RHSA-2011:0910-01 -- Redhat rubyID: oval:org.secpod.oval:def:500035 | Date: (C)2012-01-31 (M)2023-12-07 |
Class: PATCH | Family: unix |
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. A flaw was found in the way large amounts of memory were allocated on 64-bit systems when using the BigDecimal class. A context-dependent attacker could use this flaw to cause memory corruption, causing a Ruby application that uses the BigDecimal class to crash or, possibly, execute arbitrary code. This issue did not affect 32-bit systems. A race condition flaw was found in the remove system entries method in the FileUtils module. If a local user ran a Ruby script that uses this method, a local attacker could use this flaw to delete arbitrary files and directories accessible to that user via a symbolic link attack. A flaw was found in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted code to modify arbitrary, trusted strings, which safe level 4 restrictions would otherwise prevent. Red Hat would like to thank Drew Yao of Apple Product Security for reporting the CVE-2011-0188 issue. All Ruby users should upgrade to these updated packages, which contain backported patches to resolve these issues.
Platform: |
Red Hat Enterprise Linux 6 |