Date: Wed, 29 Jul 2015 14:48:27 -0700 From: Reed Loden <reed@...dloden.com> To: oss-security@...ts.openwall.com Cc: Assign a CVE Identifier <cve-assign@...re.org>, security@...y-lang.org Subject: Re: CVE request: Two ruby 'dl' vulnerabilities fixed in ruby-1.9.1-p129 On Tue, Jul 28, 2015 at 5:39 AM, Jan Rusnacko <jrusnack@...hat.com> wrote: > On 07/28/2015 11:44 AM, Reed Loden wrote: > > * DL::Function#call could pass tainted arguments to a C function even if > > $SAFE > 0. > > > https://github.com/ruby/ruby/commit/7269e3de3cee3bbb6ab77fc708f3a10cab00b65e > Could this be related to CVE-2013-2065 ? > > > https://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/ For the record, CVE-2013-2065 is https://github.com/ruby/ruby/commit/c7d7ff45f1e0d6fad28e53c02108d4b067e843c3 . ~reed
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ