Date: Fri, 02 Jul 2010 15:39:46 +0200
From: Jan Lieskovsky <>
To: "Steven M. Christey" <>
CC: oss-security <>
Subject: CVE Request [Microsoft Windows Ruby-v1.9.x] -- Buffer over-run leading to ACE

Hi Steve, vendors,

   Ruby upstream has released the latest v1.9.1-p429 and v1.9.2 RC1 versions, addressing one
   security issue present on Microsoft Windows operating systems where the installed Ruby
   language version is v1.9.x based:

Quoting from [1]:

<begin quote>

A security vulnerability that causes a buffer overflow when you assign
a dangerous value to ARGF.inplace_mode on Windows. It possibly allows an
attacker to execute arbitrary code.

The affected versions are:

     * Ruby 1.9.1 patchlevel 378 and all prior versions.
     * Ruby 1.9.2 preview 3 and all prior versions.
     * Development versions of Ruby 1.9 (1.9.3dev).

I recommend that you upgrade your Ruby 1.9 to 1.9.1-p429 or 1.9.2-rc1.

The vulnerability does not directly affect the Ruby 1.8 series.

The vulnerability was found and reported by Masaya TARUI.

<end quote>

Though this does not affect the Linux version of Ruby, we will need a CVE identifier
for the purpose of properly tracking it.

Steve, could you please allocate one?

Thanks && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
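The mechanism named in the quoted advisory, as an added example that is not part of the original message or of Ruby's own code: ARGF.inplace_mode renames each input file to its name plus the suffix and redirects $stdout into a fresh file at the original path while ARGF iterates, so the suffix is appended to file names inside the interpreter, which is where the affected Windows builds overrun their buffer. The script below performs an in-place edit the way `ruby -i<suffix>` does and keeps the suffix behind a validation check. The suffix policy (SUFFIX_RE and its 16-character limit), the helper names and the constructed input file are assumptions chosen for illustration; such a check only keeps untrusted values away from the sink, it does not repair the overflow in the affected versions, for which the upgrade above is the fix.

```ruby
require "rbconfig"
require "tmpdir"

# Hypothetical policy for the in-place backup suffix (an assumption, not taken
# from the advisory): a leading dot followed by 1-16 characters from a
# conservative set. The suffix is appended to every input file name to form the
# backup name, so it is treated as trusted configuration: short, no path
# separators, no whitespace or shell metacharacters.
SUFFIX_RE = /\A\.[A-Za-z0-9_-]{1,16}\z/

def valid_inplace_suffix?(suffix)
  suffix.is_a?(String) && suffix.match?(SUFFIX_RE)
end

# Edit +path+ in place the way `ruby -i<suffix>` does: ARGF renames the
# original file to path + suffix and redirects $stdout into a new file at
# +path+ while it iterates. The edit runs in a child ruby because ARGF and
# $stdout are process-global state. Returns true when the child exits 0.
def inplace_upcase(path, suffix)
  unless valid_inplace_suffix?(suffix)
    raise ArgumentError, "rejected in-place suffix: #{suffix.inspect}"
  end

  script = <<~RUBY
    ARGF.inplace_mode = ARGV.shift   # suffix is the first argument
    ARGF.each_line { |line| print line.upcase }
  RUBY
  system(RbConfig.ruby, "-e", script, suffix, path)
end

# Self-contained demonstration on a constructed input file.
def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, "notes.txt")
    File.write(path, "alpha\nbeta\n")   # constructed sample input

    ok = inplace_upcase(path, ".bak")
    edited = File.read(path)            # rewritten in place
    backup = File.read(path + ".bak")   # original, renamed by ARGF

    # Overlong, path-like or whitespace-bearing suffixes never reach ARGF.
    candidates = [".#{'A' * 300}", "../x", ".bak\n", ""]
    rejected = candidates.map { |s| valid_inplace_suffix?(s) }

    { ok: ok, edited: edited, backup: backup, rejected: rejected }
  end
end
```

The suffix is passed to the child as a separate argv element and read back with ARGV.shift, so it is never interpolated into the script text; the only place it is used is the ARGF.inplace_mode assignment itself.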
