Bug 783525 (CVE-2012-4466) - VUL-1: CVE-2012-4466: ruby: safe level bypass via name_err_mesg_to_str()
Status: RESOLVED FIXED
: CVE-2012-4481
Alias: CVE-2012-4466
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Deadline: 2013-03-06
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:released:sle11-sp1:51328 maint:...
Reported: 2012-10-04 12:56 UTC by Matthias Weckbecker
Modified: 2014-06-25 17:05 UTC
Description Matthias Weckbecker 2012-10-04 12:56:11 UTC
A similar flaw to CVE-2011-1005 was also found to be present in another method:
name_err_mesg_to_str().

Upstream patch:

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
Comment 1 Marcus Rückert 2012-10-29 12:52:38 UTC
all submissions done
Comment 2 Swamp Workflow Management 2012-11-05 16:08:58 UTC
openSUSE-SU-2012:1443-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 783511,783525
CVE References: CVE-2012-4464,CVE-2012-4466
Sources used:
openSUSE 12.2 (src):    ruby19-1.9.3.p194-3.4.1
openSUSE 12.1 (src):    ruby-1.8.7.p357-2.6.1
openSUSE 11.4 (src):    ruby-1.8.7.p357-0.28.1
Comment 3 Bernhard Wiedemann 2012-11-14 13:30:00 UTC
This is an autogenerated message for OBS integration:
This bug (783525) was mentioned in
https://build.opensuse.org/request/show/141042
Comment 4 Swamp Workflow Management 2013-02-20 10:12:27 UTC
The SWAMPID for this issue is 51302.
This issue was rated as moderate.
Please submit fixed packages until 2013-03-06.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 5 Swamp Workflow Management 2013-03-12 11:04:35 UTC
Update released for: ruby, ruby-debuginfo, ruby-debugsource, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 6 Swamp Workflow Management 2013-03-12 13:15:21 UTC
Update released for: ruby, ruby-debuginfo, ruby-debugsource, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 7 Marcus Meissner 2013-04-03 11:38:52 UTC
released
Comment 8 Swamp Workflow Management 2013-04-03 14:26:17 UTC
Update released for: ruby, ruby-debuginfo, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 9 Marcus Meissner 2014-06-02 15:32:32 UTC
The fix is actually for CVE-2012-4481.

CVE-2012-4466 was fixed in SLE11 SP1 via the update to the 1.8.7.p357 version.
Comment 10 Marcus Meissner 2014-06-02 15:33:01 UTC
*** Bug 880899 has been marked as a duplicate of this bug. ***
Comment 11 Swamp Workflow Management 2014-06-25 13:47:26 UTC
Update released for: ruby, ruby-debuginfo, ruby-debugsource, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
Comment 12 Swamp Workflow Management 2014-06-25 17:05:10 UTC
SUSE-SU-2014:0844-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 783525,808137,827265,851803
CVE References: CVE-2012-4481,CVE-2013-1821,CVE-2013-4073,CVE-2013-4164
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    ruby-1.8.7.p357-0.9.15.6