Bug 862598 (CVE-2012-4464) - CVE-2012-4464 ruby 1.9.3: Possibility to bypass Ruby's $SAFE (level 4) semantics
Summary: CVE-2012-4464 ruby 1.9.3: Possibility to bypass Ruby's $SAFE (level 4) semantics
Alias: CVE-2012-4464
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 839530 862907 863315 904020
Blocks: 767033
Reported: 2012-10-03 10:59 UTC by Jan Lieskovsky
Modified: 2021-02-23 13:45 UTC

Fixed In Version: ruby 1.9.3p286
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-10-28 21:18:03 UTC


External tracker:
  Red Hat Product Errata RHSA-2013:0582 (priority: normal; status: SHIPPED_LIVE; private: no)
  Summary: Moderate: Red Hat OpenShift Enterprise 1.1.1 update
  Last updated: 2013-03-01 00:05:18 UTC

Description Jan Lieskovsky 2012-10-03 10:59:07 UTC
Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1005 to the following vulnerability:

The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.

Later it was reported:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689075
[2] http://www.openwall.com/lists/oss-security/2012/10/02/4

that upstream ruby 1.9.1 and ruby 1.9.3 versions are also vulnerable to this flaw.

Relevant upstream patch:
[3] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068

Comment 1 Jan Lieskovsky 2012-10-03 11:01:16 UTC
Upstream public reproducer for the CVE-2011-1005 issue (from:

$secret_path = "foo"

proc do
    $SAFE = 4
    # Exception#to_s is the step named in the bug summary: it returns the wrapped
    # string itself and, on an affected build, leaves it modifiable at level 4
    Exception.new($secret_path).to_s
    $secret_path.replace "/etc/passwd"
end.call

open($secret_path) do |f|
    puts f.read  # affected build: prints /etc/passwd; fixed build: SecurityError at the replace above
end

which can be used to test presence of the issue.

Comment 2 Jan Lieskovsky 2012-10-03 11:05:24 UTC
This issue did NOT affect the versions of the ruby package, as shipped with Red Hat Enterprise Linux 5 and 6 (refer to bug #678920 for further information about this flaw in ruby 1.8.x and earlier versions).

This issue did NOT affect the version of the ruby package, as shipped with Fedora release 16.

This issue affects the version of the ruby package, as shipped with Fedora 17. Please schedule an update.

Comment 3 Vincent Danen 2012-10-03 20:49:51 UTC
Based on comments reported to oss-sec, there are actually two issues here:

1) CVE-2011-1005 was never reported to affect ruby 1.9.x, but it was later introduced (or re-introduced) on trunk, via r29456. So ruby 1.9.3-p0 and later is affected by the same flaw that was assigned CVE-2011-1005 in 1.8.x (it's been assigned the name CVE-2012-4464).

2) The name_err_mesg_to_str() function has a similar flaw, and it affects both 1.8.x and 1.9.3-p0 and later. This was assigned the name CVE-2012-4466.

CVE assignments and explanations:


We'll keep this bug for CVE-2012-4464, and bug #862906 for CVE-2012-4466.

Comment 4 Vincent Danen 2012-10-03 20:53:14 UTC

Not vulnerable. This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5 and 6 as they did not provide version 1.9.x, which is the vulnerable version of ruby.
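A version-range check built from the ranges this report states (comment 3: 1.9.3-p0 and later; the "Fixed In Version: ruby 1.9.3p286" field; comments 2 to 4 on 1.8.x not being in scope for this CVE). It is an added example, not part of the bug report or of Ruby's own tooling; the function names and the :affected / :not_affected / :unknown result symbols are this example's own, and versions the report does not classify are deliberately reported as :unknown rather than guessed.

```ruby
# Added example for this page: classify a Ruby interpreter against the
# CVE-2012-4464 ranges given in the bug report. Not part of the report or of Ruby.

CVE_2012_4464_FIXED_PATCHLEVEL = 286  # "Fixed In Version: ruby 1.9.3p286"

# "1.9.3" -> [1, 9, 3]; anything that is not three numeric components -> nil
def parse_ruby_version(version)
  parts = version.to_s.split(".")
  return nil unless parts.size == 3 && parts.all? { |s| s.match?(/\A\d+\z/) }
  parts.map(&:to_i)
end

# Returns :affected, :not_affected or :unknown. `patchlevel` is the integer
# RUBY_PATCHLEVEL (nil when not known; negative on development snapshots).
def cve_2012_4464_status(version, patchlevel = nil)
  major, minor, teeny = parse_ruby_version(version)
  return :unknown if major.nil?

  # Comments 2-4: 1.8.x carried the older CVE-2011-1005 and is out of scope here.
  return :not_affected if major == 1 && minor == 8

  if major == 1 && minor == 9 && teeny == 3
    # A release needs a concrete patchlevel to land on either side of p286;
    # snapshots (RUBY_PATCHLEVEL == -1) cannot be placed from this report.
    return :unknown if patchlevel.nil? || patchlevel < 0
    return patchlevel < CVE_2012_4464_FIXED_PATCHLEVEL ? :affected : :not_affected
  end

  # The report does not classify 1.9.0-1.9.2 consistently (description vs.
  # comment 3) and says nothing about 2.x, so neither is guessed at.
  :unknown
end

# Classify the interpreter running this script.
def running_ruby_status
  cve_2012_4464_status(RUBY_VERSION, RUBY_PATCHLEVEL)
end

if __FILE__ == $PROGRAM_NAME
  puts "ruby #{RUBY_VERSION}p#{RUBY_PATCHLEVEL}: #{running_ruby_status}"
end
```

Run it on a host to print the verdict for that interpreter, or call cve_2012_4464_status with the version and patchlevel string a package manager reports. The explicit :unknown branch is the point: a check that silently reports "not affected" for versions the source never classified is worse than one that admits it cannot tell.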

Comment 5 Jan Lieskovsky 2012-10-04 08:57:01 UTC
Created ruby tracking bugs for this issue

Affects: fedora-all [bug 862907]

Comment 8 errata-xmlrpc 2013-02-28 19:08:12 UTC
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0582 https://rhn.redhat.com/errata/RHSA-2013-0582.html
