Martin Schulze wrote:
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 860-1                     [EMAIL PROTECTED]
> http://www.debian.org/security/                             Martin Schulze
> October 11th, 2005                      http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
>
> Package        : ruby
> Vulnerability  : programming error
> Problem type   : local
> Debian-specific: no
> CVE ID         : CAN-2005-2337
> CERT advisory  : VU#160012
> Debian Bug     : 332742
>
> Yutaka Oiwa discovered a bug in Ruby, the interpreter for the
> object-oriented scripting language, that can cause illegal program
> code to bypass the safe level and taint flag protections check and be
> executed. The following matrix lists the fixed versions in our
> distributions:
This explanation is not correct. According to the explanation in the original Japanese vulnerability report (http://www.ipa.go.jp/security/vuln/documents/2005/JVN_62914675_Ruby.html) and the JVN report (http://jvn.jp/jp/JVN%2362914675/index.html), only the "safe level" feature is bypassed, not the taint flag controls. The description on www.ruby-lang.org has a confusing explanation, maybe due to mistranslation :-), but the explanation from US-CERT is more appropriate for this bug.

-- 
Seiji Kaneko [EMAIL PROTECTED]

