Package name
ruby
Date
2008-07-09
Advisory ID
MDVSA-2008:140
Affected versions
2008.1 x86_64 , 2008.1 i586

Problem description

Multiple vulnerabilities have been found in the Ruby interpreter and
in Webrick, the webserver bundled with Ruby.

Directory traversal vulnerability in WEBrick in Ruby 1.9.0
and earlier, when using NTFS or FAT filesystems, allows remote
attackers to read arbitrary CGI files via a trailing (1) + (plus),
(2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or
(5) %20 (encoded space) character in the URI, possibly related to
the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new
functionality and the :DocumentRoot option. (CVE-2008-1891)

Multiple integer overflows in the rb_str_buf_append function in
Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before
1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2
allow context-dependent attackers to execute arbitrary code or
cause a denial of service via unknown vectors that trigger memory
corruption. (CVE-2008-2662)

Multiple integer overflows in the rb_ary_store function in Ruby
1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230,
and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to
execute arbitrary code or cause a denial of service via unknown
vectors. (CVE-2008-2663)

The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before
1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0
before 1.9.0-2 allows context-dependent attackers to trigger memory
corruption via unspecified vectors related to alloca. (CVE-2008-2664)

Integer overflow in the rb_ary_splice function in Ruby 1.8.4
and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230,
and 1.8.7 before 1.8.7-p22 allows context-dependent attackers to
trigger memory corruption via unspecified vectors, aka the REALLOC_N
variant. (CVE-2008-2725)

Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and
earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before
1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers
to trigger memory corruption, aka the beg + rlen issue. (CVE-2008-2726)

Integer overflow in the rb_ary_fill function in array.c in Ruby before
revision 17756 allows context-dependent attackers to cause a denial
of service (crash) or possibly have unspecified other impact via a
call to the Array#fill method with a start (aka beg) argument greater
than ARY_MAX_SIZE. (CVE-2008-2376)

The updated packages have been patched to fix these issues.

Updated packages

2008.1 x86_64

 8de0e1cf1ca63db2336406dbdddf293d  2008.1/x86_64/ruby-1.8.6-9p114.1mdv2008.1.x86_64.rpm
 93a8132e84bd61ef5bc79e5833075fa2  2008.1/x86_64/ruby-devel-1.8.6-9p114.1mdv2008.1.x86_64.rpm
 0b6b2455e98dfbaf65cf91094fc3ca09  2008.1/x86_64/ruby-doc-1.8.6-9p114.1mdv2008.1.x86_64.rpm
 ca1998f680630b126d243135f765e8e2  2008.1/x86_64/ruby-tk-1.8.6-9p114.1mdv2008.1.x86_64.rpm 
 b7598818fcbe7488f1d2e65a4881aa6a  2008.1/SRPMS/ruby-1.8.6-9p114.1mdv2008.1.src.rpm

2008.1 i586

 0e1e1ae20f5896be9834c92122ca7370  2008.1/i586/ruby-1.8.6-9p114.1mdv2008.1.i586.rpm
 36d73cca1086770e7279fd1dd14e4e2f  2008.1/i586/ruby-devel-1.8.6-9p114.1mdv2008.1.i586.rpm
 587b0727fe52509778bf1848e5a83de3  2008.1/i586/ruby-doc-1.8.6-9p114.1mdv2008.1.i586.rpm
 04f6c795bc9b7e54f055e0da561ca045  2008.1/i586/ruby-tk-1.8.6-9p114.1mdv2008.1.i586.rpm 
 b7598818fcbe7488f1d2e65a4881aa6a  2008.1/SRPMS/ruby-1.8.6-9p114.1mdv2008.1.src.rpm

References