From Mageia wiki

MGASA-2013-0155

Date: May 25th, 2013
Affected releases: 3
Media: Core


Description:
Updated ruby packages fix security vulnerability:

DL and Fiddle in Ruby before 1.9.3p429 let tainted strings reach native
code regardless of the $SAFE level set in Ruby. Native functions exposed to
Ruby through DL or Fiddle do not check the taint flag on the objects passed
to them, so a tainted object is accepted as an argument where the $SAFE
rules require a SecurityError exception to be raised (CVE-2013-2065).
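The following is an added example, not code from Mageia or from the Ruby project, that shows the difference between the vulnerable and the fixed behaviour. Current Ruby (3.2 and later) no longer has $SAFE or Object#taint, so the example keeps a small taint registry of its own and a safe_level attribute in their place; the guard is modelled on the fix and assumes the $SAFE=1 rule that tainted data may not be handed to dangerous operations. The native function is libc's strlen(3), bound through Fiddle; the GuardedFunction wrapper, the untrusted_input string and native_strlen are constructed for the example.

```ruby
require 'fiddle'

# Minimal stand-in for Ruby's old taint tracking (assumption of this example:
# Ruby 3.2+ removed Object#taint/#tainted? and $SAFE). The flag lives in an
# identity-keyed registry and the safe level in a module attribute.
module TaintGuard
  @tainted = {}.compare_by_identity
  @safe_level = 0

  class << self
    attr_accessor :safe_level

    # Mark an object as coming from an untrusted source (socket, ARGV, file).
    def taint(obj)
      @tainted[obj] = true
      obj
    end

    def tainted?(obj)
      @tainted.key?(obj)
    end
  end
end

# Wraps a Fiddle::Function. #unchecked_call reproduces the pre-p429 behaviour
# (arguments reach native code regardless of taint). #call reproduces the fix:
# at safe level >= 1 any tainted argument raises SecurityError before the
# native function is entered.
class GuardedFunction
  def initialize(fn)
    @fn = fn
  end

  def unchecked_call(*args)
    @fn.call(*args)
  end

  def call(*args)
    if TaintGuard.safe_level >= 1
      args.each_with_index do |arg, i|
        if TaintGuard.tainted?(arg)
          raise SecurityError, "tainted argument ##{i} passed to native function"
        end
      end
    end
    @fn.call(*args)
  end
end

# Bind libc's strlen(3) through Fiddle. dlopen(nil) returns the running
# process itself, in which libc's symbols are already resolvable.
LIBC   = Fiddle.dlopen(nil)
STRLEN = GuardedFunction.new(
  Fiddle::Function.new(LIBC['strlen'], [Fiddle::TYPE_VOIDP], Fiddle::TYPE_SIZE_T)
)

# Constructed untrusted input, standing in for data read from a socket or ARGV.
def untrusted_input
  TaintGuard.taint('/etc/passwd'.dup)
end

# Returns the native result, or the SecurityError the guard raised.
def native_strlen(str, safe_level:, fixed:)
  TaintGuard.safe_level = safe_level
  fixed ? STRLEN.call(str) : STRLEN.unchecked_call(str)
rescue SecurityError => e
  e
end

if $PROGRAM_NAME == __FILE__
  puts native_strlen('hello', safe_level: 1, fixed: true)          # trusted data: 5
  puts native_strlen(untrusted_input, safe_level: 1, fixed: false) # vulnerable path: 11
  puts native_strlen(untrusted_input, safe_level: 1, fixed: true)  # fixed path: SecurityError
end
```

The unchecked path is the point of the advisory: the tainted string is handed to native code with no error, and whatever that native function does with it (here only strlen, in a real program anything from system(3) to open(2)) happens at the process's full privilege. The checked path refuses the call at the Ruby/native boundary, which is where the taint model has to enforce its rule because native code cannot see the flag at all.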


Updated Packages:
i586:
libruby1.9-1.9.3.p429-1.mga3.i586.rpm
ruby-1.9.3.p429-1.mga3.i586.rpm
ruby-devel-1.9.3.p429-1.mga3.i586.rpm
ruby-doc-1.9.3.p429-1.mga3.noarch.rpm
ruby-irb-1.9.3.p429-1.mga3.noarch.rpm
ruby-tk-1.9.3.p429-1.mga3.i586.rpm
ruby-debuginfo-1.9.3.p429-1.mga3.i586.rpm

x86_64:
lib64ruby1.9-1.9.3.p429-1.mga3.x86_64.rpm
ruby-1.9.3.p429-1.mga3.x86_64.rpm
ruby-devel-1.9.3.p429-1.mga3.x86_64.rpm
ruby-doc-1.9.3.p429-1.mga3.noarch.rpm
ruby-irb-1.9.3.p429-1.mga3.noarch.rpm
ruby-tk-1.9.3.p429-1.mga3.x86_64.rpm
ruby-debuginfo-1.9.3.p429-1.mga3.x86_64.rpm

SRPMS:
ruby-1.9.3.p429-1.mga3.src.rpm


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2065
http://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/
https://bugs.mageia.org/show_bug.cgi?id=10135