oss-sec mailing list archives
possible CVE-2010 request: Ruby older than 1.9.2 appending current directory to the load path
From: Murray McAllister <mmcallis () redhat com>
Date: Tue, 08 Jul 2014 17:14:46 +1000
Good morning,

CVE-2014-3248 (http://puppetlabs.com/security/cve/cve-2014-3248) describes the following:

"On platforms with Ruby 1.9.1 or earlier, an attacker could have Puppet execute malicious code by convincing a privileged user to change directories to one containing the malicious code and then run Puppet."

The issue in Ruby was fixed here:

https://www.ruby-lang.org/en/news/2010/08/18/ruby-1-9.2-released/

The "$: doesn't include the current direcotry." entry, I guess.

Is a 2010 CVE ID needed for this, or should it only be treated as hardening?

Thanks,

--
Murray McAllister / Red Hat Product Security
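As an added illustration (not part of the original message, and not code from Ruby or Puppet), the following Ruby sketch audits a load path for the condition discussed above: entries that resolve to the current directory. The function name and reason labels are hypothetical, and the relative-path and world-writable checks go beyond the single "." case the message describes.

```ruby
require "pathname"

# Added example; names are hypothetical. Returns the load-path entries that
# let files in the working directory (or a directory anyone can write to)
# satisfy a `require`, which is the pre-1.9.2 "." behaviour discussed above.
def risky_load_path_entries(load_path = $LOAD_PATH, cwd = Dir.pwd)
  cwd_real = File.realpath(cwd)
  findings = []
  load_path.each_with_index do |raw, index|
    entry = raw.to_s
    reason =
      if entry.empty? || entry == "."
        :current_directory            # what Ruby < 1.9.2 appended to $:
      elsif !Pathname.new(entry).absolute?
        :relative                     # resolved against cwd at require time
      elsif File.directory?(entry) && File.realpath(entry) == cwd_real
        :resolves_to_cwd              # absolute path or symlink to cwd
      elsif File.directory?(entry) && File.stat(entry).world_writable?
        :world_writable               # any local user can plant a file
      end
    findings << { index: index, entry: entry, reason: reason } if reason
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  # Audit the running interpreter's own load path.
  findings = risky_load_path_entries
  if findings.empty?
    puts "load path OK (#{$LOAD_PATH.size} entries, Ruby #{RUBY_VERSION})"
  else
    findings.each { |f| puts "$:[#{f[:index]}] #{f[:entry].inspect}: #{f[:reason]}" }
  end
end
```

Running the check from a privileged wrapper before it loads application code reports which `$:` entries would need to be removed or replaced with absolute, root-owned paths.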
Current thread:
- possible CVE-2010 request: Ruby older than 1.9.2 appending current directory to the load path Murray McAllister (Jul 08)
- Re: possible CVE-2010 request: Ruby older than 1.9.2 appending current directory to the load path Shota Fukumori (sora_h) (Jul 08)