CVE-2013-2065

Priority
Low
Description
(1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0
before 2.0.0 patchlevel 195, do not perform taint checking for native
functions, which allows context-dependent attackers to bypass intended
$SAFE level restrictions.
References
Notes
mdeslaur> only affects 1.9+
Assigned-to
mdeslaur
Package
Upstream:not-affected
Ubuntu 10.04 LTS (Lucid Lynx):ignored (reached end-of-life)
Ubuntu 12.04 LTS (Precise Pangolin):not-affected
Ubuntu 12.10 (Quantal Quetzal):not-affected
Ubuntu 13.04 (Raring Ringtail):not-affected
Ubuntu 13.10 (Saucy Salamander):not-affected
Ubuntu 14.04 LTS (Trusty Tahr):not-affected
Package
Upstream:released (1.9.3.426)
Ubuntu 10.04 LTS (Lucid Lynx):ignored (reached end-of-life)
Ubuntu 12.04 LTS (Precise Pangolin):released (1.9.3.0-1ubuntu2.8)
Ubuntu 12.10 (Quantal Quetzal):released (1.9.3.194-1ubuntu1.6)
Ubuntu 13.04 (Raring Ringtail):released (1.9.3.194-8.1ubuntu1.2)
Ubuntu 13.10 (Saucy Salamander):released (1.9.3.194-8.1ubuntu2.1)
Ubuntu 14.04 LTS (Trusty Tahr):not-affected (1.9.3.448-1ubuntu1)
Patches:
Upstream:http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=40732 (1.9.x)
Upstream:http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=40728 (trunk + test)
Package
Upstream:released (2.0.0.195)
Ubuntu 10.04 LTS (Lucid Lynx):DNE
Ubuntu 12.04 LTS (Precise Pangolin):DNE
Ubuntu 12.10 (Quantal Quetzal):DNE
Ubuntu 13.04 (Raring Ringtail):DNE
Ubuntu 13.10 (Saucy Salamander):not-affected (2.0.0.299-2)
Ubuntu 14.04 LTS (Trusty Tahr):not-affected (2.0.0.343-1)
More Information

Updated: 2013-11-27 18:14:41 UTC (commit 7488)