MDVSA-2008:141

Nom du paquet
ruby
Date
2008-07-09
Advisory ID
MDVSA-2008:141
Affected versions
2007.1 i586 , CS4.0 i586 , 2008.0 x86_64 , CS4.0 x86_64 , 2008.0 i586 , 2007.1 x86_64

Problem description

Multiple vulnerabilities have been found in the Ruby interpreter and
in Webrick, the webserver bundled with Ruby.

Directory traversal vulnerability in WEBrick in Ruby 1.8 before
1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on
systems that support backslash (\) path separators or case-insensitive
file names, allows remote attackers to access arbitrary files via
(1) ..%5c (encoded backslash) sequences or (2) filenames that match
patterns in the :NondisclosureName option. (CVE-2008-1145)

Directory traversal vulnerability in WEBrick in Ruby 1.9.0
and earlier, when using NTFS or FAT filesystems, allows remote
attackers to read arbitrary CGI files via a trailing (1) + (plus),
(2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or
(5) %20 (encoded space) character in the URI, possibly related to
the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new
functionality and the :DocumentRoot option. (CVE-2008-1891)

Multiple integer overflows in the rb_str_buf_append function in
Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before
1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2
allow context-dependent attackers to execute arbitrary code or
cause a denial of service via unknown vectors that trigger memory
corruption. (CVE-2008-2662)

Multiple integer overflows in the rb_ary_store function in Ruby
1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230,
and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to
execute arbitrary code or cause a denial of service via unknown
vectors. (CVE-2008-2663)

The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before
1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0
before 1.9.0-2 allows context-dependent attackers to trigger memory
corruption via unspecified vectors related to alloca. (CVE-2008-2664)

Integer overflow in the rb_ary_splice function in Ruby 1.8.4
and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230,
and 1.8.7 before 1.8.7-p22 allows context-dependent attackers to
trigger memory corruption via unspecified vectors, aka the REALLOC_N
variant. (CVE-2008-2725)

Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and
earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before
1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers
to trigger memory corruption, aka the beg + rlen issue. (CVE-2008-2726)

Integer overflow in the rb_ary_fill function in array.c in Ruby before
revision 17756 allows context-dependent attackers to cause a denial
of service (crash) or possibly have unspecified other impact via a
call to the Array#fill method with a start (aka beg) argument greater
than ARY_MAX_SIZE. (CVE-2008-2376)

The updated packages have been patched to fix these issues.

Updated packages

2007.1 i586

 c252d5ada64ffce7573bc6e0d2184732  2007.1/i586/ruby-1.8.5-5.2mdv2007.1.i586.rpm
 7c1687d94932963aed642743b1843212  2007.1/i586/ruby-devel-1.8.5-5.2mdv2007.1.i586.rpm
 cb3097b6b931faeb143924fbee1d3a28  2007.1/i586/ruby-doc-1.8.5-5.2mdv2007.1.i586.rpm
 d29d868f062bad90621381d386472777  2007.1/i586/ruby-tk-1.8.5-5.2mdv2007.1.i586.rpm 
 33d63f4835688a0ab7581c362e75dd64  2007.1/SRPMS/ruby-1.8.5-5.2mdv2007.1.src.rpm

CS4.0 i586

 7a9604cb39058bab09a4e553c0cbc2e3  corporate/4.0/i586/ruby-1.8.2-7.7.20060mlcs4.i586.rpm
 5d900b1a9787097628a51b6c24ba4be9  corporate/4.0/i586/ruby-devel-1.8.2-7.7.20060mlcs4.i586.rpm
 b8729a0cf4552ea6a8fc611fc1104d11  corporate/4.0/i586/ruby-doc-1.8.2-7.7.20060mlcs4.i586.rpm
 c716012af6e742531fc28257f4696f4d  corporate/4.0/i586/ruby-tk-1.8.2-7.7.20060mlcs4.i586.rpm 
 c72b7dad7cb2bd7562d995da4c4e4efd  corporate/4.0/SRPMS/ruby-1.8.2-7.7.20060mlcs4.src.rpm

2008.0 x86_64

 f120c134ce4fdead8965403ccc8eb49e  2008.0/x86_64/ruby-1.8.6-5.2mdv2008.0.x86_64.rpm
 a9609b6039420c64abfb9b91d92b68bc  2008.0/x86_64/ruby-devel-1.8.6-5.2mdv2008.0.x86_64.rpm
 0e329d93db15b76812cc51b26f897604  2008.0/x86_64/ruby-doc-1.8.6-5.2mdv2008.0.x86_64.rpm
 92600aca44e77277ed4f719c123e5b90  2008.0/x86_64/ruby-tk-1.8.6-5.2mdv2008.0.x86_64.rpm 
 858395d3967c7de15b571385c197ccc4  2008.0/SRPMS/ruby-1.8.6-5.2mdv2008.0.src.rpm

CS4.0 x86_64

 13d8f1e4329d0f7dfc5572a2705f8b86  corporate/4.0/x86_64/ruby-1.8.2-7.7.20060mlcs4.x86_64.rpm
 a7d4f516f8ff886168cf6335fcad125e  corporate/4.0/x86_64/ruby-devel-1.8.2-7.7.20060mlcs4.x86_64.rpm
 4d740dd82feaba8d2e9e1488c6cf2ef9  corporate/4.0/x86_64/ruby-doc-1.8.2-7.7.20060mlcs4.x86_64.rpm
 b2de140fb31dcfbcee01134bc31489ea  corporate/4.0/x86_64/ruby-tk-1.8.2-7.7.20060mlcs4.x86_64.rpm 
 c72b7dad7cb2bd7562d995da4c4e4efd  corporate/4.0/SRPMS/ruby-1.8.2-7.7.20060mlcs4.src.rpm

2008.0 i586

 89f70e454462048226c6059b95652f25  2008.0/i586/ruby-1.8.6-5.2mdv2008.0.i586.rpm
 d57091c563b105fd9e4127ef8008867d  2008.0/i586/ruby-devel-1.8.6-5.2mdv2008.0.i586.rpm
 8a94d59110ecb0cd0a480b69ed1bf0bc  2008.0/i586/ruby-doc-1.8.6-5.2mdv2008.0.i586.rpm
 0c43f8440eb12ec9178226ac5c77aa2e  2008.0/i586/ruby-tk-1.8.6-5.2mdv2008.0.i586.rpm 
 858395d3967c7de15b571385c197ccc4  2008.0/SRPMS/ruby-1.8.6-5.2mdv2008.0.src.rpm

2007.1 x86_64

 724556ab63e935db4a9f45612058936c  2007.1/x86_64/ruby-1.8.5-5.2mdv2007.1.x86_64.rpm
 6ec3a76f976514e17fb99711e3cc68e3  2007.1/x86_64/ruby-devel-1.8.5-5.2mdv2007.1.x86_64.rpm
 5c9deb0ff0b1696e8218f5000343bfac  2007.1/x86_64/ruby-doc-1.8.5-5.2mdv2007.1.x86_64.rpm
 ec156fb4f2f8f734b4f89a9aa16a62e8  2007.1/x86_64/ruby-tk-1.8.5-5.2mdv2007.1.x86_64.rpm 
 33d63f4835688a0ab7581c362e75dd64  2007.1/SRPMS/ruby-1.8.5-5.2mdv2007.1.src.rpm

References