-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin

                   ASB-2012.0141
           Ruby 1.9.3-p286 is released
                  15 October 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Ruby
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Existing Account
                      Create Arbitrary Files          -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-4466 CVE-2012-4464
Member content until: Wednesday, November 14 2012

OVERVIEW

        Multiple vulnerabilities have been fixed in Ruby 1.9.3-p286.

IMPACT

        The following information is available from the vendor's website:

        CVE-2012-4464, CVE-2012-4466:
        "Vulnerabilities found for Exception#to_s, NameError#to_s, and
        name_err_mesg_to_s() which is Ruby interpreter-internal API. A
        malicious user code can bypass $SAFE check by utilizing one of
        those security holes." [1]

        (No CVE):
        "A vulnerability was found that file creation routines can create
        unintended files by strategically inserting NUL(s) in file
        paths." [2]

MITIGATION

        Users should update to the latest version. [3]

REFERENCES

        [1] $SAFE escaping vulnerability about Exception#to_s /
            NameError#to_s (CVE-2012-4464, CVE-2012-4466)
            http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/

        [2] Unintentional file creation caused by inserting a illegal NUL
            character
            http://www.ruby-lang.org/en/news/2012/10/12/poisoned-NUL-byte-vulnerability/

        [3] Ruby 1.9.3-p286 is released
            http://www.ruby-lang.org/en/news/2012/10/12/ruby-1-9-3-p286-is-released/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUHt5Le4yVqjM2NGpAQIVug/+NQg37fBXe2UsEKa7w976FJt1ZVBM3xJ/
t4yYZQU84uhd5/4zxdENfTzIkRT9TZyGPYBRudKdpYfO4q9v1zHGZqJWiaqUMQOQ
pDPivLH4AMZ98onDs/9ag2/n2yGg56LerMjmw+5Zvwqj7Ao/8buhK+ZgyUjdKkP0
95jydXfK/dgtov1JS/gPOgKs59BNtbFH5hMzV+zcwTntusyxscuT3h6vq6yuOpMn
Ii/Uhq9R3rwLhetkV2XlfALXfC68gwu00AlvVSDJXJwkWjK+rfTL/5HWRgCr+3d9
jzLfO3CkqQW8bEpo8XxcrD9G0yq4lydSMrOct/uc1Y8aa5sKTnk4x6vM6YbJByrL
BAf7zqgfLMzmumMZtaf2UQau6vFv8B3MBPBu0SCZcCj7p2Ll+WDnLKTLsxprpRjU
olqdzreUb0TTP4CB9uKopMbiyYyA6d5dkpst9UzjwFB89cfVSFaVV6VAlRrCJ7QF
tn14GER4GwDf/BFl+83gkutUcWHc3b5Q/OUkkeIi7obWCqYJwyRSsE5UeQETQpdY
6wydKVcpn4zQvnc068l3Hw/LPqjj9r/IsttkNGh/BxtfFxq0G79dFBNDrmKnVN/i
yRbye+0r1sd2FBSkz1vb3ePN2elofEjkKDctxTsaPK7EEu1J8BdmjeT+TIDzq9yZ
FINFUOWsYS4=
=fDTt
-----END PGP SIGNATURE-----
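Added illustration, not part of the AusCERT bulletin or of the Ruby project's fix: the NUL-byte issue in reference [2] matters because the C-level file routines stop at the first NUL, so a name that passes a Ruby-side check (for example on its extension) can end up creating a different file. The code below shows the application-side defence of rejecting such names before any file is created, plus a probe that reports whether the running interpreter itself refuses NUL bytes in paths as the patched releases do. The function names (safe_filename?, write_upload, interpreter_rejects_nul?) and the sample inputs are constructed for this example.

```ruby
# Added example, not code from the bulletin or from ruby-lang.org.
# Defensive handling of NUL bytes in user-supplied file names.
require "tmpdir"

# Accept only a plain file name we are willing to create:
# no NUL bytes (a NUL truncates the path at the C level), no directory
# separators, and no "." / ".." components.
def safe_filename?(name)
  return false unless name.is_a?(String)
  return false if name.empty?
  return false if name.include?("\0")          # the poisoned NUL byte
  return false if name.include?("/") || name.include?("\\")
  return false if name == "." || name == ".."
  true
end

# Create +name+ inside +dir+ with +data+; return the path written,
# or nil if the name was rejected (nothing is created in that case).
def write_upload(dir, name, data)
  return nil unless safe_filename?(name)
  path = File.join(dir, name)
  File.open(path, "wb") { |f| f.write(data) }
  path
end

# Probe the interpreter: patched Rubies raise ArgumentError
# ("string contains null byte") for a path containing NUL; an unpatched
# interpreter could silently create "probe.txt" instead.
def interpreter_rejects_nul?(dir)
  File.open(File.join(dir, "probe.txt\0.rb"), "wb") { |f| f.write("x") }
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    # constructed sample inputs
    puts write_upload(dir, "report.txt", "hello").inspect      # a path
    puts write_upload(dir, "report.txt\0.rb", "hello").inspect # nil
    puts interpreter_rejects_nul?(dir)                         # true on patched Ruby
  end
end
```

The name check is deliberately an allow-list on a bare file name rather than a search for known-bad substrings, so it rejects NUL, traversal and separator tricks alike; the interpreter probe is only a sanity check, since the real remedy in the bulletin is to upgrade to 1.9.3-p286 or later.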