MDVSA-2011:097

Nom du paquet

ruby

Date

2011-05-23

Advisory ID

MDVSA-2011:097

Affected versions

2009.0 x86_64 , MES5 i586 , 2010.1 i586 , 2009.0 i586 , MES5 x86_64 , 2010.1 x86_64

Problem description

Multiple vulnerabilities have been identified and fixed in ruby:

Cross-site scripting (XSS) vulnerability in the WEBrick HTTP server
in Ruby allows remote attackers to inject arbitrary web script or HTML
via a crafted URI that triggers a UTF-7 error page (CVE-2010-0541).

The FileUtils.remove_entry_secure method in Ruby allows local users
to delete arbitrary files via a symlink attack (CVE-2011-1004).

The safe-level feature in Ruby allows context-dependent attackers
to modify strings via the Exception#to_s method, as demonstrated by
changing an intended pathname (CVE-2011-1005).

The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
Ruby does not properly allocate memory, which allows context-dependent
attackers to execute arbitrary code or cause a denial of service
(application crash) via vectors involving creation of a large
BigDecimal value within a 64-bit process, related to an integer
truncation issue. (CVE-2011-0188).

Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct this issue.

Updated packages

2009.0 x86_64

 68a7d27517f1848f660418aa584eb3da  2009.0/x86_64/ruby-1.8.7-7p72.4mdv2009.0.x86_64.rpm
 19749daa6bf45dc43daa4561f107134c  2009.0/x86_64/ruby-devel-1.8.7-7p72.4mdv2009.0.x86_64.rpm
 68fb72ae12ba5ceadcc22434e13b4db1  2009.0/x86_64/ruby-doc-1.8.7-7p72.4mdv2009.0.x86_64.rpm
 9f0f091ffb3f1fc1418f765b974d93da  2009.0/x86_64/ruby-tk-1.8.7-7p72.4mdv2009.0.x86_64.rpm 
 fbe12ae1b2026227568007c26c3bc0c4  2009.0/SRPMS/ruby-1.8.7-7p72.4mdv2009.0.src.rpm

MES5 i586

 d07c49b37323079332997e866458ae9d  mes5/i586/ruby-1.8.7-7p72.4mdvmes5.2.i586.rpm
 5f7223ff9adf5efabaea360e5b18aadf  mes5/i586/ruby-devel-1.8.7-7p72.4mdvmes5.2.i586.rpm
 43901d6c806fa7233a6f5523e8f50390  mes5/i586/ruby-doc-1.8.7-7p72.4mdvmes5.2.i586.rpm
 350d1f6430aecfc3f2273faa2ccbb780  mes5/i586/ruby-tk-1.8.7-7p72.4mdvmes5.2.i586.rpm 
 45603b65b4f80c8e1858bbc84daf4494  mes5/SRPMS/ruby-1.8.7-7p72.4mdvmes5.2.src.rpm

2010.1 i586

 ddeaf58e58815fe6cc74655d622543af  2010.1/i586/ruby-1.8.7.p249-4.1mdv2010.2.i586.rpm
 6f18aaa77d93fcddbb98e12e5e829b2b  2010.1/i586/ruby-devel-1.8.7.p249-4.1mdv2010.2.i586.rpm
 5f23410b06cb0c11483ad0944511521c  2010.1/i586/ruby-doc-1.8.7.p249-4.1mdv2010.2.i586.rpm
 8cfeb511b56f105eb9c4f76be8255e65  2010.1/i586/ruby-tk-1.8.7.p249-4.1mdv2010.2.i586.rpm 
 26ba24fef0f0c25c1906479c4711e095  2010.1/SRPMS/ruby-1.8.7.p249-4.1mdv2010.2.src.rpm

2009.0 i586

 c066384f71562d23b04e4f37e06cd167  2009.0/i586/ruby-1.8.7-7p72.4mdv2009.0.i586.rpm
 663d190c3a9040a5e1f63d3c3ff48ba1  2009.0/i586/ruby-devel-1.8.7-7p72.4mdv2009.0.i586.rpm
 beb5b53b8d66028329b8e1884aa18c90  2009.0/i586/ruby-doc-1.8.7-7p72.4mdv2009.0.i586.rpm
 38bea5030db5e2d25f6348ef15150486  2009.0/i586/ruby-tk-1.8.7-7p72.4mdv2009.0.i586.rpm 
 fbe12ae1b2026227568007c26c3bc0c4  2009.0/SRPMS/ruby-1.8.7-7p72.4mdv2009.0.src.rpm

MES5 x86_64

 c6c7bd10892509e91ce007670cfaa22f  mes5/x86_64/ruby-1.8.7-7p72.4mdvmes5.2.x86_64.rpm
 3bb3451b8ed9ab86b10ef43a090d362e  mes5/x86_64/ruby-devel-1.8.7-7p72.4mdvmes5.2.x86_64.rpm
 dff5787e4172ea0941033b596293c08f  mes5/x86_64/ruby-doc-1.8.7-7p72.4mdvmes5.2.x86_64.rpm
 2c8951924ef6f80d1ca887f82f8deb47  mes5/x86_64/ruby-tk-1.8.7-7p72.4mdvmes5.2.x86_64.rpm 
 45603b65b4f80c8e1858bbc84daf4494  mes5/SRPMS/ruby-1.8.7-7p72.4mdvmes5.2.src.rpm

2010.1 x86_64

 9ce41813fa1b4c75c2427fd605127e0b  2010.1/x86_64/ruby-1.8.7.p249-4.1mdv2010.2.x86_64.rpm
 c20daba0703471c7a6131410ecad9ad6  2010.1/x86_64/ruby-devel-1.8.7.p249-4.1mdv2010.2.x86_64.rpm
 1d87d641bb55721b342a8c1d94483146  2010.1/x86_64/ruby-doc-1.8.7.p249-4.1mdv2010.2.x86_64.rpm
 307294ebb3e8fd4b4c56553c69f5c4d2  2010.1/x86_64/ruby-tk-1.8.7.p249-4.1mdv2010.2.x86_64.rpm 
 26ba24fef0f0c25c1906479c4711e095  2010.1/SRPMS/ruby-1.8.7.p249-4.1mdv2010.2.src.rpm

References

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0188
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1005
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1004
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0541