CVE-2011-1005
First published: Sun Feb 20 2011(Updated: )
A security flaw was found in the Ruby method, translating message of the exception into string representation. An attacker could use this flaw to modify arbitrary untainted strings into their tainted equivalents by tricking the safe level mechanism of this method. References: [1] <a href="http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/">http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/</a> Upstream patch (against ruby_1_8 branch): [2] <a href="http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=30903">http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=30903</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ruby-lang Ruby | =1.8.6-420 | |
| Ruby-lang Ruby | =1.8.7-330 | |
| Ruby-lang Ruby | =1.8.7 | |
| Ruby-lang Ruby | =1.8.8-dev | |
| Ruby-lang Ruby | =1.8.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2011/02/21/2
- http://www.openwall.com/lists/oss-security/2011/02/21/5
- http://www.securityfocus.com/bid/46458
- http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/
- https://bugzilla.redhat.com/show_bug.cgi?id=678920
- http://lists.fedoraproject.org/pipermail/package-announce/2011-March/054422.html
- http://secunia.com/advisories/43420
- http://lists.fedoraproject.org/pipermail/package-announce/2011-March/054436.html
- http://www.vupen.com/english/advisories/2011/0539
- http://osvdb.org/70957
- http://secunia.com/advisories/43573
- http://www.redhat.com/support/errata/RHSA-2011-0910.html
- http://www.redhat.com/support/errata/RHSA-2011-0908.html
- http://www.redhat.com/support/errata/RHSA-2011-0909.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:098
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:097
- http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
- http://support.apple.com/kb/HT5281
- http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=30903
- https://access.redhat.com/security/cve/CVE-2011-1005
- https://rhn.redhat.com/errata/RHSA-2011-0908.html
- https://rhn.redhat.com/errata/RHSA-2011-0910.html
- https://rhn.redhat.com/errata/RHSA-2011-0909.html
- collector/nvd-historical
- collector/nvd-index
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/type
- agent/description
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- agent/remedy
- agent/last-modified-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2011-1005
- vendor/ruby-lang
- canonical/ruby-lang ruby
- version/ruby-lang ruby/1.8.6-420
- version/ruby-lang ruby/1.8.7-330
- version/ruby-lang ruby/1.8.7
- version/ruby-lang ruby/1.8.8-dev
- version/ruby-lang ruby/1.8.6