Vulnerabilities > CVE-2012-4522 - Permissions, Privileges, and Access Controls vulnerability in Ruby-Lang Ruby 1.9.3/2.0.0
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected names via a NUL byte in a file path.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Accessing, Modifying or Executing Executable Files An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
- Leverage Executable Code in Non-Executable Files An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
- Blue Boxing This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
- Restful Privilege Elevation Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
- Target Programs with Elevated Privileges This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_RUBY-8524.NASL description The ruby interpreter received a fix for two security issues : - Ruby last seen 2020-06-05 modified 2013-04-04 plugin id 65799 published 2013-04-04 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/65799 title SuSE 10 Security Update : ruby (ZYPP Patch Number 8524) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The text description of this plugin is (C) Novell, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(65799); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2011-2686", "CVE-2012-4464", "CVE-2012-4466", "CVE-2012-4522", "CVE-2013-1821"); script_name(english:"SuSE 10 Security Update : ruby (ZYPP Patch Number 8524)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 10 host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "The ruby interpreter received a fix for two security issues : - Ruby's $SAFE mechanism enables untrusted user codes to run in $SAFE >= 4 mode. This is a kind of sandboxing so some operations are restricted in that mode to protect other data outside the sandbox. (CVE-2012-4466) The problem found was around this mechanism. Exception#to_s, NameError#to_s, and name_err_mesg_to_s() interpreter-internal API was not correctly handling the $SAFE bits so a String object which is not tainted can destructively be marked as tainted using them. By using this an untrusted code in a sandbox can modify a formerly-untainted string destructively. http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-446 4-cve-2012-4466/ - Ruby before 1.8.7-p352 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process. (CVE-2011-2686) - Fix entity expansion DoS vulnerability in REXML. When reading text nodes from an XML document, the REXML parser could be coerced into allocating extremely large string objects which could consume all available memory on the system. (CVE-2013-1821)" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-2686.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2012-4464.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2012-4466.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2012-4522.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2013-1821.html" ); script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 8524."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/08/05"); script_set_attribute(attribute:"patch_publication_date", value:"2013/03/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/04/04"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled."); if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE."); if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages."); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) exit(1, "Failed to determine the architecture type."); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented."); flag = 0; if (rpm_check(release:"SLED10", sp:4, reference:"ruby-1.8.6.p369-0.14.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else exit(0, "The host is not affected.");NASL family SuSE Local Security Checks NASL id SUSE_11_RUBY-130221.NASL description The ruby interpreter received a fix for a security issue : - Ruby last seen 2020-06-05 modified 2013-03-13 plugin id 65248 published 2013-03-13 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/65248 title SuSE 11.2 Security Update : ruby (SAT Patch Number 7386) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SuSE 11 update information. The text itself is # copyright (C) Novell, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(65248); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2012-4464", "CVE-2012-4466", "CVE-2012-4522"); script_name(english:"SuSE 11.2 Security Update : ruby (SAT Patch Number 7386)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 11 host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The ruby interpreter received a fix for a security issue : - Ruby's $SAFE mechanism enables untrusted user codes to run in $SAFE >= 4 mode. This is a kind of sandboxing so some operations are restricted in that mode to protect other data outside the sandbox. (CVE-2012-4466) The problem found was around this mechanism. Exception#to_s, NameError#to_s, and name_err_mesg_to_s() interpreter-internal API was not correctly handling the $SAFE bits so a String object which is not tainted can destructively be marked as tainted using them. By using this an untrusted code in a sandbox can modify a formerly-untainted string destructively. http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-446 4-cve-2012-4466/" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=783525" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2012-4464.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2012-4466.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2012-4522.html" ); script_set_attribute(attribute:"solution", value:"Apply SAT patch number 7386."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:ruby"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:ruby-doc-html"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:ruby-tk"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"patch_publication_date", value:"2013/02/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/03/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11"); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu); pl = get_kb_item("Host/SuSE/patchlevel"); if (isnull(pl) || int(pl) != 2) audit(AUDIT_OS_NOT, "SuSE 11.2"); flag = 0; if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"ruby-1.8.7.p357-0.9.9.1")) flag++; if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"ruby-1.8.7.p357-0.9.9.1")) flag++; if (rpm_check(release:"SLES11", sp:2, reference:"ruby-1.8.7.p357-0.9.9.1")) flag++; if (rpm_check(release:"SLES11", sp:2, reference:"ruby-doc-html-1.8.7.p357-0.9.9.1")) flag++; if (rpm_check(release:"SLES11", sp:2, reference:"ruby-tk-1.8.7.p357-0.9.9.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1428.NASL description According to the versions of the ruby packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005.(CVE-2012-4466) - The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.(CVE-2014-8090) - Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.(CVE-2013-4287) - The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack.(CVE-2014-8080) - The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a last seen 2020-03-17 modified 2019-05-14 plugin id 124931 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124931 title EulerOS Virtualization 3.0.1.0 : ruby (EulerOS-SA-2019-1428) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(124931); script_version("1.19"); script_cvs_date("$Date$"); script_cve_id( "CVE-2012-4464", "CVE-2012-4466", "CVE-2012-4522", "CVE-2012-5371", "CVE-2013-2065", "CVE-2013-4073", "CVE-2013-4164", "CVE-2013-4287", "CVE-2013-4363", "CVE-2014-4975", "CVE-2014-8080", "CVE-2014-8090", "CVE-2018-16395", "CVE-2018-16396", "CVE-2018-8780" ); script_bugtraq_id( 55757, 56115, 56484, 59881, 60843, 62281, 62442, 63873, 68474, 70935, 71230 ); script_name(english:"EulerOS Virtualization 3.0.1.0 : ruby (EulerOS-SA-2019-1428)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS Virtualization host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "According to the versions of the ruby packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005.(CVE-2012-4466) - The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.(CVE-2014-8090) - Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.(CVE-2013-4287) - The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack.(CVE-2014-8080) - The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.(CVE-2013-4073) - The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected names via a NUL byte in a file path.(CVE-2012-4522) - (1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent attackers to bypass intended $SAFE level restrictions.(CVE-2013-2065) - Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.(CVE-2013-4363) - Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against a variant of the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4815.(CVE-2012-5371) - Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow.(CVE-2014-4975) - Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a string that is converted to a floating point value, as demonstrated using (1) the to_f method or (2) JSON.parse.(CVE-2013-4164) - It was found that the methods from the Dir class did not properly handle strings containing the NULL byte. An attacker, able to inject NULL bytes in a path, could possibly trigger an unspecified behavior of the ruby script.(CVE-2018-8780) - Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the (1) exc_to_s or (2) name_err_to_s API function, which marks the string as tainted, a different vulnerability than CVE-2012-4466. NOTE: this issue might exist because of a CVE-2011-1005 regression.(CVE-2012-4464) - An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.(CVE-2018-16395) - An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with some formats.(CVE-2018-16396) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1428 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?81cbe7ae"); script_set_attribute(attribute:"solution", value: "Update the affected ruby packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8780"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"patch_publication_date", value:"2019/05/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ruby"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ruby-irb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ruby-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygem-bigdecimal"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygem-io-console"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygem-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygem-psych"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygem-rdoc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygems"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0"); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["ruby-2.0.0.648-33.h12", "ruby-irb-2.0.0.648-33.h12", "ruby-libs-2.0.0.648-33.h12", "rubygem-bigdecimal-1.2.0-33.h12", "rubygem-io-console-0.4.2-33.h12", "rubygem-json-1.7.7-33.h12", "rubygem-psych-2.0.0-33.h12", "rubygem-rdoc-4.0.0-33.h12", "rubygems-2.0.14.1-33.h12"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ruby"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-0129.NASL description Updated ruby packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. It was found that certain methods did not sanitize file names before passing them to lower layer routines in Ruby. If a Ruby application created files with names based on untrusted input, it could result in the creation of files with different names than expected. (CVE-2012-4522) It was found that the RHSA-2011:0909 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4481) The CVE-2012-4481 issue was discovered by Vit Ondruch of Red Hat. This update also fixes the following bug : * Prior to this update, the last seen 2020-06-01 modified 2020-06-02 plugin id 63410 published 2013-01-08 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/63410 title RHEL 5 : ruby (RHSA-2013:0129) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2013:0129. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(63410); script_version ("1.16"); script_cvs_date("Date: 2019/10/24 15:35:36"); script_cve_id("CVE-2012-4481", "CVE-2012-4522"); script_bugtraq_id(55813, 56115); script_xref(name:"RHSA", value:"2013:0129"); script_name(english:"RHEL 5 : ruby (RHSA-2013:0129)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated ruby packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. It was found that certain methods did not sanitize file names before passing them to lower layer routines in Ruby. If a Ruby application created files with names based on untrusted input, it could result in the creation of files with different names than expected. (CVE-2012-4522) It was found that the RHSA-2011:0909 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4481) The CVE-2012-4481 issue was discovered by Vit Ondruch of Red Hat. This update also fixes the following bug : * Prior to this update, the 'rb_syck_mktime' option could, under certain circumstances, terminate with a segmentation fault when installing libraries with certain gems. This update modifies the underlying code so that Ruby gems can be installed as expected. (BZ#834381) All users of Ruby are advised to upgrade to these updated packages, which contain backported patches to resolve these issues." ); script_set_attribute( attribute:"see_also", value:"https://rhn.redhat.com/errata/RHSA-2011-0909.html" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2013:0129" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2012-4481" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2012-4522" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby-docs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby-irb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby-mode"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby-rdoc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby-ri"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby-tcltk"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5"); script_set_attribute(attribute:"patch_publication_date", value:"2013/01/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/08"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = eregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! ereg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2013:0129"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"ruby-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"ruby-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"ruby-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"ruby-debuginfo-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"ruby-devel-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"ruby-docs-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"ruby-docs-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"ruby-docs-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"ruby-irb-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"ruby-irb-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"ruby-irb-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"ruby-libs-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"ruby-mode-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"ruby-mode-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"ruby-mode-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"ruby-rdoc-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"ruby-rdoc-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"ruby-rdoc-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"ruby-ri-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"ruby-ri-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"ruby-ri-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"ruby-tcltk-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"ruby-tcltk-1.8.5-27.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"ruby-tcltk-1.8.5-27.el5")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ruby / ruby-debuginfo / ruby-devel / ruby-docs / ruby-irb / etc"); } }NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2013-0129.NASL description Updated ruby packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. It was found that certain methods did not sanitize file names before passing them to lower layer routines in Ruby. If a Ruby application created files with names based on untrusted input, it could result in the creation of files with different names than expected. (CVE-2012-4522) It was found that the RHSA-2011:0909 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4481) The CVE-2012-4481 issue was discovered by Vit Ondruch of Red Hat. This update also fixes the following bug : * Prior to this update, the last seen 2020-06-01 modified 2020-06-02 plugin id 63574 published 2013-01-17 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/63574 title CentOS 5 : ruby (CESA-2013:0129) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2013:0129 and # CentOS Errata and Security Advisory 2013:0129 respectively. # include("compat.inc"); if (description) { script_id(63574); script_version("1.9"); script_cvs_date("Date: 2020/01/06"); script_cve_id("CVE-2012-4481", "CVE-2012-4522"); script_bugtraq_id(55813, 56115); script_xref(name:"RHSA", value:"2013:0129"); script_name(english:"CentOS 5 : ruby (CESA-2013:0129)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated ruby packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. It was found that certain methods did not sanitize file names before passing them to lower layer routines in Ruby. If a Ruby application created files with names based on untrusted input, it could result in the creation of files with different names than expected. (CVE-2012-4522) It was found that the RHSA-2011:0909 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4481) The CVE-2012-4481 issue was discovered by Vit Ondruch of Red Hat. This update also fixes the following bug : * Prior to this update, the 'rb_syck_mktime' option could, under certain circumstances, terminate with a segmentation fault when installing libraries with certain gems. This update modifies the underlying code so that Ruby gems can be installed as expected. (BZ#834381) All users of Ruby are advised to upgrade to these updated packages, which contain backported patches to resolve these issues." ); # https://lists.centos.org/pipermail/centos-announce/2013-January/019162.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?af85705e" ); # https://lists.centos.org/pipermail/centos-cr-announce/2013-January/000429.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?7ccfebae" ); script_set_attribute(attribute:"solution", value:"Update the affected ruby packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-4522"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ruby"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ruby-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ruby-docs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ruby-irb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ruby-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ruby-mode"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ruby-rdoc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ruby-ri"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ruby-tcltk"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/11/24"); script_set_attribute(attribute:"patch_publication_date", value:"2013/01/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/17"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 5.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-5", reference:"ruby-1.8.5-27.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"ruby-devel-1.8.5-27.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"ruby-docs-1.8.5-27.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"ruby-irb-1.8.5-27.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"ruby-libs-1.8.5-27.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"ruby-mode-1.8.5-27.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"ruby-rdoc-1.8.5-27.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"ruby-ri-1.8.5-27.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"ruby-tcltk-1.8.5-27.el5")) flag++; if (flag) { cr_plugin_caveat = '\n' + 'NOTE: The security advisory associated with this vulnerability has a\n' + 'fixed package version that may only be available in the continuous\n' + 'release (CR) repository for CentOS, until it is present in the next\n' + 'point release of CentOS.\n\n' + 'If an equal or higher package level does not exist in the baseline\n' + 'repository for your major version of CentOS, then updates from the CR\n' + 'repository will need to be applied in order to address the\n' + 'vulnerability.\n'; security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + cr_plugin_caveat ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ruby / ruby-devel / ruby-docs / ruby-irb / ruby-libs / ruby-mode / etc"); }NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2013-0129.NASL description From Red Hat Security Advisory 2013:0129 : Updated ruby packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. It was found that certain methods did not sanitize file names before passing them to lower layer routines in Ruby. If a Ruby application created files with names based on untrusted input, it could result in the creation of files with different names than expected. (CVE-2012-4522) It was found that the RHSA-2011:0909 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4481) The CVE-2012-4481 issue was discovered by Vit Ondruch of Red Hat. This update also fixes the following bug : * Prior to this update, the last seen 2020-06-01 modified 2020-06-02 plugin id 68700 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68700 title Oracle Linux 5 : ruby (ELSA-2013-0129) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2013:0129 and # Oracle Linux Security Advisory ELSA-2013-0129 respectively. # include("compat.inc"); if (description) { script_id(68700); script_version("1.6"); script_cvs_date("Date: 2019/09/30 10:58:18"); script_cve_id("CVE-2012-4481", "CVE-2012-4522"); script_bugtraq_id(55813, 56115); script_xref(name:"RHSA", value:"2013:0129"); script_name(english:"Oracle Linux 5 : ruby (ELSA-2013-0129)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2013:0129 : Updated ruby packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. It was found that certain methods did not sanitize file names before passing them to lower layer routines in Ruby. If a Ruby application created files with names based on untrusted input, it could result in the creation of files with different names than expected. (CVE-2012-4522) It was found that the RHSA-2011:0909 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4481) The CVE-2012-4481 issue was discovered by Vit Ondruch of Red Hat. This update also fixes the following bug : * Prior to this update, the 'rb_syck_mktime' option could, under certain circumstances, terminate with a segmentation fault when installing libraries with certain gems. This update modifies the underlying code so that Ruby gems can be installed as expected. (BZ#834381) All users of Ruby are advised to upgrade to these updated packages, which contain backported patches to resolve these issues." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2013-January/003208.html" ); script_set_attribute(attribute:"solution", value:"Update the affected ruby packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-docs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-irb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-mode"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-rdoc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-ri"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-tcltk"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/11/24"); script_set_attribute(attribute:"patch_publication_date", value:"2013/01/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 5", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); flag = 0; if (rpm_check(release:"EL5", reference:"ruby-1.8.5-27.el5")) flag++; if (rpm_check(release:"EL5", reference:"ruby-devel-1.8.5-27.el5")) flag++; if (rpm_check(release:"EL5", reference:"ruby-docs-1.8.5-27.el5")) flag++; if (rpm_check(release:"EL5", reference:"ruby-irb-1.8.5-27.el5")) flag++; if (rpm_check(release:"EL5", reference:"ruby-libs-1.8.5-27.el5")) flag++; if (rpm_check(release:"EL5", reference:"ruby-mode-1.8.5-27.el5")) flag++; if (rpm_check(release:"EL5", reference:"ruby-rdoc-1.8.5-27.el5")) flag++; if (rpm_check(release:"EL5", reference:"ruby-ri-1.8.5-27.el5")) flag++; if (rpm_check(release:"EL5", reference:"ruby-tcltk-1.8.5-27.el5")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ruby / ruby-devel / ruby-docs / ruby-irb / ruby-libs / ruby-mode / etc"); }NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_3DECC87D249811E2B0C7000D601460A4.NASL description The official ruby site reports : A vulnerability was found that file creation routines can create unintended files by strategically inserting NUL(s) in file paths. This vulnerability has been reported as CVE-2012-4522. Ruby can handle arbitrary binary patterns as Strings, including NUL chars. On the other hand OSes and other libraries tend not. They usually treat a NUL as an End of String mark. So to interface them with Ruby, NUL chars should properly be avoided. However methods like IO#open did not check the filename passed to them, and just passed those strings to lower layer routines. This led to create unintentional files. last seen 2020-06-01 modified 2020-06-02 plugin id 62792 published 2012-11-02 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/62792 title FreeBSD : ruby -- Unintentional file creation caused by inserting an illegal NUL character (3decc87d-2498-11e2-b0c7-000d601460a4) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2019 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(62792); script_version("1.8"); script_cvs_date("Date: 2019/07/10 16:04:13"); script_cve_id("CVE-2012-4522"); script_name(english:"FreeBSD : ruby -- Unintentional file creation caused by inserting an illegal NUL character (3decc87d-2498-11e2-b0c7-000d601460a4)"); script_summary(english:"Checks for updated package in pkg_info output"); script_set_attribute( attribute:"synopsis", value:"The remote FreeBSD host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "The official ruby site reports : A vulnerability was found that file creation routines can create unintended files by strategically inserting NUL(s) in file paths. This vulnerability has been reported as CVE-2012-4522. Ruby can handle arbitrary binary patterns as Strings, including NUL chars. On the other hand OSes and other libraries tend not. They usually treat a NUL as an End of String mark. So to interface them with Ruby, NUL chars should properly be avoided. However methods like IO#open did not check the filename passed to them, and just passed those strings to lower layer routines. This led to create unintentional files." ); # http://www.ruby-lang.org/en/news/2012/10/12/poisoned-NUL-byte-vulnerability/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?d494f86f" ); # https://access.redhat.com/security/cve/CVE-2012-4522/ script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2012-4522" ); # https://vuxml.freebsd.org/freebsd/3decc87d-2498-11e2-b0c7-000d601460a4.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?beb35305" ); script_set_attribute(attribute:"solution", value:"Update the affected package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ruby"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/12"); script_set_attribute(attribute:"patch_publication_date", value:"2012/11/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/11/02"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"ruby>1.9.3,1<1.9.3.286,1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Fedora Local Security Checks NASL id FEDORA_2012-16071.NASL description New version 1.9.3 patchlevel 286 is released. A potential security flaw was found on the previous ruby that using crafted string might lead to unintentional file creation. This new rpm will fix this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2012-10-18 plugin id 62607 published 2012-10-18 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/62607 title Fedora 18 : ruby-1.9.3.286-19.fc18 (2012-16071) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2012-16071. # include("compat.inc"); if (description) { script_id(62607); script_version("1.8"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2012-4522"); script_xref(name:"FEDORA", value:"2012-16071"); script_name(english:"Fedora 18 : ruby-1.9.3.286-19.fc18 (2012-16071)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "New version 1.9.3 patchlevel 286 is released. A potential security flaw was found on the previous ruby that using crafted string might lead to unintentional file creation. This new rpm will fix this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=865940" ); # https://lists.fedoraproject.org/pipermail/package-announce/2012-October/090235.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?0e243c99" ); script_set_attribute(attribute:"solution", value:"Update the affected ruby package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:ruby"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:18"); script_set_attribute(attribute:"patch_publication_date", value:"2012/10/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/10/18"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2020 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^18([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 18.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC18", reference:"ruby-1.9.3.286-19.fc18")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ruby"); }NASL family Scientific Linux Local Security Checks NASL id SL_20130108_RUBY_ON_SL5_X.NASL description It was found that certain methods did not sanitize file names before passing them to lower layer routines in Ruby. If a Ruby application created files with names based on untrusted input, it could result in the creation of files with different names than expected. (CVE-2012-4522) It was found that the SLSA-2011:0909 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4481) This update also fixes the following bug : - Prior to this update, the last seen 2020-03-18 modified 2013-01-17 plugin id 63603 published 2013-01-17 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/63603 title Scientific Linux Security Update : ruby on SL5.x i386/x86_64 (20130108) NASL family Fedora Local Security Checks NASL id FEDORA_2012-16086.NASL description New version 1.9.3 patchlevel 286 is released. A potential security flaw was found on the previous ruby that using crafted string might lead to unintentional file creation. This new rpm will fix this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2012-10-22 plugin id 62648 published 2012-10-22 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/62648 title Fedora 17 : ruby-1.9.3.286-18.fc17 (2012-16086) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-235.NASL description CVE-2011-0188 The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an last seen 2020-03-17 modified 2015-06-01 plugin id 83907 published 2015-06-01 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83907 title Debian DLA-235-1 : ruby1.9.1 security update NASL family SuSE Local Security Checks NASL id OPENSUSE-2013-167.NASL description ruby19 was updated to fix various bugs and security issues: Update to 1.9.3 p385 (bnc#802406) - XSS exploit of RDoc documentation generated by rdoc (CVE-2013-0256) - for other changes see /usr/share/doc/packages/ruby19/Changelog Update to 1.9.3 p327 (bnc#789983) - CVE-2012-5371 and plenty of other fixes Update to 1.9.3 p286 (bnc#783511, bnc#791199) - This release includes some security fixes, and many other bug fixes. $SAFE escaping vulnerability about Exception#to_s / NameError#to_s (CVE-2012-4464, CVE-2012-4466) - Unintentional file creation caused by inserting an illegal NUL character many other bug fixes. (CVE-2012-4522) Also following bugfixes and packaging fixes were done : - make sure the rdoc output is more stable for build-compare (new patch ruby-sort-rdoc-output.patch) - readd the private header *atomic.h - remove build depencency on ca certificates - only causing cycles - one more header needed for rubygem-ruby-debug-base19 - install vm_core.h and its dependencies as ruby-devel-extra - move the provides to the ruby package instead - add provides for the internal gems - restore the old ruby macros and the gem wrapper script - gem_install_wrapper no longer necessary last seen 2020-06-05 modified 2014-06-13 plugin id 74909 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74909 title openSUSE Security Update : ruby19 (openSUSE-SU-2013:0376-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1614-1.NASL description Tyler Hicks and Shugo Maeda discovered that Ruby incorrectly allowed untainted strings to be modified in protective safe levels. An attacker could use this flaw to bypass intended access restrictions. USN-1602-1 fixed these vulnerabilities in other Ubuntu releases. This update provides the corresponding updates for Ubuntu 12.10. (CVE-2012-4464, CVE-2012-4466) Peter Bex discovered that Ruby incorrectly handled file path strings when opening files. An attacker could use this flaw to open or create unexpected files. (CVE-2012-4522). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 62661 published 2012-10-23 reporter Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/62661 title Ubuntu 12.04 LTS / 12.10 : ruby1.9.1 vulnerabilities (USN-1614-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-0582.NASL description Red Hat OpenShift Enterprise 1.1.1 is now available. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenShift Enterprise is a cloud computing Platform-as-a-Service (PaaS) solution from Red Hat, and is designed for on-premise or private cloud deployments. Installing the updated packages and restarting the OpenShift services are the only requirements for this update. However, if you are updating your system to Red Hat Enterprise Linux 6.4 while applying OpenShift Enterprise 1.1.1 updates, it is recommended that you restart your system. For further information about this release, refer to the OpenShift Enterprise 1.1.1 Technical Notes, available shortly from https://access.redhat.com/knowledge/docs/ This update also fixes the following security issues : Multiple cross-site scripting (XSS) flaws were found in rubygem-actionpack. A remote attacker could use these flaws to conduct XSS attacks against users of an application using rubygem-actionpack. (CVE-2012-3463, CVE-2012-3464, CVE-2012-3465) It was found that certain methods did not sanitize file names before passing them to lower layer routines in Ruby. If a Ruby application created files with names based on untrusted input, it could result in the creation of files with different names than expected. (CVE-2012-4522) A denial of service flaw was found in the implementation of associative arrays (hashes) in Ruby. An attacker able to supply a large number of inputs to a Ruby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, a new, more collision resistant algorithm has been used to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2012-5371) Input validation vulnerabilities were discovered in rubygem-activerecord. A remote attacker could possibly use these flaws to perform a SQL injection attack against an application using rubygem-activerecord. (CVE-2012-2661, CVE-2012-2695, CVE-2013-0155) Input validation vulnerabilities were discovered in rubygem-actionpack. A remote attacker could possibly use these flaws to perform a SQL injection attack against an application using rubygem-actionpack and rubygem-activerecord. (CVE-2012-2660, CVE-2012-2694) A flaw was found in the HTTP digest authentication implementation in rubygem-actionpack. A remote attacker could use this flaw to cause a denial of service of an application using rubygem-actionpack and digest authentication. (CVE-2012-3424) A flaw was found in the handling of strings in Ruby safe level 4. A remote attacker can use Exception#to_s to destructively modify an untainted string so that it is tainted, the string can then be arbitrarily modified. (CVE-2012-4466) A flaw was found in the method for translating an exception message into a string in the Ruby Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4464) It was found that ruby_parser from rubygem-ruby_parser created a temporary file in an insecure way. A local attacker could use this flaw to perform a symbolic link attack, overwriting arbitrary files accessible to the application using ruby_parser. (CVE-2013-0162) The CVE-2013-0162 issue was discovered by Michael Scherer of the Red Hat Regional IT team. Users are advised to upgrade to Red Hat OpenShift Enterprise 1.1.1. last seen 2020-06-10 modified 2018-12-06 plugin id 119432 published 2018-12-06 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119432 title RHEL 6 : openshift (RHSA-2013:0582)
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
Seebug
| bulletinFamily | exploit |
| description | Bugtraq ID:56115 CVE ID:CVE-2012-4522 Ruby on Rails是一款Web应用程序框架,构建在Ruby语言之上。 Ruby的文件创建函数存在安全漏洞,允许攻击者在文件路径中注入非法NUL(s)创建恶意文件。 0 Yukihiro Matsumoto Ruby 1.9.3 dev Yukihiro Matsumoto Ruby 1.9.2 RC2 Yukihiro Matsumoto Ruby 1.9.2 P180 Yukihiro Matsumoto Ruby 1.9.2 P136 Yukihiro Matsumoto Ruby 1.9.2 P0 Yukihiro Matsumoto Ruby 1.9.2 -rc1 Yukihiro Matsumoto Ruby 1.9.1 P431 Yukihiro Matsumoto Ruby 1.9.1 -p429 Yukihiro Matsumoto Ruby 1.9.1 -p376 Yukihiro Matsumoto Ruby 1.9.1 Yukihiro Matsumoto Ruby 1.9 -2 Yukihiro Matsumoto Ruby 1.9 -1 Yukihiro Matsumoto Ruby 1.9 Yukihiro Matsumoto Ruby 1.9.2 pre3 Yukihiro Matsumoto Ruby 1.9.1-p430 Yukihiro Matsumoto Ruby 1.9.1-p378 Yukihiro Matsumoto Ruby 1.9.0-3 Yukihiro Matsumoto Ruby 1.9 厂商解决方案 用户可联系厂商获得最新的版本: http://www.ruby-lang.org/ |
| id | SSV:60443 |
| last seen | 2017-11-19 |
| modified | 2012-10-23 |
| published | 2012-10-23 |
| reporter | Root |
| title | Ruby 本地文件创建漏洞(CVE-2012-4522) |
References
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090235.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090515.html
- http://rhn.redhat.com/errata/RHSA-2013-0129.html
- http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37163
- http://www.openwall.com/lists/oss-security/2012/10/12/6
- http://www.openwall.com/lists/oss-security/2012/10/13/1
- http://www.openwall.com/lists/oss-security/2012/10/16/1
- http://www.ruby-lang.org/en/news/2012/10/12/poisoned-NUL-byte-vulnerability/