Bugzilla – Bug 880899
VUL-0: CVE-2012-4481: ruby: NameError#to_s problem
Last modified: 2014-06-02 15:33:01 UTC
public, via bug 673750, incomplete fix for CVE-2011-1005

The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4481
MLIST:[oss-security] 20121005 Re: CVE Request -- ruby (1.8.x with patched CVE-2011-1005): Incomplete fix for CVE-2011-1005 for NameError#to_s method when used on objects
http://www.openwall.com/lists/oss-security/2012/10/05/4
https://bugzilla.redhat.com/show_bug.cgi?id=863484
Marcus, did we fix this?
1. Our error.c file matches the upstream error.c file in the 1.8.7 branch.
2. The upstream 1.9.3 and newer branches also removed:
   if (OBJ_TAINTED(obj)) OBJ_TAINT(mesg);
The question would be whether it was forgotten upstream or left in intentionally. Does this help?
ruby-1.8.7_safe_level_bypass.patch in SUSE:SLE-11-SP1:Update:Test/ruby contains the fix for this (removing OBJ_INFECT(str, mesg)). The change has a different CVE number though (that was fixed in the ruby 1.8.7 snapshot we included already). It was not released into the SLE11 SP1 LTSS codebase yet. SLE11 SP2 and later are fixed.
Basically fixed by 783525 already.

*** This bug has been marked as a duplicate of bug 783525 ***