SUSE-SU-2013:0435-1: moderate: Security update for ruby

sle-security-updates at lists.suse.com
Tue Mar 12 11:04:49 MDT 2013


   SUSE Security Update: Security update for ruby
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0435-1
Rating:             moderate
References:         #783525 
Cross-References:   CVE-2012-4522
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:


   The ruby interpreter received a fix for a security issue:

   * CVE-2012-4466:

   Ruby's $SAFE mechanism enables untrusted user code to run
   in $SAFE >= 4 mode. This is a kind of sandbox: some
   operations are restricted in that mode to protect data
   outside the sandbox.

   The problem found was in this mechanism. Exception#to_s,
   NameError#to_s, and the interpreter-internal
   name_err_mesg_to_s() API did not correctly handle the
   $SAFE bits, so a String object that is not tainted could
   destructively be marked as tainted through them. Using
   this, untrusted code in a sandbox can destructively modify
   a formerly untainted string.

   http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/

   Security Issue references:

   * CVE-2012-4522
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4522>


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-ruby-7386

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-ruby-7386

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-ruby-7386

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-ruby-7386

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      ruby-devel-1.8.7.p357-0.9.9.1
      ruby-doc-html-1.8.7.p357-0.9.9.1
      ruby-doc-ri-1.8.7.p357-0.9.9.1
      ruby-examples-1.8.7.p357-0.9.9.1
      ruby-test-suite-1.8.7.p357-0.9.9.1
      ruby-tk-1.8.7.p357-0.9.9.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):

      ruby-1.8.7.p357-0.9.9.1
      ruby-doc-html-1.8.7.p357-0.9.9.1
      ruby-tk-1.8.7.p357-0.9.9.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      ruby-1.8.7.p357-0.9.9.1
      ruby-doc-html-1.8.7.p357-0.9.9.1
      ruby-tk-1.8.7.p357-0.9.9.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):

      ruby-1.8.7.p357-0.9.9.1
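
   The following Ruby script is an added example and is not part of the
   SUSE advisory or of the ruby package. It checks whether the installed
   ruby packages on a host are at or above the fixed versions listed
   above, using an rpmvercmp-style version comparison (numeric and
   alphabetic runs compared in turn, a numeric run sorting after an
   alphabetic one, separators ignored; tilde/caret pre-release ordering
   is left out). It assumes input in the form produced by
   `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' ruby ruby-devel ruby-tk`;
   the sample output embedded in the script is constructed, not taken
   from a real system.

```ruby
# Added example (not SUSE's code): verify that the ruby packages on a host
# are at or above the fixed versions from SUSE-SU-2013:0435-1.

# Fixed version-release strings, taken from the advisory's Package List.
FIXED_VERSIONS = {
  "ruby"       => "1.8.7.p357-0.9.9.1",
  "ruby-devel" => "1.8.7.p357-0.9.9.1",
  "ruby-tk"    => "1.8.7.p357-0.9.9.1",
}.freeze

# Compare two RPM version (or release) strings the way rpmvercmp does:
# walk both strings in alternating numeric and alphabetic runs, compare
# numeric runs by value and alphabetic runs lexically, treat a numeric run
# as newer than an alphabetic one, and ignore separator characters.
# Returns -1, 0 or 1. Tilde/caret pre-release ordering is not modelled.
def rpm_vercmp(a, b)
  return 0 if a == b
  sa, sb = a.dup, b.dup
  loop do
    sa.sub!(/\A[^A-Za-z0-9]+/, "")   # drop separators such as "." or "_"
    sb.sub!(/\A[^A-Za-z0-9]+/, "")
    break if sa.empty? || sb.empty?
    if sa =~ /\A\d/
      seg_a = sa.slice!(/\A\d+/)
      seg_b = sb.slice!(/\A\d+/)
      return 1 if seg_b.nil?          # numeric run sorts after alphabetic run
      seg_a = seg_a.sub(/\A0+(?=\d)/, "")
      seg_b = seg_b.sub(/\A0+(?=\d)/, "")
      cmp = seg_a.length <=> seg_b.length   # longer digit run is larger
      cmp = seg_a <=> seg_b if cmp == 0
    else
      seg_a = sa.slice!(/\A[A-Za-z]+/)
      seg_b = sb.slice!(/\A[A-Za-z]+/)
      return -1 if seg_b.nil?         # alphabetic run sorts before numeric run
      cmp = seg_a <=> seg_b
    end
    return cmp unless cmp == 0
  end
  return 0 if sa.empty? && sb.empty?
  sa.empty? ? -1 : 1                  # whichever string has data left is newer
end

# Split "epoch:version-release" (epoch optional) into [epoch, version, release].
def parse_evr(evr)
  epoch = "0"
  epoch, evr = evr.split(":", 2) if evr.include?(":")
  version, release = evr.split("-", 2)
  [epoch, version, release || ""]
end

# Compare two full EVR strings: epoch first, then version, then release.
def evr_cmp(a, b)
  ea, va, ra = parse_evr(a)
  eb, vb, rb = parse_evr(b)
  c = rpm_vercmp(ea, eb)
  c = rpm_vercmp(va, vb) if c == 0
  c = rpm_vercmp(ra, rb) if c == 0
  c
end

# Given "NAME VERSION-RELEASE" lines (the rpm --qf format named above),
# return the names of listed packages still below their fixed version.
def unpatched_packages(rpm_output, fixed = FIXED_VERSIONS)
  rpm_output.lines.each_with_object([]) do |line, out|
    name, evr = line.split
    next unless name && evr && fixed.key?(name)
    out << name if evr_cmp(evr, fixed[name]) < 0
  end
end

# Constructed sample output (not from a real host): ruby is one release
# behind the fix, ruby-devel is exactly at it, ruby-tk is one release past it.
SAMPLE_RPM_OUTPUT = <<~OUT
  ruby 1.8.7.p357-0.9.8.1
  ruby-devel 1.8.7.p357-0.9.9.1
  ruby-tk 1.8.7.p357-0.9.10.1
OUT

if __FILE__ == $0
  input = ARGV.empty? ? SAMPLE_RPM_OUTPUT : ARGF.read
  missing = unpatched_packages(input)
  if missing.empty?
    puts "all listed ruby packages are at or above the fixed version"
  else
    puts "still below the fixed version: #{missing.join(', ')}"
  end
end
```

   Run without arguments it evaluates the constructed sample and reports
   only "ruby" as unpatched; piping real `rpm -q --qf` output into it
   checks the host instead. Comparing release strings numerically rather
   than as plain text matters here because "0.9.10.1" must sort after
   "0.9.9.1", which a string comparison gets wrong.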


References:

   http://support.novell.com/security/cve/CVE-2012-4522.html
   https://bugzilla.novell.com/783525
   http://download.novell.com/patch/finder/?keywords=5ac69a022ffa717bb70bba9bdcbc60ca


