Description
A flaw was found in the way large amounts of memory were allocated on
64-bit systems when using the BigDecimal class. A context-dependent
attacker could use this flaw to cause memory corruption, causing a Ruby
application that uses the BigDecimal class to crash or, possibly, execute
arbitrary code. This issue did not affect 32-bit systems. (CVE-2011-0188)
A race condition flaw was found in the remove system entries method in the
FileUtils module. If a local user ran a Ruby script that uses this method,
a local attacker could use this flaw to delete arbitrary files and
directories accessible to that user via a symbolic link attack.
(CVE-2011-1004)
A flaw was found in the method for translating an exception message into a
string in the Exception class. A remote attacker could use this flaw to
bypass safe level 4 restrictions, allowing untrusted (tainted) code to
modify arbitrary, trusted (untainted) strings, which safe level 4
restrictions would otherwise prevent. (CVE-2011-1005)