Date: Wed, 29 Jul 2015 14:48:27 -0700 From: Reed Loden <reed@...dloden.com> To: oss-security@...ts.openwall.com Cc: Assign a CVE Identifier <cve-assign@...re.org>, security@...y-lang.org Subject: Re: CVE request: Two ruby 'dl' vulnerabilities fixed in ruby-1.9.1-p129 On Tue, Jul 28, 2015 at 5:39 AM, Jan Rusnacko <jrusnack@...hat.com> wrote: > On 07/28/2015 11:44 AM, Reed Loden wrote: > > * DL::Function#call could pass tainted arguments to a C function even if > > $SAFE > 0. > > > https://github.com/ruby/ruby/commit/7269e3de3cee3bbb6ab77fc708f3a10cab00b65e > Could this be related to CVE-2013-2065 ? > > > https://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/ For the record, CVE-2013-2065 is https://github.com/ruby/ruby/commit/c7d7ff45f1e0d6fad28e53c02108d4b067e843c3 . ~reed
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.