Ubuntu issued an advisory on October 10:
http://www.ubuntu.com/usn/usn-1603-1/

Patched packages uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated ruby packages fix security vulnerabilities:

Shugo Maedo and Vit Ondruch discovered that Ruby incorrectly allowed untainted strings to be modified in protective safe levels. An attacker could use this flaw to bypass intended access restrictions (CVE-2012-4466, CVE-2012-4481).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4481
http://www.ubuntu.com/usn/usn-1603-1/
========================

Updated packages in core/updates_testing:
========================
ruby-1.8.7.p357-1.1.mga1
ruby-doc-1.8.7.p357-1.1.mga1
ruby-devel-1.8.7.p357-1.1.mga1
ruby-tk-1.8.7.p357-1.1.mga1
ruby-1.8.7.p358-1.1.mga2
ruby-doc-1.8.7.p358-1.1.mga2
ruby-devel-1.8.7.p358-1.1.mga2
ruby-tk-1.8.7.p358-1.1.mga2

from SRPMS:
ruby-1.8.7.p357-1.1.mga1.src.rpm
ruby-1.8.7.p358-1.1.mga2.src.rpm
Whiteboard: (none) => MGA1TOO
No PoCs that I can find, so just checking with some simple scripts which test ruby-tk and ruby.

http://chmeee.dyndns.org/learntk/HelloWorld

    require 'tk'
    root = TkRoot.new() { title "Hello, world!" }
    Tk.mainloop()

The Hello World script in irb:

    $ irb
    irb(main):001:0> require 'tk'
    => true
    irb(main):002:0> root = TkRoot.new() { title "Hello, world!" }
    => #<Tk::Root:0x7f564f0ce188 @path=".">
    irb(main):003:0> Tk.mainloop()
    => true

This opens a little window.

Also a simple script:

    #!/usr/bin/ruby
    class Total
      def initialize(initial_amount)
        @total=initial_amount
      end

      def increaseBy(increase)
        @total += increase
      end

      def multiplyBy(increase)
        @total *= increase
      end

      def setTo(amount)
        @total = amount
      end

      def getTotal()
        return @total;
      end

      def hasTotal()
        return @total!=nil;
      end
    end

    total = Total.new(0)
    for ss in 1..4
      total.increaseBy(ss)
      puts total.getTotal if total.hasTotal
    end
    print "Final total: ", total.getTotal, "\n" if total.hasTotal

Which outputs:

    $ ruby rubytest.rb
    1
    3
    6
    10
    Final total: 10

Testing complete Mageia 2 x86_64
Whiteboard: MGA1TOO => MGA1TOO mga2-64-OK
Whiteboard: MGA1TOO mga2-64-OK => MGA1TOO has_procedure mga2-64-OK
Testing complete on Mageia 2 i586 with the procedure that Claire used.
CC: (none) => ed_rus099
Whiteboard: MGA1TOO has_procedure mga2-64-OK => MGA1TOO has_procedure mga2-64-OK mga2-32-OK
URL: (none) => http://lwn.net/Vulnerabilities/519492/
Testing complete mga1 32
Whiteboard: MGA1TOO has_procedure mga2-64-OK mga2-32-OK => MGA1TOO has_procedure mga2-64-OK mga2-32-OK mga1-32-OK
Testing complete mga1 64

Validating

Advisory and srpms in comment 0

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure mga2-64-OK mga2-32-OK mga1-32-OK => MGA1TOO has_procedure mga2-64-OK mga2-32-OK mga1-32-OK mga1-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0294
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
*** Bug 10845 has been marked as a duplicate of this bug. ***
CC: (none) => oe