SuSE 11.2 Security Update : ruby (SAT Patch Number 7386)
Medium Nessus Plugin ID 65248
The remote SuSE 11 host is missing one or more security updates.
The ruby interpreter received a fix for a security issue:

- Ruby's $SAFE mechanism enables untrusted user code to run in $SAFE >= 4 mode. This is a kind of sandboxing: some operations are restricted in that mode to protect other data outside the sandbox. (CVE-2012-4466)

The problem found was around this mechanism. Exception#to_s, NameError#to_s, and the interpreter-internal API name_err_mesg_to_s() were not correctly handling the $SAFE bits, so a String object which is not tainted can destructively be marked as tainted using them. By using this, untrusted code in a sandbox can modify a formerly-untainted string destructively.

http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/