Multiple vulnerabilities in Ruby - safe level and dl tainting
The Ruby developers have recommended that users upgrade to the latest version of Ruby after vulnerabilities were found in Ruby's handling of safe levels and tainting, features designed to help manage Ruby security.
Safe levels are a mechanism that lets the developer set the $SAFE variable; the higher its value, the fewer unsafe actions a program can take. Keita Yamaguchi found that a number of unsafe operations were possible at inappropriate levels, for example, being able to change $PROGRAM_NAME at safe level 4, the highest safe level.
Another major vulnerability, credited to sheepman, is that the dl dynamic library module does not check the taintedness of variables handed to it, opening the possibility that system-level calls could be compromised.
In the advisory, the Ruby developers also noted a Denial of Service vulnerability in the WEBrick HTTP server, found by Christian Neukirchen, and a DNS spoofing vulnerability in resolv.rb, identified by Tanaka Akira, which exposes Ruby applications to DNS poisoning attacks.
The versions affected are 1.8.5, 1.8.6-p286, 1.8.7-p71, 1.9 r18423 and all releases prior to them.