Mandriva Linux Security Advisory 2011-098 - Cross-site scripting vulnerability in the WEBrick HTTP server in Ruby allows remote attackers to inject arbitrary web script or HTML via a crafted URI that triggers a UTF-7 error page. The safe-level feature in Ruby allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname. The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an integer truncation issue. The updated packages have been patched to correct this issue.
c941433f0af830382d2f5cef03846e0594fa90093d37e8faa51dbc590703d07c