Package name
ruby
Date
2011-05-23
Advisory ID
MDVSA-2011:098
Affected versions
CS4.0 x86_64 , CS4.0 i586

Problem description

Multiple vulnerabilities have been identified and fixed in ruby:

Cross-site scripting (XSS) vulnerability in the WEBrick HTTP server
in Ruby allows remote attackers to inject arbitrary web script or HTML
via a crafted URI that triggers a UTF-7 error page (CVE-2010-0541).

The safe-level feature in Ruby allows context-dependent attackers
to modify strings via the Exception#to_s method, as demonstrated by
changing an intended pathname (CVE-2011-1005).

The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
Ruby does not properly allocate memory, which allows context-dependent
attackers to execute arbitrary code or cause a denial of service
(application crash) via vectors involving creation of a large
BigDecimal value within a 64-bit process, related to an integer
truncation issue (CVE-2011-0188).

The updated packages have been patched to correct these issues.

Updated packages

CS4.0 x86_64

 6ebbbe7111ed2f782a74e53d7852e9a7  corporate/4.0/x86_64/ruby-1.8.2-7.12.20060mlcs4.x86_64.rpm
 9f41b5f45c53d4415b26a86e50abbdfc  corporate/4.0/x86_64/ruby-devel-1.8.2-7.12.20060mlcs4.x86_64.rpm
 da424c6a5b676ab74a5eb88a945817ac  corporate/4.0/x86_64/ruby-doc-1.8.2-7.12.20060mlcs4.x86_64.rpm
 05be0c747d5fe9e18846c71c94f544b2  corporate/4.0/x86_64/ruby-tk-1.8.2-7.12.20060mlcs4.x86_64.rpm 
 c47e659878782a2142d0aa895948cbdd  corporate/4.0/SRPMS/ruby-1.8.2-7.12.20060mlcs4.src.rpm

CS4.0 i586

 dfeb0f9357da8745785c0982b0712ce9  corporate/4.0/i586/ruby-1.8.2-7.12.20060mlcs4.i586.rpm
 8f5e2bac1144b743427b0ec86e9d0bdc  corporate/4.0/i586/ruby-devel-1.8.2-7.12.20060mlcs4.i586.rpm
 0fe11def9c0d08c8be547b673382ab13  corporate/4.0/i586/ruby-doc-1.8.2-7.12.20060mlcs4.i586.rpm
 71ef95ff361bded75e12ee0a43d76801  corporate/4.0/i586/ruby-tk-1.8.2-7.12.20060mlcs4.i586.rpm 
 c47e659878782a2142d0aa895948cbdd  corporate/4.0/SRPMS/ruby-1.8.2-7.12.20060mlcs4.src.rpm
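
The following Ruby script is an added example and not part of the Mandriva advisory; it parses the package list above and checks downloaded RPMs against the published MD5 sums (the directory name `downloads/` is an assumption).

```ruby
require 'digest/md5'

# Package list copied verbatim from the advisory ("md5  path" per line).
# The source RPM appears in both architecture lists and is listed once.
ADVISORY_PACKAGES = <<~LIST
  6ebbbe7111ed2f782a74e53d7852e9a7  corporate/4.0/x86_64/ruby-1.8.2-7.12.20060mlcs4.x86_64.rpm
  9f41b5f45c53d4415b26a86e50abbdfc  corporate/4.0/x86_64/ruby-devel-1.8.2-7.12.20060mlcs4.x86_64.rpm
  da424c6a5b676ab74a5eb88a945817ac  corporate/4.0/x86_64/ruby-doc-1.8.2-7.12.20060mlcs4.x86_64.rpm
  05be0c747d5fe9e18846c71c94f544b2  corporate/4.0/x86_64/ruby-tk-1.8.2-7.12.20060mlcs4.x86_64.rpm
  dfeb0f9357da8745785c0982b0712ce9  corporate/4.0/i586/ruby-1.8.2-7.12.20060mlcs4.i586.rpm
  8f5e2bac1144b743427b0ec86e9d0bdc  corporate/4.0/i586/ruby-devel-1.8.2-7.12.20060mlcs4.i586.rpm
  0fe11def9c0d08c8be547b673382ab13  corporate/4.0/i586/ruby-doc-1.8.2-7.12.20060mlcs4.i586.rpm
  71ef95ff361bded75e12ee0a43d76801  corporate/4.0/i586/ruby-tk-1.8.2-7.12.20060mlcs4.i586.rpm
  c47e659878782a2142d0aa895948cbdd  corporate/4.0/SRPMS/ruby-1.8.2-7.12.20060mlcs4.src.rpm
LIST

# Parse advisory lines into { "package.rpm" => "md5hex" }.
# Lines that do not start with a 32-hex-digit checksum are ignored.
def parse_advisory(text)
  text.each_line.each_with_object({}) do |line, acc|
    md5, path = line.split
    next unless md5 && path && md5.match?(/\A\h{32}\z/)
    acc[File.basename(path)] = md5.downcase
  end
end

# Compare a downloaded file's bytes with the advisory's MD5.
# Returns :ok, :mismatch, or :unknown when the advisory does not list
# that file name at all (a renamed or unexpected package).
def verify_package(expected, filename, data)
  want = expected[File.basename(filename)]
  return :unknown unless want
  Digest::MD5.hexdigest(data) == want ? :ok : :mismatch
end

# Check every *.rpm in a directory; MD5 only matches what the advisory
# publishes, so still run `rpm -K` for the vendor signature afterwards.
def verify_dir(expected, dir)
  Dir.glob(File.join(dir, '*.rpm')).to_h do |f|
    [File.basename(f), verify_package(expected, f, File.binread(f))]
  end
end

if $PROGRAM_NAME == __FILE__
  verify_dir(parse_advisory(ADVISORY_PACKAGES), 'downloads').each do |name, status|
    puts "#{status.to_s.upcase.ljust(8)} #{name}"
  end
end
```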

References