Ruby State Error May Let Users Bypass Safe Level Restrictions
SecurityTracker Alert ID: 1014948
SecurityTracker URL: http://securitytracker.com/id?1014948
CVE Reference: CVE-2005-2337
Updated: May 11 2006
Original Entry Date: Sep 21 2005
Impact: Execution of arbitrary code via local system, Execution of arbitrary code via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.6 - 1.6.8, 1.8 - 1.8.2
Description: A vulnerability was reported in Ruby. A user may be able to bypass certain security restrictions.
A user can bypass the safe level access restrictions to execute scripting code.
The vulnerability resides in 'eval.c'.
Impact: A user may be able to bypass safe level access restrictions and execute scripting code.
Solution: The vendor has issued a fixed version (1.8.3), available at:
ftp://ftp.ruby-lang.org/pub/ruby/ruby-1.8.3.tar.gz
A patch for version 1.6.8 is also available at:
ftp://ftp.ruby-lang.org/pub/ruby/1.6/1.6.8-patch1.gz
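Added inventory check, not part of the advisory or of Ruby's own tooling: a Ruby helper that classifies a `ruby -v` banner against the affected versions (1.6 - 1.6.8, 1.8 - 1.8.2) and the fixed release (1.8.3) listed above. It reports 1.6.8 separately because the vendor patch is assumed not to change the reported version string, so a bare "1.6.8" cannot prove the patch is absent; the sample banners are constructed.

```ruby
require "rubygems" # Gem::Version; loaded by default on modern Ruby, explicit here

# Affected series from the advisory, as inclusive [low, high] pairs.
AFFECTED_RANGES = [
  [Gem::Version.new("1.6"), Gem::Version.new("1.6.8")],
  [Gem::Version.new("1.8"), Gem::Version.new("1.8.2")],
].freeze

# First fixed release named in the advisory.
FIXED_RELEASE = Gem::Version.new("1.8.3")

# 1.6.8 is fixed by a vendor patch (1.6.8-patch1) that is assumed not to change
# the reported version number, so a bare "1.6.8" cannot prove the fix is missing.
PATCHED_IN_PLACE = Gem::Version.new("1.6.8")

# Pull the version out of a `ruby -v` banner such as
# "ruby 1.8.2 (2004-12-25) [i386-linux]"; returns nil if the banner is not Ruby's.
def parse_ruby_version(banner)
  m = banner.match(/\Aruby\s+(\d+\.\d+(?:\.\d+)?)/)
  m && Gem::Version.new(m[1])
end

# Classify a banner against CVE-2005-2337:
#   :vulnerable   - inside an affected range listed in the advisory
#   :verify_patch - 1.6.8, which is only safe once 1.6.8-patch1 is applied
#   :fixed        - 1.8.3 or later
#   :not_listed   - a version the advisory does not cover (e.g. 1.7.x)
#   :unknown      - banner could not be parsed
def cve_2005_2337_status(banner)
  v = parse_ruby_version(banner)
  return :unknown unless v
  return :verify_patch if v == PATCHED_IN_PLACE
  return :vulnerable if AFFECTED_RANGES.any? { |lo, hi| v >= lo && v <= hi }
  v >= FIXED_RELEASE ? :fixed : :not_listed
end

if __FILE__ == $0
  # Constructed sample banners, not real inventory data.
  [
    "ruby 1.8.2 (2004-12-25) [i386-linux]",
    "ruby 1.6.8 (2002-12-24) [i386-linux]",
    "ruby 1.8.3 (2005-09-21) [i686-linux]",
  ].each { |b| puts "#{b.ljust(40)} => #{cve_2005_2337_status(b)}" }
end
```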
Vendor URL: www.ruby-lang.org/
Cause: Access control error, State error
Underlying OS: Linux (Any), UNIX (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Wed, 21 Sep 2005 08:50:26 -0400
Subject: Ruby vulnerability
Ruby 1.8.2 and prior versions
ftp://ftp.ruby-lang.org/pub/ruby/ruby-1.8.3.tar.gz
A user can bypass the safe_level protections.
The vulnerability resides in 'eval.c'.
CVE: CAN-2005-2337