Date: Tue, 28 Jul 2015 02:44:46 -0700 From: Reed Loden <reed@...dloden.com> To: oss-security@...ts.openwall.com, Assign a CVE Identifier <cve-assign@...re.org>, security@...y-lang.org Subject: CVE request: Two ruby 'dl' vulnerabilities fixed in ruby-1.9.1-p129 https://www.ruby-lang.org/en/news/2009/05/12/ruby-1-9-1-p129-released/ http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/336353 >From the above: * DL::Function#call could pass tainted arguments to a C function even if $SAFE > 0. https://github.com/ruby/ruby/commit/7269e3de3cee3bbb6ab77fc708f3a10cab00b65e * DL::dlopen could open a library with tainted library name even if $SAFE > 0 https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b Doesn't look like either one of these was ever assigned a CVE (please correct me if I'm wrong). These seem to be different issues than CVE-2008-3657. ~reed
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ