What Are You Looking For?

Sign Up
Date:         Mon, 14 Jul 2008 14:56:44 -0500
Reply-To:     Troy Dawson 
Sender:       Security Errata for Scientific Linux
              
From:         Troy Dawson 
Subject:      Security ERRATA for ruby on SL4.x, SL5.x i386/x86_64
Comments: To: "scientific-linux-errata@fnal.gov"
          

Synopsis:	Moderate: ruby security update
Issue date:	2008-07-14
CVE Names:	CVE-2008-2662 CVE-2008-2663 CVE-2008-2664
                 CVE-2008-2725 CVE-2008-2726 CVE-2008-2376

Multiple integer overflows leading to a heap overflow were discovered in
the array- and string-handling code used by Ruby. An attacker could use
these flaws to crash a Ruby application or, possibly, execute arbitrary
code with the privileges of the Ruby application using untrusted inputs in
array or string operations. (CVE-2008-2376, CVE-2008-2662, CVE-2008-2663,
CVE-2008-2725, CVE-2008-2726)

It was discovered that Ruby used the alloca() memory allocation function in
the format (%) method of the String class without properly restricting
maximum string length. An attacker could use this flaw to crash a Ruby
application or, possibly, execute arbitrary code with the privileges of the
Ruby application using long, untrusted strings as format strings.
(CVE-2008-2664)

SL 4.x

     SRPMS:
ruby-1.8.1-7.el4_6.1.src.rpm
     i386:
irb-1.8.1-7.el4_6.1.i386.rpm
ruby-1.8.1-7.el4_6.1.i386.rpm
ruby-devel-1.8.1-7.el4_6.1.i386.rpm
ruby-docs-1.8.1-7.el4_6.1.i386.rpm
ruby-libs-1.8.1-7.el4_6.1.i386.rpm
ruby-mode-1.8.1-7.el4_6.1.i386.rpm
ruby-tcltk-1.8.1-7.el4_6.1.i386.rpm
     x86_64:
irb-1.8.1-7.el4_6.1.x86_64.rpm
ruby-1.8.1-7.el4_6.1.x86_64.rpm
ruby-devel-1.8.1-7.el4_6.1.x86_64.rpm
ruby-docs-1.8.1-7.el4_6.1.x86_64.rpm
ruby-libs-1.8.1-7.el4_6.1.i386.rpm
ruby-libs-1.8.1-7.el4_6.1.x86_64.rpm
ruby-mode-1.8.1-7.el4_6.1.x86_64.rpm
ruby-tcltk-1.8.1-7.el4_6.1.x86_64.rpm

SL 5.x

     SRPMS:
ruby-1.8.5-5.el5_2.3.src.rpm
     i386:
ruby-1.8.5-5.el5_2.3.i386.rpm
ruby-devel-1.8.5-5.el5_2.3.i386.rpm
ruby-docs-1.8.5-5.el5_2.3.i386.rpm
ruby-irb-1.8.5-5.el5_2.3.i386.rpm
ruby-libs-1.8.5-5.el5_2.3.i386.rpm
ruby-mode-1.8.5-5.el5_2.3.i386.rpm
ruby-rdoc-1.8.5-5.el5_2.3.i386.rpm
ruby-ri-1.8.5-5.el5_2.3.i386.rpm
ruby-tcltk-1.8.5-5.el5_2.3.i386.rpm
     x86_64:
ruby-1.8.5-5.el5_2.3.x86_64.rpm
ruby-devel-1.8.5-5.el5_2.3.i386.rpm
ruby-devel-1.8.5-5.el5_2.3.x86_64.rpm
ruby-docs-1.8.5-5.el5_2.3.x86_64.rpm
ruby-irb-1.8.5-5.el5_2.3.x86_64.rpm
ruby-libs-1.8.5-5.el5_2.3.i386.rpm
ruby-libs-1.8.5-5.el5_2.3.x86_64.rpm
ruby-mode-1.8.5-5.el5_2.3.x86_64.rpm
ruby-rdoc-1.8.5-5.el5_2.3.x86_64.rpm
ruby-ri-1.8.5-5.el5_2.3.x86_64.rpm
ruby-tcltk-1.8.5-5.el5_2.3.x86_64.rpm

-Connie Sieh
-Troy Dawson

SciLinux: CVE-2008-2662 ruby SL4.x, SL5.x i386/x86_64

Moderate: ruby security update

Summary

Date:         Mon, 14 Jul 2008 14:56:44 -0500Reply-To:     Troy Dawson Sender:       Security Errata for Scientific Linux              From:         Troy Dawson Subject:      Security ERRATA for ruby on SL4.x, SL5.x i386/x86_64Comments: To: "scientific-linux-errata@fnal.gov"          Synopsis:	Moderate: ruby security updateIssue date:	2008-07-14CVE Names:	CVE-2008-2662 CVE-2008-2663 CVE-2008-2664                 CVE-2008-2725 CVE-2008-2726 CVE-2008-2376Multiple integer overflows leading to a heap overflow were discovered inthe array- and string-handling code used by Ruby. An attacker could usethese flaws to crash a Ruby application or, possibly, execute arbitrarycode with the privileges of the Ruby application using untrusted inputs inarray or string operations. (CVE-2008-2376, CVE-2008-2662, CVE-2008-2663,CVE-2008-2725, CVE-2008-2726)It was discovered that Ruby used the alloca() memory allocation function inthe format (%) method of the String class without properly restrictingmaximum string length. An attacker could use this flaw to crash a Rubyapplication or, possibly, execute arbitrary code with the privileges of theRuby application using long, untrusted strings as format strings.(CVE-2008-2664)SL 4.x     SRPMS:ruby-1.8.1-7.el4_6.1.src.rpm     i386:irb-1.8.1-7.el4_6.1.i386.rpmruby-1.8.1-7.el4_6.1.i386.rpmruby-devel-1.8.1-7.el4_6.1.i386.rpmruby-docs-1.8.1-7.el4_6.1.i386.rpmruby-libs-1.8.1-7.el4_6.1.i386.rpmruby-mode-1.8.1-7.el4_6.1.i386.rpmruby-tcltk-1.8.1-7.el4_6.1.i386.rpm     x86_64:irb-1.8.1-7.el4_6.1.x86_64.rpmruby-1.8.1-7.el4_6.1.x86_64.rpmruby-devel-1.8.1-7.el4_6.1.x86_64.rpmruby-docs-1.8.1-7.el4_6.1.x86_64.rpmruby-libs-1.8.1-7.el4_6.1.i386.rpmruby-libs-1.8.1-7.el4_6.1.x86_64.rpmruby-mode-1.8.1-7.el4_6.1.x86_64.rpmruby-tcltk-1.8.1-7.el4_6.1.x86_64.rpmSL 5.x     SRPMS:ruby-1.8.5-5.el5_2.3.src.rpm     i386:ruby-1.8.5-5.el5_2.3.i386.rpmruby-devel-1.8.5-5.el5_2.3.i386.rpmruby-docs-1.8.5-5.el5_2.3.i386.rpmruby-irb-1.8.5-5.el5_2.3.i386.rpmruby-libs-1.8.5-5.el5_2.3.i386.rpmruby-mode-1.8.5-5.el5_2.3.i386.rpmruby-rdoc-1.8.5-5.el5_2.3.i386.rpmruby-ri-1.8.5-5.el5_2.3.i386.rpmruby-tcltk-1.8.5-5.el5_2.3.i386.rpm     x86_64:ruby-1.8.5-5.el5_2.3.x86_64.rpmruby-devel-1.8.5-5.el5_2.3.i386.rpmruby-devel-1.8.5-5.el5_2.3.x86_64.rpmruby-docs-1.8.5-5.el5_2.3.x86_64.rpmruby-irb-1.8.5-5.el5_2.3.x86_64.rpmruby-libs-1.8.5-5.el5_2.3.i386.rpmruby-libs-1.8.5-5.el5_2.3.x86_64.rpmruby-mode-1.8.5-5.el5_2.3.x86_64.rpmruby-rdoc-1.8.5-5.el5_2.3.x86_64.rpmruby-ri-1.8.5-5.el5_2.3.x86_64.rpmruby-tcltk-1.8.5-5.el5_2.3.x86_64.rpm-Connie Sieh-Troy Dawson



Security Fixes

Severity

Related News

Krasue RAT Malware Hides on Linux Servers Using Embedded Rootkits

Dec 7, 2023

Kali vs. ParrotOS: 2 Versatile Linux Distros for Security Pros

Dec 9, 2023

Kali Linux 2023.4 Released With New Hacking Tools

Dec 6, 2023

Severe Firefox, Thunderbird Bugs Could Lead to System Takeover

Dec 2, 2023

News

Advisories

HOWTOs

Features

Password Guessing as an Attack Vector
Using Open Source to Ensure Compliance & Data Integrity through Data Governance
Critical Linux Kernel Bugs Lead to DoS, Privilege Escalation - Patch Now!
Unlocking the Future of Authentication: Passkeys vs. Passwords
Empowering MSPs with Straightforward Linux Device Management

About Us

Powered By

Footer Logo