CVE-2012-4464
Priority
Medium
Description
Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows
context-dependent attackers to bypass safe-level restrictions and modify
untainted strings via the (1) exc_to_s or (2) name_err_to_s API function,
which marks the string as tainted, a different vulnerability than
CVE-2012-4466. NOTE: this issue might exist because of a CVE-2011-1005
regression.
context-dependent attackers to bypass safe-level restrictions and modify
untainted strings via the (1) exc_to_s or (2) name_err_to_s API function,
which marks the string as tainted, a different vulnerability than
CVE-2012-4466. NOTE: this issue might exist because of a CVE-2011-1005
regression.
References
Notes
mdeslaur> affects 1.9.3p0 and newer
Assigned-to
tyhicks
Package
| Upstream: | needed |
| Ubuntu 8.04 LTS (Hardy Heron): | ignored (reached end-of-life) |
| Ubuntu 10.04 LTS (Lucid Lynx): | not-affected |
| Ubuntu 11.10 (Oneiric Ocelot): | not-affected |
| Ubuntu 12.04 LTS (Precise Pangolin): | not-affected |
| Ubuntu 12.10 (Quantal Quetzal): | not-affected |
| Ubuntu 13.04 (Raring Ringtail): | not-affected |
Package
| Upstream: | needs-triage |
| Ubuntu 8.04 LTS (Hardy Heron): | not-affected |
| Ubuntu 10.04 LTS (Lucid Lynx): | not-affected |
| Ubuntu 11.10 (Oneiric Ocelot): | DNE |
| Ubuntu 12.04 LTS (Precise Pangolin): | DNE |
| Ubuntu 12.10 (Quantal Quetzal): | DNE |
| Ubuntu 13.04 (Raring Ringtail): | DNE |
Package
| Upstream: | needs-triage |
| Ubuntu 8.04 LTS (Hardy Heron): | DNE |
| Ubuntu 10.04 LTS (Lucid Lynx): | not-affected (1.9.1.378-1) |
| Ubuntu 11.10 (Oneiric Ocelot): | not-affected (1.9.2.290-2) |
| Ubuntu 12.04 LTS (Precise Pangolin): | released (1.9.3.0-1ubuntu2.3) |
| Ubuntu 12.10 (Quantal Quetzal): | released (1.9.3.194-1ubuntu1.1) |
| Ubuntu 13.04 (Raring Ringtail): | released (1.9.3.194-1ubuntu1.1) |
Patches:
| Upstream: | http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068 (first 2 hunks of error.c diff) |