Date: Wed, 29 Jul 2015 14:48:27 -0700
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com
Cc: Assign a CVE Identifier <cve-assign@...re.org>, security@...y-lang.org
Subject: Re: CVE request: Two ruby 'dl' vulnerabilities fixed
 in ruby-1.9.1-p129

On Tue, Jul 28, 2015 at 5:39 AM, Jan Rusnacko <jrusnack@...hat.com> wrote:

> On 07/28/2015 11:44 AM, Reed Loden wrote:
> > * DL::Function#call could pass tainted arguments to a C function even if
> > $SAFE > 0.
> >
> https://github.com/ruby/ruby/commit/7269e3de3cee3bbb6ab77fc708f3a10cab00b65e
> Could this be related to CVE-2013-2065 ?
> https://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/

For the record, CVE-2013-2065 is
https://github.com/ruby/ruby/commit/c7d7ff45f1e0d6fad28e53c02108d4b067e843c3.

~reed
