Date: Fri, 5 Oct 2012 11:26:14 -0400 (EDT)
From: Jan Lieskovsky <>
To: "Steven M. Christey" <>
Cc: Vit Ondruch <>,
        Ruby Security Team <>
Subject: CVE Request -- ruby (1.8.x with patched CVE-2011-1005): Incomplete fix for CVE-2011-1005 for NameError#to_s method when used on objects

Hello Kurt, Steve, vendors,

  Originally, Common Vulnerabilities and Exposures assigned
an identifier of CVE-2011-1005 to the following vulnerability:

The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7
through 1.8.7-330, and 1.8.8dev allows context-dependent
attackers to modify strings via the Exception#to_s method,
as demonstrated by changing an intended pathname.

with the following upstream patch:

Based on a later upstream patch for the different CVE-2012-4464 and CVE-2012-4466 issues:

it was found that the original upstream 1.8.x Ruby patch for the CVE-2011-1005
issue was not complete when the NameError#to_s() method was used on /
with Ruby objects (the test logic in the 'test_to_s_taintness_propagation'
test from [1] was actually reversed {Hint: compare the test for the Ruby
Object cases in both [1] and [2]}, so the test also returned success
on still vulnerable instances).

A different vulnerability than CVE-2011-1005, CVE-2012-4464, and CVE-2012-4466.


This issue was discovered by Vit Ondruch of Red Hat.

The Ruby Security Team previously, in a private email to Vit, confirmed
the (continued) presence of this issue in Ruby 1.8.7 versions and provided
a patch for it:
The behavior of SVN trunk is correct.

The fix for CVE-2011-1005 was insufficient, and NameError#to_s has a
problem in 1.8.7.

Please apply the attached patch for 1.8.7.

-- Shugo Maeda


--- error.c.orig	2012-10-04 23:26:42.000611741 +0900
+++ error.c	2012-10-04 23:26:48.960524245 +0900
@@ -665,9 +665,6 @@
     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
-    if (str != mesg) {
-	OBJ_INFECT(str, mesg);
-    }
     return str;
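Review bot: The hunk cannot be applied from this copy: its header `@@ -665,9 +665,6 @@` promises nine pre-image lines (three of them removed), but only five are visible here, one leading context line, the three `-` lines and `return str;`, so context lines were lost somewhere between the attachment and the archive; take the patch from upstream rather than pasting it from this mail. On the change itself, the three deleted lines are the only place in view where `str` inherits taint from `mesg`, and they did so only for the `str != mesg` case, i.e. when the message object and the string being returned differ; nothing in the hunk records why that propagation is unwanted, so a short comment at the deletion site, or a ChangeLog entry naming CVE-2011-1005 and NameError#to_s, would let a later reader of error.c tell an intentional removal from an accidental one.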


Could you allocate a CVE identifier to this (for those package versions
which have already applied the patch for the original CVE-2011-1005)?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
