An upstream Ruby security notice [1] indicated that ruby suffered from a flaw where unintended files could be created if they contained a NUL character in the file path or name. Certain methods like IO#open did not check the filename passed to them, and just passed those strings to lower layer routines, which could lead to unintentional files being created, as demonstrated:

    p File.exists?("foo")      #=> false
    open("foo\0bar", "w") { |f| f.puts "hai" }
    p File.exists?("foo")      #=> true
    p File.exists?("foo\0bar") #=> raises ArgumentError

Upstream indicates that ruby 1.9.3 prior to patchlevel 286 is vulnerable. An upstream patch is available [2].

[1] http://preview.ruby-lang.org/en/news/2012/10/12/poisoned-NUL-byte-vulnerability/
[2] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37163
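Added example, not part of the original report or of the upstream patch: a small Ruby check that shows why the file "foo" appears in the demonstration above (a NUL-terminated C routine only sees the bytes before the first NUL) and rejects such paths before any IO call. The helper names c_visible_path, nul_poisoned?, checked_open and audit are hypothetical, and the sample paths are constructed.

```ruby
# Added example (not the upstream fix): model what a NUL-terminated C routine
# receives from a Ruby path string, and refuse such paths up front.

# Ruby strings are length-counted and may contain NUL bytes. A C function
# taking `const char *` stops reading at the first NUL, so this returns the
# path that the lower layer would actually act on.
def c_visible_path(path)
  idx = path.index("\0")
  idx ? path[0, idx] : path
end

# True when the Ruby-level string and the C-level view can disagree.
def nul_poisoned?(path)
  path.include?("\0")
end

# Hypothetical wrapper: reject NUL-containing paths before opening, using the
# same error class that File.exists? raises in the report's demonstration.
def checked_open(path, mode = "r", &block)
  raise ArgumentError, "path contains NUL byte" if nul_poisoned?(path)
  File.open(path, mode, &block)
end

# Constructed sample inputs; the second is the string from the report.
SAMPLES = ["foo", "foo\0bar", "logs/app.log"].freeze

# Summarise, per path, what Ruby was given and what the C layer would see.
def audit(paths)
  paths.map do |p|
    { given: p, c_view: c_visible_path(p), poisoned: nul_poisoned?(p) }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLES).each { |row| puts row.inspect }
end
```

On a fixed interpreter File.open raises ArgumentError for these paths by itself; the wrapper is for code that must also run on unpatched versions or that hands paths to other native extensions.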
This was assigned the name CVE-2012-4522: http://seclists.org/oss-sec/2012/q4/72
Created ruby tracking bugs for this issue

Affects: fedora-all [bug 866567]
ruby-1.9.3.286-19.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
This issue did not affect the version of ruby as shipped with Fedora-16. This issue was fixed in Fedora-17, via the following security advisory: https://admin.fedoraproject.org/updates/FEDORA-2012-16086/ruby-1.9.3.286-18.fc17
ruby-1.9.3.286-18.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0129 https://rhn.redhat.com/errata/RHSA-2013-0129.html
Statement: This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 6.
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0582 https://rhn.redhat.com/errata/RHSA-2013-0582.html