE Request: [3] http://www.openwall.com/lists/oss-security/2011/02/21/2
The CVE identifier of CVE-2011-1005 has been assigned to this issue: [4] http://www.openwall.com/lists/oss-security/2011/02/21/5
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Via RHSA-2011:0908 https://rhn.redhat.com/errata/RHSA-2011-0908.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:0910 https://rhn.redhat.com/errata/RHSA-2011-0910.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2011:0909 https://rhn.redhat.com/errata/RHSA-2011-0909.html
Statement: (none)