<?xml version="1.0" encoding="utf-8"?>
<glsa id="200510-05">
<title>Ruby: Security bypass vulnerability</title>
Ruby is vulnerable to a security bypass of the safe level mechanism.
<product type="ebuild">ruby</product>
<announced>October 06, 2005</announced>
<revised>October 06, 2005: 01</revised>
<package name="dev-lang/ruby" auto="yes" arch="*">
<unaffected range="ge">1.8.3</unaffected>
<vulnerable range="lt">1.8.3</vulnerable>
</package>
Ruby is an interpreted scripting language for quick and easy
object-oriented programming. Ruby supports the safe execution of
untrusted code using a safe level and taint flag mechanism.
Dr. Yutaka Oiwa discovered that Ruby fails to properly enforce
safe level protections.
<impact type="normal">
An attacker could exploit this vulnerability to execute arbitrary
code beyond the restrictions specified in each safe level.
</impact>
There is no known workaround at this time.
All Ruby users should upgrade to the latest version:
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=dev-lang/ruby-1.8.3&quot;</code>
<uri link="">CAN-2005-2337</uri>
<uri link="">Ruby release announcement</uri>
<metadata tag="requester" timestamp="Tue, 04 Oct 2005 12:55:13 +0000">
<metadata tag="bugReady" timestamp="Tue, 04 Oct 2005 12:55:25 +0000">
<metadata tag="submitter" timestamp="Tue, 04 Oct 2005 18:17:21 +0000">