possible CVE-2010 request: Ruby older than 1.9.2 appending current directory to the load path

[Murray McAllister <mmcallis () redhat com>]

Good morning,

CVE-2014-3248 (http://puppetlabs.com/security/cve/cve-2014-3248)
describes the following:

"On platforms with Ruby 1.9.1 or earlier, an attacker could have Puppet
execute malicious code by convincing a privileged user to change
directories to one containing the malicious code and then run Puppet."

The issue in Ruby was fixed here:

https://www.ruby-lang.org/en/news/2010/08/18/ruby-1-9.2-released/

The "$: doesn't include the current direcotry." entry, I guess.

Is a 2010 CVE ID needed for this, or should it only be treated as hardening?

Thanks,

--
Murray McAllister / Red Hat Product Security