Bug 783511 (CVE-2012-4464) - VUL-1: CVE-2012-4464: ruby19: bypass of $SAFE semantics
Summary: VUL-1: CVE-2012-4464: ruby19: bypass of $SAFE semantics
Status: RESOLVED FIXED
Alias: CVE-2012-4464
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P4 - Low : Minor
Target Milestone: ---
Deadline: 2013-03-06
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:running:51302:moderate maint:r...
Keywords:
Depends on:
Blocks:
 
Reported: 2012-10-04 11:17 UTC by Matthias Weckbecker
Modified: 2015-02-19 03:20 UTC
CC List: 3 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Matthias Weckbecker 2012-10-04 11:17:42 UTC
CVE-2011-1005 has already been issued because of this vulnerability for ruby
1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330 as well as 1.8.8dev, but it
turned out this also affects 1.9 now.

Further information:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689075
  http://www.openwall.com/lists/oss-security/2012/10/02/4
Comment 1 Matthias Weckbecker 2012-10-04 11:21:55 UTC
We have an affected version of ruby (1.9.3) on the following products:

  * openSUSE:12.2

Plus SUSE:Factory:Head and openSUSE:Factory

Note: This does not affect any current version of SUSE Linux Enterprise.
Comment 2 Matthias Weckbecker 2012-10-04 11:32:28 UTC
Upstream patch:

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
Comment 3 Marcus Rückert 2012-10-26 14:12:17 UTC
To the studio team for fixing the copy in studio onsite.
Comment 5 Bernhard Wiedemann 2012-10-26 15:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (783511) was mentioned in
https://build.opensuse.org/request/show/139454 Factory / ruby19
Comment 6 Swamp Workflow Management 2012-11-05 16:08:46 UTC
openSUSE-SU-2012:1443-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 783511,783525
CVE References: CVE-2012-4464,CVE-2012-4466
Sources used:
openSUSE 12.2 (src):    ruby19-1.9.3.p194-3.4.1
openSUSE 12.1 (src):    ruby-1.8.7.p357-2.6.1
openSUSE 11.4 (src):    ruby-1.8.7.p357-0.28.1
Comment 9 Bernhard Wiedemann 2013-02-08 14:00:16 UTC
This is an autogenerated message for OBS integration:
This bug (783511) was mentioned in
https://build.opensuse.org/request/show/154919 Factory / ruby19
https://build.opensuse.org/request/show/154920 Maintenance /
Comment 10 Swamp Workflow Management 2013-02-20 10:12:18 UTC
The SWAMPID for this issue is 51302.
This issue was rated as moderate.
Please submit fixed packages until 2013-03-06.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 11 Marcus Meissner 2013-02-21 14:51:30 UTC
I think it's all done now.
Comment 12 Swamp Workflow Management 2013-03-01 16:05:03 UTC
openSUSE-SU-2013:0376-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 783511,789983,791199,802406
CVE References: CVE-2012-4464,CVE-2012-4466,CVE-2012-4522,CVE-2012-5371,CVE-2013-0256
Sources used:
openSUSE 12.2 (src):    ruby19-1.9.3.p385-3.18.1
Comment 13 Swamp Workflow Management 2013-04-09 13:37:32 UTC
Update released for: ruby19, ruby19-debuginfo, ruby19-debugsource, ruby19-devel, ruby19-devel-extra, ruby19-doc-ri, ruby19-tk
Products:
SLE-STUDIOONSITE 1.3 (x86_64)