-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2008:142 http://www.mandriva.com/security/ _______________________________________________________________________ Package : ruby Date : July 9, 2008 Affected: Corporate 3.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities have been found in the Ruby interpreter and in Webrick, the webserver bundled with Ruby. Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) ..%5c (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option. (CVE-2008-1145) Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption, a different issue than CVE-2008-2663, CVE-2008-2664, and CVE-2008-2725. (CVE-2008-2662) Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors, a different issue than CVE-2008-2662, CVE-2008-2664, and CVE-2008-2725. (CVE-2008-2663) The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2725. (CVE-2008-2664) Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the REALLOC_N variant, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2664. (CVE-2008-2725) Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption, aka the beg + rlen issue. (CVE-2008-2726) Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. (CVE-2008-2376) The updated packages have been patched to fix these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1145 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2662 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2663 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2664 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2725 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2726 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2376 _______________________________________________________________________ Updated Packages: Corporate 3.0: 078849cb78d43bbe44aed5faba17ce36 corporate/3.0/i586/ruby-1.8.1-1.10.C30mdk.i586.rpm 0c7e275a33a125c790cd109d67ff7355 corporate/3.0/i586/ruby-devel-1.8.1-1.10.C30mdk.i586.rpm 1e30796a41e440eb9a1ca6589737bd88 corporate/3.0/i586/ruby-doc-1.8.1-1.10.C30mdk.i586.rpm 0414d9413e6d5fbed3cad3096ca1e23c corporate/3.0/i586/ruby-tk-1.8.1-1.10.C30mdk.i586.rpm c75fdfc1387b13c4fe50f929b9125516 corporate/3.0/SRPMS/ruby-1.8.1-1.10.C30mdk.src.rpm Corporate 3.0/X86_64: 4b6992996fe4d1df03c189bdd51b14bc corporate/3.0/x86_64/ruby-1.8.1-1.10.C30mdk.x86_64.rpm 475a0ee98a513a4d2aada6fdbe33ff9c corporate/3.0/x86_64/ruby-devel-1.8.1-1.10.C30mdk.x86_64.rpm 8fc454cc2d5edb758958e72ee2f92d03 corporate/3.0/x86_64/ruby-doc-1.8.1-1.10.C30mdk.x86_64.rpm dfac76704ce02fd86b5fc8e29bd8ea34 corporate/3.0/x86_64/ruby-tk-1.8.1-1.10.C30mdk.x86_64.rpm c75fdfc1387b13c4fe50f929b9125516 corporate/3.0/SRPMS/ruby-1.8.1-1.10.C30mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFIdU/HmqjQ0CJFipgRAh67AJ98tDlBvyey9EJ3hGYdB6SDUD79WwCg9oEg 3ydTGyWfa+N5DkHuJK8FxTw= =0+4d -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/