what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Mandriva Linux Security Advisory 2008-140

Mandriva Linux Security Advisory 2008-140
Posted Jul 10, 2008
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory - Multiple vulnerabilities have been found in the Ruby interpreter and in Webrick, the webserver bundled with Ruby. Directory traversal vulnerability in WEBrick in Ruby 1.9.0 and earlier, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3). (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option. Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption. Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors. The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca. Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the REALLOC_N variant. Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption, aka the beg + rlen issue. Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. The updated packages have been patched to fix these issues.

tags | advisory, remote, denial of service, overflow, arbitrary, cgi, vulnerability, ruby
systems | linux, mandriva
advisories | CVE-2008-1891, CVE-2008-2662, CVE-2008-2663, CVE-2008-2664, CVE-2008-2725, CVE-2008-2726, CVE-2008-2376
SHA-256 | a45de104c2cf46c98f8bf06ce63ea70dcc48916c7e9698d75ab39967a6fc8914

Mandriva Linux Security Advisory 2008-140

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2008:140
http://www.mandriva.com/security/
_______________________________________________________________________

Package : ruby
Date : July 9, 2008
Affected: 2008.1
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been found in the Ruby interpreter and
in Webrick, the webserver bundled with Ruby.

Directory traversal vulnerability in WEBrick in Ruby 1.9.0
and earlier, when using NTFS or FAT filesystems, allows remote
attackers to read arbitrary CGI files via a trailing (1) + (plus),
(2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or
(5) %20 (encoded space) character in the URI, possibly related to
the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new
functionality and the :DocumentRoot option. (CVE-2008-1891)

Multiple integer overflows in the rb_str_buf_append function in
Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before
1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2
allow context-dependent attackers to execute arbitrary code or
cause a denial of service via unknown vectors that trigger memory
corruption. (CVE-2008-2662)

Multiple integer overflows in the rb_ary_store function in Ruby
1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230,
and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to
execute arbitrary code or cause a denial of service via unknown
vectors. (CVE-2008-2663)

The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before
1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0
before 1.9.0-2 allows context-dependent attackers to trigger memory
corruption via unspecified vectors related to alloca. (CVE-2008-2664)

Integer overflow in the rb_ary_splice function in Ruby 1.8.4
and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230,
and 1.8.7 before 1.8.7-p22 allows context-dependent attackers to
trigger memory corruption via unspecified vectors, aka the REALLOC_N
variant. (CVE-2008-2725)

Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and
earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before
1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers
to trigger memory corruption, aka the beg + rlen issue. (CVE-2008-2726)

Integer overflow in the rb_ary_fill function in array.c in Ruby before
revision 17756 allows context-dependent attackers to cause a denial
of service (crash) or possibly have unspecified other impact via a
call to the Array#fill method with a start (aka beg) argument greater
than ARY_MAX_SIZE. (CVE-2008-2376)

The updated packages have been patched to fix these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1891
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2663
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2664
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2725
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2726
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2376
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.1:
0e1e1ae20f5896be9834c92122ca7370 2008.1/i586/ruby-1.8.6-9p114.1mdv2008.1.i586.rpm
36d73cca1086770e7279fd1dd14e4e2f 2008.1/i586/ruby-devel-1.8.6-9p114.1mdv2008.1.i586.rpm
587b0727fe52509778bf1848e5a83de3 2008.1/i586/ruby-doc-1.8.6-9p114.1mdv2008.1.i586.rpm
04f6c795bc9b7e54f055e0da561ca045 2008.1/i586/ruby-tk-1.8.6-9p114.1mdv2008.1.i586.rpm
b7598818fcbe7488f1d2e65a4881aa6a 2008.1/SRPMS/ruby-1.8.6-9p114.1mdv2008.1.src.rpm

Mandriva Linux 2008.1/X86_64:
8de0e1cf1ca63db2336406dbdddf293d 2008.1/x86_64/ruby-1.8.6-9p114.1mdv2008.1.x86_64.rpm
93a8132e84bd61ef5bc79e5833075fa2 2008.1/x86_64/ruby-devel-1.8.6-9p114.1mdv2008.1.x86_64.rpm
0b6b2455e98dfbaf65cf91094fc3ca09 2008.1/x86_64/ruby-doc-1.8.6-9p114.1mdv2008.1.x86_64.rpm
ca1998f680630b126d243135f765e8e2 2008.1/x86_64/ruby-tk-1.8.6-9p114.1mdv2008.1.x86_64.rpm
b7598818fcbe7488f1d2e65a4881aa6a 2008.1/SRPMS/ruby-1.8.6-9p114.1mdv2008.1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIdT7dmqjQ0CJFipgRAqx2AKDVcwjVj0MG/KrpovmuN0lr80ji6gCginyN
XY+EoayKcK8xfkVCiuDdk40=
=4hYe
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close