Red Hat Bugzilla – Bug 862598
CVE-2012-4464 ruby 1.9.3: Possibility to bypass Ruby's $SAFE (level 4) semantics
Last modified: 2014-10-29 08:13:22 EDT
Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1005 to the following vulnerability:
The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.
Later it was reported:
that upstream ruby 1.9.1 and ruby 1.9.3 versions are also vulnerable to this flaw.
Relevant upstream patch:
Upstream public reproducer for the CVE-2011-1005 issue (from:
$secret_path = "foo"
$SAFE = 4
which can be used to test for the presence of the issue.
This issue did NOT affect the versions of the ruby package, as shipped with Red Hat Enterprise Linux 5 and 6 (refer to bug #678920 for further information about this flaw in ruby 1.8.x and earlier versions).
This issue did NOT affect the version of the ruby package, as shipped with Fedora release 16.
This issue affects the version of the ruby package, as shipped with Fedora 17. Please schedule an update.
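The reproducer above is truncated in this report, and the $SAFE level-4 sandbox it relies on was removed from Ruby in 2.1, so the following is an added example (not the upstream reproducer, and not code from the ruby package) that shows the underlying mechanism on a current Ruby: Exception#to_s and #message hand back the very String object the exception was constructed with, so any code that is allowed to mutate the returned message can mutate the "secret" path the trusted side still holds. The ConfigLoader class, the untrusted_handler/demo helpers and the sample path are all hypothetical constructions for this illustration; the hardened variant corresponds to the general fix of handing out a copy of the message instead of the original object.

```ruby
# Added example, not part of the Red Hat bug report or of Ruby itself.
# Shows that Exception#to_s returns the exception's message String by
# identity, so a rescuer that may mutate the message can mutate the
# original. $SAFE level 4 no longer exists, so the "untrusted" side here
# is simply a handler that only ever touches the exception object.

# Hypothetical trusted code that holds a path it does not want callers to change.
class ConfigLoader
  attr_reader :path

  def initialize(path)
    @path = path
  end

  # Leaky: the exception carries our internal String, so whoever rescues it
  # gets an alias to @path through Exception#to_s / Exception#message.
  def load_leaky
    raise IOError, @path
  end

  # Hardened: the exception gets its own copy, so mutating the message can
  # never reach @path (the same idea as returning a copy from to_s upstream).
  def load_hardened
    raise IOError, @path.dup
  end
end

# Plays the role of untrusted code: it never sees the loader's path directly,
# only the exception, and mutates what to_s returned.
def untrusted_handler(loader, method)
  loader.public_send(method)
rescue IOError => e
  e.to_s.replace("/tmp/evil")
  e
end

# Runs one variant and reports what the trusted side's path looks like
# afterwards and whether to_s returned the loader's own String object.
def demo(method)
  loader = ConfigLoader.new(String.new("/etc/app/secret.conf")) # constructed sample path
  e = untrusted_handler(loader, method)
  { path_after: loader.path, same_object: e.to_s.equal?(loader.path) }
end

if __FILE__ == $PROGRAM_NAME
  p demo(:load_leaky)    # path_after is "/tmp/evil", same_object is true
  p demo(:load_hardened) # path_after unchanged, same_object is false
end
```

The check a reviewer would carry away from this: if a value passed into an exception (or returned from to_s/message) is one the caller must not be able to alter, hand over a dup or a frozen copy rather than the object itself; identity, not just content, is what the old safe-level check and any similar trust boundary depend on.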
Based on comments reported to oss-sec, there are actually two issues here:
1) CVE-2011-1005 was never reported to affect ruby 1.9.x, but it was later introduced (or re-introduced) on trunk, via r29456. So ruby 1.9.3-p0 and later is affected by the same flaw that was assigned CVE-2011-1005 in 1.8.x (it's been assigned the name CVE-2012-4464)
2) The name_err_mesg_to_str() function has a similar flaw, and it affects both 1.8.x and 1.9.3-p0 and later. This was assigned the name CVE-2012-4466.
CVE assignments and explanations:
We'll keep this bug for CVE-2012-4464, and bug #862906 for CVE-2012-4466.
Not vulnerable. This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5 and 6 as they did not provide version 1.9.x, which is the vulnerable version of ruby.
Created ruby tracking bugs for this issue
Affects: fedora-all [bug 862907]
This issue has been addressed in the following products:
RHEL 6 Version of OpenShift Enterprise
Via RHSA-2013:0582 https://rhn.redhat.com/errata/RHSA-2013-0582.html