CVE-2013-2065 | Vulnerability Database | Aqua Security

(1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent attackers to bypass intended $SAFE level restrictions.

Affected Software

Name	Vendor	Start Version	End Version
Opensuse	Opensuse	12.2 (including)	12.2 (including)
Opensuse	Opensuse	12.3 (including)	12.3 (including)
Ruby1.8	Ubuntu	lucid	*
Ruby1.9.1	Ubuntu	lucid	*
Ruby1.9.1	Ubuntu	precise	*
Ruby1.9.1	Ubuntu	quantal	*
Ruby1.9.1	Ubuntu	raring	*
Ruby1.9.1	Ubuntu	saucy	*
Ruby1.9.1	Ubuntu	upstream	*
Ruby2.0	Ubuntu	upstream	*

References

http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107064.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107098.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107120.html
http://lists.opensuse.org/opensuse-updates/2013-10/msg00057.html
http://www.ubuntu.com/usn/USN-2035-1
https://puppet.com/security/cve/cve-2013-2065
https://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107064.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107098.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107120.html
http://lists.opensuse.org/opensuse-updates/2013-10/msg00057.html
http://www.ubuntu.com/usn/USN-2035-1
https://puppet.com/security/cve/cve-2013-2065
https://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/

NVD	https://nvd.nist.gov/vuln/detail/CVE-2013-2065
CWE	https://cwe.mitre.org/data/definitions/264.html