Two security fixes have been released for Ruby today. The first vulnerability affects the FileUtils.remove_entry_secure method which allowed local users to delete arbitrary files and directories. The second one affects the $SAFE level.
This affects Ruby versions 1.8.6 (420), 1.8.7 (330), 1.9.1 (430), 1.9.2 (136) and the development versions. The problem has been fixed and is available for download.
This affects only 1.8 Ruby versions. Exception#to_s method can be used to trick $SAFE check, which makes a untrusted codes to modify arbitrary strings. The variable
$SAFE determines Ruby’s level of paranoia. This problem has also been fixed.