Date: Fri, 2 Jul 2010 14:59:27 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request [Microsoft Windows Ruby-v1.9.x] -- Buffer over-run leading to ACE

Please use CVE-2010-2489

Thanks.

-- 
    JB


----- "Jan Lieskovsky" <jlieskov@...hat.com> wrote:

> Hi Steve, vendors,
> 
>    Ruby upstream has released the latest v1.9.1-p429 and v1.9.2 RC1 versions,
>    addressing one security issue, present on Microsoft Windows operating systems
>    where the version of the Ruby language is v1.9.x based:
>      [1] http://www.ruby-lang.org/en/news/2010/07/02/ruby-1-9-1-p429-is-released/
>      [2] http://www.ruby-lang.org/en/news/2010/07/02/ruby-1-9-2-rc1-is-released/
>      [3] http://svn.ruby-lang.org/repos/ruby/tags/v1_9_2_rc1/ChangeLog
> 
> Quoting from [1]:
> 
> <begin quote>
> 
> A security vulnerability that causes a buffer overflow when you assign
> a dangerous value to ARGF.inplace_mode on Windows. It possibly allows an
> attacker to execute arbitrary code.
> 
> The affected versions are:
> 
>      * Ruby 1.9.1 patchlevel 378 and all prior versions.
>      * Ruby 1.9.2 preview 3 and all prior versions.
>      * Development versions of Ruby 1.9 (1.9.3dev).
> 
> I recommend you upgrade your Ruby 1.9 to 1.9.1-p429 or 1.9.2-rc1.
> 
> The vulnerability does not directly affect the Ruby 1.8 series.
> 
> Credit
> 
> The vulnerability was found and reported by Masaya TARUI.
> 
> <end quote>
> 
> Though this is not affecting the Linux version of Ruby, we will need a
> CVE identifier for the purpose of properly tracking it.
> 
> Steve, could you please allocate one?
> 
> Thanks && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
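The advisory above describes the affected API only as "assigning a dangerous value to ARGF.inplace_mode". The following Ruby script is an added example, not code from the advisory, from Ruby upstream or from the mailing list: it shows what ARGF.inplace_mode normally does (the same in-place editing that `ruby -i` performs, with a backup copy at `path + suffix`) and wraps the assignment in a guard that refuses values no legitimate caller needs: suffixes over an assumed 32-byte bound, suffixes containing path separators, and NUL bytes. The helper names (`safe_inplace_suffix?`, `edit_in_place`, `demo`), the 32-byte bound and the sample config file are assumptions made for this example; the only real remedy for affected Windows builds is the upgrade the advisory recommends.

```ruby
require "tmpdir"

# Largest backup suffix this wrapper will pass to ARGF.inplace_mode.
# Assumption made for this example, not a limit taken from Ruby itself.
MAX_INPLACE_SUFFIX_BYTES = 32

# Accept only what a caller legitimately needs for a backup extension:
# nil or "" (edit without a backup) or a short suffix with no path
# separator and no NUL byte. Everything else is refused before it ever
# reaches the interpreter's in-place editing code.
def safe_inplace_suffix?(suffix)
  return true if suffix.nil?
  return false unless suffix.is_a?(String)
  return true if suffix.empty?
  return false if suffix.bytesize > MAX_INPLACE_SUFFIX_BYTES
  return false if suffix.include?("\0")
  return false if suffix =~ %r{[/\\]}
  true
end

# Rewrite +path+ line by line through ARGF, the mechanism `ruby -i` uses.
# A non-empty suffix keeps the original at path + suffix. The block gets
# each line and returns its replacement. Returns the number of lines written.
def edit_in_place(path, suffix)
  unless safe_inplace_suffix?(suffix)
    raise ArgumentError, "refusing in-place suffix #{suffix.inspect}"
  end
  orig_stdout = $stdout
  replacement = nil
  count = 0
  begin
    ARGF.inplace_mode = suffix
    ARGV.replace([path])          # ARGF reads the files named in ARGV
    ARGF.each_line do |line|
      replacement ||= $stdout     # in in-place mode $stdout is the new file
      print yield(line)
      count += 1
    end
  ensure
    ARGF.inplace_mode = nil       # switch in-place editing back off
    $stdout = orig_stdout
    # Flush and close the replacement file if the interpreter left it open.
    if replacement && !replacement.equal?(orig_stdout) && !replacement.closed?
      replacement.close
    end
  end
  count
end

# Constructed sample: a three-line config file in a scratch directory.
# Returns [lines rewritten, edited contents, backup contents].
def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, "app.conf")
    File.write(path, "debug = on\nport = 8080\nhost = example\n")
    lines = edit_in_place(path, ".bak") { |l| l.sub(/^debug = on$/, "debug = off") }
    [lines, File.read(path), File.read(path + ".bak")]
  end
end

if __FILE__ == $0
  n, edited, backup = demo
  puts "rewrote #{n} lines"
  puts "edited file:\n#{edited}"
  puts "backup file:\n#{backup}"
end
```

The guard runs on every platform, so the same wrapper can be used in scripts that are also deployed on Windows; on Linux builds, which the advisory says are not affected, it simply documents the contract the suffix is expected to meet.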
