CVE-2012-4466
Published 2013-04-25
Priority P4 · medium · CVSS 2.0 score 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
EPSS 2.62% (83.5th percentile)
Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| vendor_redhat | — | 5.0 | MEDIUM | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |
GHSA
GHSA-gm9g-777x-3fp6: Ruby 1
ghsa_unreviewed · 2022-05-17 · CVSS 5.0 · MEDIUM · CVE-2012-4466
Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005.
GHSA
GHSA-gjcp-rx5c-g849: Ruby 1
ghsa_unreviewed · 2022-05-17 · CVSS 5.0 · MEDIUM · CVE-2012-4464
Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the (1) exc_to_s or (2) name_err_to_s API function, which marks the string as tainted, a different vulnerability than CVE-2012-4466. NOTE: this issue might exist because of a CVE-2011-1005 regression.
Ubuntu
Ruby vulnerabilities
vendor_ubuntu · 2012-10-23 · CVSS 5.0 · MEDIUM · CVE-2012-4464
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
Tyler Hicks and Shugo Maeda discovered that Ruby incorrectly allowed untainted strings to be modified in protective safe levels. An attacker could use this flaw to bypass intended access restrictions. USN-1602-1 fixed these vulnerabilities in other Ubuntu releases. This update provides the corresponding updates for Ubuntu 12.10. (CVE-2012-4464, CVE-2012-4466)
Peter Bex discovered that Ruby incorrectly handled file path strings when opening files. An attacker could use this flaw to open or create unexpected files. (CVE-2012-4522)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Ruby vulnerabilities
vendor_ubuntu · 2012-10-23 · CVSS 5.0 · MEDIUM · CVE-2012-4466
Title: Ruby vulnerabilities
Summary: Ruby could allow excessive access in untrusted programs.
USN-1603-1 fixed vulnerabilities in Ruby. This update provides the corresponding updates for Ubuntu 12.10.
Original advisory details:
Shugo Maeda and Vit Ondruch discovered that Ruby incorrectly allowed untainted strings to be modified in protective safe levels. An attacker could use this flaw to bypass intended access restrictions. (CVE-2012-4466, CVE-2012-4481)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Ruby vulnerabilities
vendor_ubuntu · 2012-10-10 · CVSS 5.0 · MEDIUM · CVE-2012-4464
Title: Ruby vulnerabilities
Summary: Ruby could allow excessive access in untrusted programs.
Tyler Hicks and Shugo Maeda discovered that Ruby incorrectly allowed untainted strings to be modified in protective safe levels. An attacker could use this flaw to bypass intended access restrictions. (CVE-2012-4464, CVE-2012-4466)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Ruby vulnerabilities
vendor_ubuntu · 2012-10-10 · CVSS 5.0 · MEDIUM · CVE-2012-4466
Title: Ruby vulnerabilities
Summary: Ruby could allow excessive access in untrusted programs.
Shugo Maeda and Vit Ondruch discovered that Ruby incorrectly allowed untainted strings to be modified in protective safe levels. An attacker could use this flaw to bypass intended access restrictions. (CVE-2012-4466, CVE-2012-4481)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
ruby: safe level bypass via name_err_mesg_to_str()
vendor_redhat · 2012-10-02 · CVSS 5.0 · MEDIUM · CWE-266 · CVE-2012-4466
Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005.
Package: ruby (Red Hat Enterprise Linux 5) - Not affected
Package: ruby (Red Hat Enterprise Linux 6) - Not affected
Red Hat
1.9.3: Possibility to bypass Ruby's $SAFE (level 4) semantics
vendor_redhat · 2012-09-28 · CVSS 5.0 · MEDIUM · CWE-266 · CVE-2012-4464
Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the (1) exc_to_s or (2) name_err_to_s API function, which marks the string as tainted, a different vulnerability than CVE-2012-4466. NOTE: this issue might exist because of a CVE-2011-1005 regression.
Statement: Not vulnerable. This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5 and 6 as they did not provide version 1.9.x, which is the vulnerable version of ruby.
Package: ruby (Red Hat Enterprise Linux 5) - Not affected
Package: ruby (Red Hat Enterprise Linux 6) - Not affected
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-4481 ruby: Incomplete fix for CVE-2011-1005 for NameError#to_s method when used on objects
bugzilla · 2012-10-05 · CVSS 5.0 · MEDIUM · CVE-2012-4481
Originally, Common Vulnerabilities and Exposures assigned an identifier of CVE-2011-1005 to the following vulnerability:
The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.
with the following upstream patch:
[1] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?revision=30903&view=revision
Based on later upstream patch for different (CVE-2012-4464 and CVE-2012-4466) issues:
[2] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
it was found that original upstream 1.8.x ruby patch for CVE-2011-1005
Bugzilla
CVE-2012-4466 ruby: safe level bypass via name_err_mesg_to_str()
bugzilla · 2012-10-03 · CVSS 5.0 · MEDIUM · CVE-2012-4466
Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1005 to the following vulnerability:
The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.
Later it was reported:
[1] http://www.openwall.com/lists/oss-security/2012/10/02/4
that the Ruby name_err_mesg_to_str() method is vulnerable to the similar flaw.
Relevant upstream patch:
[2] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
Discussion:
*** Bug 862906 has been marked as a duplicate of this bug. ***
---
Created ruby tracking bugs for this i
Bugzilla
CVE-2012-4464 CVE-2012-4466 ruby: various flaws [fedora-all]
bugzilla · 2012-10-03 · CVSS 5.0 · MEDIUM · CVE-2012-4464
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the bug IDs of this bug's parent bugs filed against the "Security Response" product (the top-level CVE bugs). Please mention the CVE IDs being fixed in the RPM changelog when available.
Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=862906
Bugzilla
ruby: safe level bypass via name_err_mesg_to_str()
bugzilla · 2012-10-03 · CVSS 5.0 · MEDIUM · CVE-2011-1005
As noted in bug #862598:
Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1005 to the following vulnerability:
The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.
Later it was reported:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689075
[2] http://www.openwall.com/lists/oss-security/2012/10/02/4
that upstream ruby 1.9.1 and ruby 1.9.3 versions are also vulnerable to this flaw.
Relevant upstream patch:
[3] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
There are two issues here:
1) CVE-2011-100
Bugzilla
CVE-2012-4464 ruby 1.9.3: Possibility to bypass Ruby's $SAFE (level 4) semantics
bugzilla · 2012-10-03 · CVSS 5.0 · MEDIUM · CVE-2012-4464
Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1005 to the following vulnerability:
The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.
Later it was reported:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689075
[2] http://www.openwall.com/lists/oss-security/2012/10/02/4
that upstream ruby 1.9.1 and ruby 1.9.3 versions are also vulnerable to this flaw.
Relevant upstream patch:
[3] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
Discussion:
Upstream public reproducer
References:
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089554.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089887.html
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
http://www.mandriva.com/security/advisories?name=MDVSA-2013:124
http://www.openwall.com/lists/oss-security/2012/10/02/4
http://www.openwall.com/lists/oss-security/2012/10/03/9
http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/
https://bugzilla.redhat.com/show_bug.cgi?id=862614
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0294