Date: Tue, 21 Jul 2009 20:57:16 +0200 From: Jan Lieskovsky <jlieskov@...hat.com> To: "Steven M. Christey" <coley@...us.mitre.org> Cc: oss-security@...ts.openwall.com Subject: CVE Request -- RubyGems Hello Steve, vendors, a potential system integrity violation flaw was found in the way RubyGems used to handle it's external Gem archives. A remote attacker could provide a specially-crafted Gem (POSIX tar) archive, which once opened by an unsuspecting user, would overwrite relevant system file. References: ---------- http://bugs.gentoo.org/show_bug.cgi?id=278566 http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/24472 http://redmine.ruby-lang.org/issues/show/1800 Credit: Kazuhiro NISHIYAMA ------- Affected versions: Issue reported in RubyGems-1.3.4, ----------------- but confirmed also in RubyGems-1.3.1. Could you please allocate a new CVE identifier for it? Thanks && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.