First published: Sun Feb 20 2011
A race condition was found in the way the secure implementation of Ruby fileutils' remove system entries method (remove_entry_secure()) removed directory trees. A local attacker could use this flaw to conduct symbolic link attacks, leading to removal of arbitrary files or directories on the system.

References:
[1] http://www.ruby-lang.org/en/news/2011/02/18/fileutils-is-vulnerable-to-symlink-race-attacks/

Upstream patch (against trunk):
[2] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=30896
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Ruby-lang Ruby | =1.9.3-dev | |
Ruby-lang Ruby | =1.9.2 | |
Ruby-lang Ruby | =1.9.1 | |
Ruby-lang Ruby | =1.8.7 | |
Ruby-lang Ruby | =1.8.8-dev | |
Ruby-lang Ruby | =1.8.6 | |
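
The symbolic link attack described above works by replacing a directory between the moment it is checked and the moment it is traversed. The following is an added example, not the upstream patch or Ruby's own code: it records a directory's identity with lstat and refuses to descend when the object actually opened has a different device or inode. The names `EntryChanged`, `open_dir_if_unchanged` and `remove_tree_checked` are hypothetical, and the sample tree is constructed.

```ruby
require 'tmpdir'

# Raised when an entry is not the object that was checked earlier.
class EntryChanged < StandardError; end

# Open +path+ only if it is still the real directory described by +expected+,
# a File::Stat taken earlier with File.lstat. Fails closed on any mismatch.
def open_dir_if_unchanged(path, expected)
  raise EntryChanged, "#{path}: not a real directory" unless expected.directory?
  handle = File.open(path, File::RDONLY)   # follows symlinks, like a naive walk
  actual = handle.stat                     # fstat on the object actually opened
  return handle if actual.dev == expected.dev && actual.ino == expected.ino
  handle.close
  raise EntryChanged, "#{path}: replaced between lstat and open"
end

# Remove a tree without descending through symlinks. Every directory is
# re-verified against its lstat snapshot before its children are listed.
# Path-based checks narrow the race window but cannot close it.
def remove_tree_checked(path)
  st = File.lstat(path)
  unless st.directory?
    File.unlink(path)                      # file or symlink: remove the entry itself
    return
  end
  open_dir_if_unchanged(path, st).close
  Dir.children(path).each { |name| remove_tree_checked(File.join(path, name)) }
  Dir.rmdir(path)
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |tmp|                    # constructed sample tree
    keep = File.join(tmp, 'keep')
    work = File.join(tmp, 'work')
    Dir.mkdir(keep)
    File.write(File.join(keep, 'data.txt'), 'must survive')
    Dir.mkdir(work)
    File.symlink(keep, File.join(work, 'link'))  # symlink inside the tree
    remove_tree_checked(work)
    puts "work removed: #{!File.exist?(work)}, " \
         "keep intact: #{File.exist?(File.join(keep, 'data.txt'))}"
  end
end
```

Because the check and the later directory listing both go through the path, this detects a swap that has already happened but does not replace applying the upstream patch referenced in [2].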