Re: possible CVE-2010 request: Ruby older than 1.9.2 appending current directory to the load path

["Shota Fukumori (sora_h)" <her () sorah jp>]

I guess the change (committed r23816 in our svn repository,) is not a
security issue (just a hardening).

so I think it shouldn't need CVE ID.

Thoughts? > security () ruby-lang org

On Tue, Jul 8, 2014 at 4:14 PM, Murray McAllister <mmcallis () redhat com> wrote:
> Good morning,
>
> CVE-2014-3248 (http://puppetlabs.com/security/cve/cve-2014-3248)
> describes the following:
>
> "On platforms with Ruby 1.9.1 or earlier, an attacker could have Puppet
> execute malicious code by convincing a privileged user to change
> directories to one containing the malicious code and then run Puppet."
>
> The issue in Ruby was fixed here:
>
> https://www.ruby-lang.org/en/news/2010/08/18/ruby-1-9.2-released/
>
> The "$: doesn't include the current direcotry." entry, I guess.
>
> Is a 2010 CVE ID needed for this, or should it only be treated as hardening?
>
> Thanks,
>
> --
> Murray McAllister / Red Hat Product Security



-- 
Shota Fukumori a.k.a. @sora_h http://sorah.jp/