What Are You Looking For?

Sign Up
Date:         Tue, 15 Jul 2008 15:57:00 -0500
Reply-To:     Troy Dawson 
Sender:       Security Errata for Scientific Linux
              
From:         Troy Dawson 
Subject:      Security ERRATA for ruby on SL3.x i386/x86_64
Comments: To: "scientific-linux-errata@fnal.gov"
          

Synopsis:	Moderate: ruby security update
Issue date:	2008-07-14
CVE Names:	CVE-2008-2663 CVE-2008-2664 CVE-2008-2725
                 CVE-2008-2726 CVE-2006-6303 CVE-2008-2376

Multiple integer overflows leading to a heap overflow were discovered in
the array- and string-handling code used by Ruby. An attacker could use
these flaws to crash a Ruby application or, possibly, execute arbitrary
code with the privileges of the Ruby application using untrusted inputs in
array or string operations. (CVE-2008-2376, CVE-2008-2663, CVE-2008-2725,
CVE-2008-2726)

It was discovered that Ruby used the alloca() memory allocation function in
the format (%) method of the String class without properly restricting
maximum string length. An attacker could use this flaw to crash a Ruby
application or, possibly, execute arbitrary code with the privileges of the
Ruby application using long, untrusted strings as format strings.
(CVE-2008-2664)

A flaw was discovered in the way Ruby's CGI module handles certain HTTP
requests. A remote attacker could send a specially crafted request and
cause the Ruby CGI script to enter an infinite loop, possibly causing a
denial of service. (CVE-2006-6303)

SL 3.0.x

     SRPMS:
ruby-1.6.8-12.el3.src.rpm
     i386:
ruby-1.6.8-12.el3.i386.rpm
ruby-devel-1.6.8-12.el3.i386.rpm
ruby-docs-1.6.8-12.el3.i386.rpm
ruby-libs-1.6.8-12.el3.i386.rpm
ruby-mode-1.6.8-12.el3.i386.rpm
ruby-tcltk-1.6.8-12.el3.i386.rpm
irb-1.6.8-12.el3.i386.rpm
     x86_64:
ruby-1.6.8-12.el3.x86_64.rpm
ruby-devel-1.6.8-12.el3.x86_64.rpm
ruby-docs-1.6.8-12.el3.x86_64.rpm
ruby-libs-1.6.8-12.el3.i386.rpm
ruby-libs-1.6.8-12.el3.x86_64.rpm
ruby-mode-1.6.8-12.el3.x86_64.rpm
ruby-tcltk-1.6.8-12.el3.x86_64.rpm
irb-1.6.8-12.el3.x86_64.rpm

-Connie Sieh
-Troy Dawson

SciLinux: CVE-2008-2663 ruby SL3.x i386/x86_64

Moderate: ruby security update

Summary

Date:         Tue, 15 Jul 2008 15:57:00 -0500Reply-To:     Troy Dawson Sender:       Security Errata for Scientific Linux              From:         Troy Dawson Subject:      Security ERRATA for ruby on SL3.x i386/x86_64Comments: To: "scientific-linux-errata@fnal.gov"          Synopsis:	Moderate: ruby security updateIssue date:	2008-07-14CVE Names:	CVE-2008-2663 CVE-2008-2664 CVE-2008-2725                 CVE-2008-2726 CVE-2006-6303 CVE-2008-2376Multiple integer overflows leading to a heap overflow were discovered inthe array- and string-handling code used by Ruby. An attacker could usethese flaws to crash a Ruby application or, possibly, execute arbitrarycode with the privileges of the Ruby application using untrusted inputs inarray or string operations. (CVE-2008-2376, CVE-2008-2663, CVE-2008-2725,CVE-2008-2726)It was discovered that Ruby used the alloca() memory allocation function inthe format (%) method of the String class without properly restrictingmaximum string length. An attacker could use this flaw to crash a Rubyapplication or, possibly, execute arbitrary code with the privileges of theRuby application using long, untrusted strings as format strings.(CVE-2008-2664)A flaw was discovered in the way Ruby's CGI module handles certain HTTPrequests. A remote attacker could send a specially crafted request andcause the Ruby CGI script to enter an infinite loop, possibly causing adenial of service. (CVE-2006-6303)SL 3.0.x     SRPMS:ruby-1.6.8-12.el3.src.rpm     i386:ruby-1.6.8-12.el3.i386.rpmruby-devel-1.6.8-12.el3.i386.rpmruby-docs-1.6.8-12.el3.i386.rpmruby-libs-1.6.8-12.el3.i386.rpmruby-mode-1.6.8-12.el3.i386.rpmruby-tcltk-1.6.8-12.el3.i386.rpmirb-1.6.8-12.el3.i386.rpm     x86_64:ruby-1.6.8-12.el3.x86_64.rpmruby-devel-1.6.8-12.el3.x86_64.rpmruby-docs-1.6.8-12.el3.x86_64.rpmruby-libs-1.6.8-12.el3.i386.rpmruby-libs-1.6.8-12.el3.x86_64.rpmruby-mode-1.6.8-12.el3.x86_64.rpmruby-tcltk-1.6.8-12.el3.x86_64.rpmirb-1.6.8-12.el3.x86_64.rpm-Connie Sieh-Troy Dawson



Security Fixes

Severity

Related News

Krasue RAT Malware Hides on Linux Servers Using Embedded Rootkits

Dec 7, 2023

Kali vs. ParrotOS: 2 Versatile Linux Distros for Security Pros

Dec 9, 2023

Kali Linux 2023.4 Released With New Hacking Tools

Dec 6, 2023

Severe Firefox, Thunderbird Bugs Could Lead to System Takeover

Dec 2, 2023

News

Advisories

HOWTOs

Features

Password Guessing as an Attack Vector
Using Open Source to Ensure Compliance & Data Integrity through Data Governance
Critical Linux Kernel Bugs Lead to DoS, Privilege Escalation - Patch Now!
Unlocking the Future of Authentication: Passkeys vs. Passwords
Empowering MSPs with Straightforward Linux Device Management

About Us

Powered By

Footer Logo