CVE-2012-4522

Priority
Medium
Description
The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel
286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to
create files in unexpected locations or with unexpected names via a NUL
byte in a file path.
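The defensive counterpart to this bug, as an added example that is not part of the tracker entry or of Ruby's own code: application code should reject NUL bytes in any path before handing it to the File API, because on a vulnerable interpreter the C-level path handling silently truncated at the first NUL, so "foo\0bar" became "foo". The helper names (nul_free_path?, check_path!, open_checked, interpreter_nul_behaviour) are hypothetical; the probe function reports whether the running Ruby now raises ArgumentError as the fixed releases do.

```ruby
require "tmpdir"

# Reject any path containing a NUL byte. On Ruby before 1.9.3p286 / r37163
# the C-level path conversion stopped at the first NUL, so "foo\0bar"
# would have created a file named "foo".
def nul_free_path?(path)
  !path.include?("\0")
end

# Fail loudly instead of letting the path be truncated; returns the path.
def check_path!(path)
  raise ArgumentError, "path contains NUL byte: #{path.inspect}" unless nul_free_path?(path)
  path
end

# Open a file only after validation; returns whatever the block returns.
def open_checked(path, mode = "r", &block)
  File.open(check_path!(path), mode, &block)
end

# Probe the running interpreter inside a throw-away directory and report
# :raised (fixed behaviour: ArgumentError), :truncated (the vulnerable
# outcome: a file called "foo" appeared) or :other.
def interpreter_nul_behaviour
  Dir.mktmpdir do |dir|
    attempted = "#{dir}/foo\0bar"   # constructed sample path from the note above
    begin
      File.open(attempted, "w") { |f| f.puts "hai" }
    rescue ArgumentError
      return :raised
    end
    return :truncated if File.exist?("#{dir}/foo")
    :other
  end
end

if __FILE__ == $0
  puts nul_free_path?("report.txt")   # true
  puts nul_free_path?("foo\0bar")     # false
  puts interpreter_nul_behaviour      # :raised on a fixed Ruby
end
```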
References
Notes
 sarnold> open("foo\0bar", "w") { |f| f.puts "hai" } # look for 'foo'
Assigned-to
tyhicks
Package
Upstream:needs-triage
Ubuntu 12.04 LTS (Precise Pangolin):not-affected (1.8.7.352-2ubuntu1.1 tested)
Package
Upstream:released (1.9.3 patchlevel 286)
Ubuntu 12.04 LTS (Precise Pangolin):DNE
Package
Upstream:released (1.9.3 patchlevel 286)
Ubuntu 12.04 LTS (Precise Pangolin):released (1.9.3.0-1ubuntu2.4)
Patches:
Upstream:http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37164 (1.9.3 branch)
More Information


Updated: 2015-07-29 20:40:57 UTC (commit 9756)