oss-sec mailing list archives
Re: possible CVE-2010 request: Ruby older than 1.9.2 appending current directory to the load path
From: "Shota Fukumori (sora_h)" <her () sorah jp>
Date: Tue, 8 Jul 2014 16:26:32 +0900
I guess the change (committed r23816 in our svn repository,) is not a security issue (just a hardening). so I think it shouldn't need CVE ID. Thoughts? > security () ruby-lang org On Tue, Jul 8, 2014 at 4:14 PM, Murray McAllister <mmcallis () redhat com> wrote:
Good morning, CVE-2014-3248 (http://puppetlabs.com/security/cve/cve-2014-3248) describes the following: "On platforms with Ruby 1.9.1 or earlier, an attacker could have Puppet execute malicious code by convincing a privileged user to change directories to one containing the malicious code and then run Puppet." The issue in Ruby was fixed here: https://www.ruby-lang.org/en/news/2010/08/18/ruby-1-9.2-released/ The "$: doesn't include the current direcotry." entry, I guess. Is a 2010 CVE ID needed for this, or should it only be treated as hardening? Thanks, -- Murray McAllister / Red Hat Product Security
-- Shota Fukumori a.k.a. @sora_h http://sorah.jp/
Current thread:
- possible CVE-2010 request: Ruby older than 1.9.2 appending current directory to the load path Murray McAllister (Jul 08)
- Re: possible CVE-2010 request: Ruby older than 1.9.2 appending current directory to the load path Shota Fukumori (sora_h) (Jul 08)