Date: Tue, 28 Jul 2015 02:44:46 -0700 From: Reed Loden <reed@...dloden.com> To: oss-security@...ts.openwall.com, Assign a CVE Identifier <cve-assign@...re.org>, security@...y-lang.org Subject: CVE request: Two ruby 'dl' vulnerabilities fixed in ruby-1.9.1-p129 https://www.ruby-lang.org/en/news/2009/05/12/ruby-1-9-1-p129-released/ http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/336353 >From the above: * DL::Function#call could pass tainted arguments to a C function even if $SAFE > 0. https://github.com/ruby/ruby/commit/7269e3de3cee3bbb6ab77fc708f3a10cab00b65e * DL::dlopen could open a library with tainted library name even if $SAFE > 0 https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b Doesn't look like either one of these was ever assigned a CVE (please correct me if I'm wrong). These seem to be different issues than CVE-2008-3657. ~reed
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.