Date: 15 October 2012
References: ESB-2013.0308
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0141
Ruby 1.9.3-p286 is released
15 October 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:              Ruby
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Existing Account
                      Create Arbitrary Files          -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-4466 CVE-2012-4464
Member content until: Wednesday, November 14 2012
OVERVIEW
Multiple vulnerabilities have been fixed in Ruby 1.9.3-p286.
IMPACT
The following information is available from the vendor's website:
CVE-2012-4464, CVE-2012-4466:
"Vulnerabilities found for Exception#to_s, NameError#to_s, and
name_err_mesg_to_s() which is Ruby interpreter-internal API. A malicious
user code can bypass $SAFE check by utilizing one of those security
holes." [1]
(No CVE):
"A vulnerability was found that file creation routines can create
unintended files by strategically inserting NUL(s) in file paths." [2]
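The second item concerns file paths that carry an embedded NUL byte, which can truncate the path at the C level so that a different file is created than the one the Ruby string names. The following is an added example, not code from the AusCERT bulletin or from the Ruby project: a small input-validation helper (the `SafePath` module and its `resolve`/`safe?` methods are hypothetical names) that an application can apply to untrusted file names before they reach file-creation routines. It rejects NUL bytes outright rather than relying on the interpreter to catch them, and additionally confines the resolved path to an allowed base directory.

```ruby
# Added example (not part of the AusCERT bulletin or the Ruby project's code):
# validate an untrusted file name before it reaches File.open / File.write.
require "pathname"

module SafePath
  class InvalidPath < StandardError; end

  # Returns the absolute, normalised path under base_dir if `untrusted` is
  # acceptable; raises InvalidPath otherwise.
  def self.resolve(base_dir, untrusted)
    raise InvalidPath, "path must be a String" unless untrusted.is_a?(String)
    raise InvalidPath, "path is empty" if untrusted.empty?
    # A NUL byte can truncate the path inside the C runtime (the "poisoned
    # NUL byte" problem), so refuse it before any file routine sees it.
    raise InvalidPath, "path contains NUL byte" if untrusted.include?("\0")

    base = Pathname.new(base_dir).expand_path
    # Pathname#+ normalises ".." segments and replaces base with an absolute
    # argument, so the confinement check below covers both traversal forms.
    candidate = (base + untrusted).expand_path
    unless candidate == base ||
           candidate.to_s.start_with?(base.to_s + File::SEPARATOR)
      raise InvalidPath, "path escapes base directory"
    end
    candidate.to_s
  end

  # Boolean form for callers that only need accept/reject.
  def self.safe?(base_dir, untrusted)
    resolve(base_dir, untrusted)
    true
  rescue InvalidPath
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one benign name, one with an embedded NUL,
  # one with directory traversal, one absolute path.
  base = "/srv/uploads"
  ["report.txt", "report.txt\0.png", "../../etc/passwd", "/etc/passwd"].each do |name|
    puts "#{name.inspect}: #{SafePath.safe?(base, name) ? 'accepted' : 'rejected'}"
  end
end
```

The check runs purely on the string and `Pathname` normalisation, so it needs no filesystem access and can be applied before any file is created; an accepted path is returned in its canonical absolute form so that the caller uses exactly what was validated.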
MITIGATION
Users should update to the latest version. [3]
REFERENCES
[1] $SAFE escaping vulnerability about Exception#to_s / NameError#to_s
    (CVE-2012-4464, CVE-2012-4466)
    http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/
[2] Unintentional file creation caused by inserting a illegal NUL character
    http://www.ruby-lang.org/en/news/2012/10/12/poisoned-NUL-byte-vulnerability/
[3] Ruby 1.9.3-p286 is released
    http://www.ruby-lang.org/en/news/2012/10/12/ruby-1-9-3-p286-is-released/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUHt5Le4yVqjM2NGpAQIVug/+NQg37fBXe2UsEKa7w976FJt1ZVBM3xJ/
t4yYZQU84uhd5/4zxdENfTzIkRT9TZyGPYBRudKdpYfO4q9v1zHGZqJWiaqUMQOQ
pDPivLH4AMZ98onDs/9ag2/n2yGg56LerMjmw+5Zvwqj7Ao/8buhK+ZgyUjdKkP0
95jydXfK/dgtov1JS/gPOgKs59BNtbFH5hMzV+zcwTntusyxscuT3h6vq6yuOpMn
Ii/Uhq9R3rwLhetkV2XlfALXfC68gwu00AlvVSDJXJwkWjK+rfTL/5HWRgCr+3d9
jzLfO3CkqQW8bEpo8XxcrD9G0yq4lydSMrOct/uc1Y8aa5sKTnk4x6vM6YbJByrL
BAf7zqgfLMzmumMZtaf2UQau6vFv8B3MBPBu0SCZcCj7p2Ll+WDnLKTLsxprpRjU
olqdzreUb0TTP4CB9uKopMbiyYyA6d5dkpst9UzjwFB89cfVSFaVV6VAlRrCJ7QF
tn14GER4GwDf/BFl+83gkutUcWHc3b5Q/OUkkeIi7obWCqYJwyRSsE5UeQETQpdY
6wydKVcpn4zQvnc068l3Hw/LPqjj9r/IsttkNGh/BxtfFxq0G79dFBNDrmKnVN/i
yRbye+0r1sd2FBSkz1vb3ePN2elofEjkKDctxTsaPK7EEu1J8BdmjeT+TIDzq9yZ
FINFUOWsYS4=
=fDTt
-----END PGP SIGNATURE-----