CVE-2012-4466
Published: 3 October 2012
Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005.
Notes
| Author | Note |
|---|---|
| tyhicks | affects 1.8.x, as well as 1.9.3-p0 and newer |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
ruby1.8 Launchpad, Ubuntu, Debian |
hardy |
Ignored
(end of life)
|
| lucid |
Released
(1.8.7.249-2ubuntu0.2)
|
|
| natty |
Released
(1.8.7.302-2ubuntu0.2)
|
|
| oneiric |
Released
(1.8.7.352-2ubuntu0.2)
|
|
| precise |
Released
(1.8.7.352-2ubuntu1.1)
|
|
| quantal |
Released
(1.8.7.358-4ubuntu0.1)
|
|
| upstream |
Needs triage
|
|
|
Patches: upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068 |
||
|
ruby1.9 Launchpad, Ubuntu, Debian |
hardy |
Not vulnerable
|
| lucid |
Not vulnerable
|
|
| maverick |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| upstream |
Not vulnerable
|
|
|
ruby1.9.1 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Not vulnerable
|
|
| natty |
Not vulnerable
|
|
| oneiric |
Not vulnerable
(1.9.2.290-2)
|
|
| precise |
Released
(1.9.3.0-1ubuntu2.3)
|
|
| quantal |
Released
(1.9.3.194-1ubuntu1.1)
|
|
| upstream |
Needs triage
|
|
|
Patches: upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068 |
||
References
- http://www.openwall.com/lists/oss-security/2012/10/03
- http://www.openwall.com/lists/oss-security/2012/10/03/9
- https://ubuntu.com/security/notices/USN-1602-1
- https://ubuntu.com/security/notices/USN-1603-1
- https://ubuntu.com/security/notices/USN-1614-1
- https://ubuntu.com/security/notices/USN-1603-2
- https://www.cve.org/CVERecord?id=CVE-2012-4466
- NVD
- Launchpad
- Debian