Ruby vulnerability in the safe level settings

The Ruby versions listed below have a vulnerability that allows an arbitrary code to run bypassing the safe level check.

Date published: 2005-10-02
Versions affected:
  Stable releases(1.8.x) - Versions 1.8.2 and earlier (fixed on Version 1.8.3)
  Old releases(1.6.x) - Versions 1.6.8 and earlier
  Development versions(1.9.0) - Versions 2005-09-01 and earlier (fixed on Version 2005-09-02)

Solution:

Users of stable releases (1.8.x) and development versions (1.9.0) should update Ruby to the latest versions listed above. Users of old releases (1.6.x) should update to the stable releases (1.8.x) or download the latest snapshot for 1.6.x from the URL below, build, and install.

ftp://ftp.ruby-lang.org/pub/ruby/snapshot-1.6.tar.gz

A patch from ruby-1.6.8.tar.gz is also provided at the following location:

ftp://ftp.ruby-lang.org/pub/ruby/1.6/1.6.8-patch1.gz

md5sum: 7a97381d61576e68aec94d60bc4cbbab

A patch from ruby-1.8.2.tar.gz is also provided at the following location:

ftp://ftp.ruby-lang.org/pub/ruby/1.8/1.8.2-patch1.gz

md5sum: 4f32bae4546421a20a9211253da103d3

Description:

The Object Oriented Scripting Language Ruby supports safely executing an untrusted code with two mechanisms: safe level and taint flag on objects. A vulnerability has been found that allows bypassing these mechanisms. By using the vulnerability, arbitrary code can be executed beyond the restrictions specified in each safe level. Therefore, Ruby has to be updated on all systems that use safe level to execute untrusted code.

Reference:

JVN#62914675 http://jvn.jp/jp/JVN%2362914675/index.html (in Japanese)

Acknowledgment:

We thank Dr. Yutaka Oiwa, Research Center for Information Security, National Institute of Advanced Industrial Science and Technology, who found the vulnerability that allows bypassing safe level.