FreeBSD : ruby -- Unintentional file creation caused by inserting an illegal NUL character (3decc87d-2498-11e2-b0c7-000d601460a4)
Medium Nessus Plugin ID 62792
Synopsis
The remote FreeBSD host is missing a security-related update.
Description
The official Ruby site reports:
A vulnerability was found in which file creation routines can create unintended files by strategically inserting NUL(s) in file paths. This vulnerability has been reported as CVE-2012-4522.
Ruby can handle arbitrary binary patterns as Strings, including NUL chars. On the other hand, OSes and other libraries tend not to. They usually treat a NUL as an End of String mark. So to interface them with Ruby, NUL chars should properly be avoided.
However, methods like IO#open did not check the filename passed to them, and just passed those strings to lower layer routines. This led to the creation of unintentional files.
Solution
Update the affected package.
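
To verify the update and guard application code against the mismatch described above, the following added example (not part of the advisory or of Ruby itself) shows what a C-level routine would see for a path containing NUL, rejects such paths up front, and probes whether the running interpreter refuses them. The helper names `c_string_view`, `checked_path` and `interpreter_rejects_nul?` and the sample file names are hypothetical.

```ruby
require "tmpdir"

# What a C-level routine sees: the bytes up to the first NUL.
def c_string_view(path)
  path.b.split("\0", 2).first.to_s
end

# Validate a caller-supplied path before it reaches any file API.
# Raises instead of silently passing a truncatable name downward.
def checked_path(path)
  s = String(path)
  if s.include?("\0")
    raise ArgumentError,
          "path contains NUL byte (OS would see #{c_string_view(s).inspect})"
  end
  s
end

# Probe the running interpreter without creating any file: open a
# non-existent, constructed name in read mode inside an empty temp dir.
# A fixed Ruby raises ArgumentError before touching the OS; an unfixed
# one hands the truncated name to the OS, which answers with ENOENT.
def interpreter_rejects_nul?
  Dir.mktmpdir do |dir|
    probe = "#{dir}/probe.txt\0.png" # constructed sample name
    begin
      File.open(probe, "r") {}
      false
    rescue ArgumentError
      true
    rescue SystemCallError
      false
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "Ruby #{RUBY_VERSION}: rejects NUL in paths? #{interpreter_rejects_nul?}"
end
```
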