MDVSA-2008:142

Package name
ruby
Date
2008-07-09
Advisory ID
MDVSA-2008:142
Affected versions
CS3.0 i586 , CS3.0 x86_64

Problem description

Multiple vulnerabilities have been found in the Ruby interpreter and
in Webrick, the webserver bundled with Ruby.

Directory traversal vulnerability in WEBrick in Ruby 1.8 before
1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on
systems that support backslash (\) path separators or case-insensitive
file names, allows remote attackers to access arbitrary files via
(1) ..%5c (encoded backslash) sequences or (2) filenames that match
patterns in the :NondisclosureName option. (CVE-2008-1145)

Multiple integer overflows in the rb_str_buf_append function in
Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before
1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2
allow context-dependent attackers to execute arbitrary code or
cause a denial of service via unknown vectors that trigger memory
corruption, a different issue than CVE-2008-2663, CVE-2008-2664,
and CVE-2008-2725. (CVE-2008-2662)

Multiple integer overflows in the rb_ary_store function in Ruby
1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230,
and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to
execute arbitrary code or cause a denial of service via unknown
vectors, a different issue than CVE-2008-2662, CVE-2008-2664, and
CVE-2008-2725. (CVE-2008-2663)

The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before
1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0
before 1.9.0-2 allows context-dependent attackers to trigger memory
corruption via unspecified vectors related to alloca, a different issue
than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2725. (CVE-2008-2664)

Integer overflow in the rb_ary_splice function in Ruby 1.8.4
and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230,
and 1.8.7 before 1.8.7-p22 allows context-dependent attackers to
trigger memory corruption via unspecified vectors, aka the REALLOC_N
variant, a different issue than CVE-2008-2662, CVE-2008-2663, and
CVE-2008-2664. (CVE-2008-2725)

Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and
earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before
1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers
to trigger memory corruption, aka the beg + rlen issue. (CVE-2008-2726)

Integer overflow in the rb_ary_fill function in array.c in Ruby before
revision 17756 allows context-dependent attackers to cause a denial
of service (crash) or possibly have unspecified other impact via a
call to the Array#fill method with a start (aka beg) argument greater
than ARY_MAX_SIZE. (CVE-2008-2376)

The updated packages have been patched to fix these issues.

Updated packages

CS3.0 i586

 078849cb78d43bbe44aed5faba17ce36  corporate/3.0/i586/ruby-1.8.1-1.10.C30mdk.i586.rpm
 0c7e275a33a125c790cd109d67ff7355  corporate/3.0/i586/ruby-devel-1.8.1-1.10.C30mdk.i586.rpm
 1e30796a41e440eb9a1ca6589737bd88  corporate/3.0/i586/ruby-doc-1.8.1-1.10.C30mdk.i586.rpm
 0414d9413e6d5fbed3cad3096ca1e23c  corporate/3.0/i586/ruby-tk-1.8.1-1.10.C30mdk.i586.rpm 
 c75fdfc1387b13c4fe50f929b9125516  corporate/3.0/SRPMS/ruby-1.8.1-1.10.C30mdk.src.rpm

CS3.0 x86_64

 4b6992996fe4d1df03c189bdd51b14bc  corporate/3.0/x86_64/ruby-1.8.1-1.10.C30mdk.x86_64.rpm
 475a0ee98a513a4d2aada6fdbe33ff9c  corporate/3.0/x86_64/ruby-devel-1.8.1-1.10.C30mdk.x86_64.rpm
 8fc454cc2d5edb758958e72ee2f92d03  corporate/3.0/x86_64/ruby-doc-1.8.1-1.10.C30mdk.x86_64.rpm
 dfac76704ce02fd86b5fc8e29bd8ea34  corporate/3.0/x86_64/ruby-tk-1.8.1-1.10.C30mdk.x86_64.rpm 
 c75fdfc1387b13c4fe50f929b9125516  corporate/3.0/SRPMS/ruby-1.8.1-1.10.C30mdk.src.rpm

References