CVE-2012-4466

Priority
Medium
Description
Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0
before revision r37068 allow context-dependent attackers to bypass
safe-level restrictions and modify untainted strings via the
name_err_mesg_to_str API function, which marks the string as tainted, a
different vulnerability than CVE-2011-1005.
References
Bugs
Notes
tyhicks> affects 1.8.x, as well as 1.9.3-p0 and newer
Assigned-to
tyhicks
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):ignored (reached end-of-life)
Ubuntu 10.04 LTS (Lucid Lynx):released (1.8.7.249-2ubuntu0.2)
Ubuntu 11.10 (Oneiric Ocelot):released (1.8.7.352-2ubuntu0.2)
Ubuntu 12.04 LTS (Precise Pangolin):released (1.8.7.352-2ubuntu1.1)
Ubuntu 12.10 (Quantal Quetzal):released (1.8.7.358-4ubuntu0.1)
Ubuntu 13.04 (Raring Ringtail):released (1.8.7.358-6ubuntu1)
Patches:
Upstream:http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068 (last hunk in error.c diff)
Package
Upstream:not-affected
Ubuntu 8.04 LTS (Hardy Heron):not-affected
Ubuntu 10.04 LTS (Lucid Lynx):not-affected
Ubuntu 11.10 (Oneiric Ocelot):DNE
Ubuntu 12.04 LTS (Precise Pangolin):DNE
Ubuntu 12.10 (Quantal Quetzal):DNE
Ubuntu 13.04 (Raring Ringtail):DNE
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):DNE
Ubuntu 10.04 LTS (Lucid Lynx):not-affected
Ubuntu 11.10 (Oneiric Ocelot):not-affected (1.9.2.290-2)
Ubuntu 12.04 LTS (Precise Pangolin):released (1.9.3.0-1ubuntu2.3)
Ubuntu 12.10 (Quantal Quetzal):released (1.9.3.194-1ubuntu1.1)
Ubuntu 13.04 (Raring Ringtail):released (1.9.3.194-1ubuntu1.1)
Patches:
Upstream:http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068 (last hunk in error.c diff)
More Information


Updated: 2013-05-01 19:14:49 UTC (commit 6792)