Gentoo Archives: gentoo-announce

From: Tobias Heinlein <keytoaster@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200812-17 ] Ruby: Multiple vulnerabilities
Date: Tue, 16 Dec 2008 20:42:01
Message-Id: 4948116E.7040306@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200812-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Ruby: Multiple vulnerabilities
Date: December 16, 2008
Bugs: #225465, #236060
ID: 200812-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Ruby that allow for
attacks including arbitrary code execution and Denial of Service.

Background
==========

Ruby is an interpreted object-oriented programming language. The
elaborate standard library includes an HTTP server ("WEBrick") and a
class for XML parsing ("REXML").

Affected packages
=================

-------------------------------------------------------------------
   Package                /  Vulnerable  /                 Unaffected
-------------------------------------------------------------------
 1  dev-lang/ruby           < 1.8.6_p287-r1        >= 1.8.6_p287-r1

Description
===========

Multiple vulnerabilities have been discovered in the Ruby interpreter
and its standard libraries. Drew Yao of Apple Product Security
discovered the following flaws:

* Arbitrary code execution or Denial of Service (memory corruption)
in the rb_str_buf_append() function (CVE-2008-2662).

* Arbitrary code execution or Denial of Service (memory corruption)
in the rb_ary_store() function (CVE-2008-2663).

* Memory corruption via alloca in the rb_str_format() function
(CVE-2008-2664).

* Memory corruption ("REALLOC_N") in the rb_ary_splice() and
rb_ary_replace() functions (CVE-2008-2725).

* Memory corruption ("beg + rlen") in the rb_ary_splice() and
rb_ary_replace() functions (CVE-2008-2726).

Furthermore, several other vulnerabilities have been reported:

* Tanaka Akira reported an issue with resolv.rb that enables
attackers to spoof DNS responses (CVE-2008-1447).

* Akira Tagoh of Red Hat discovered a Denial of Service (crash) issue
in the rb_ary_fill() function in array.c (CVE-2008-2376).

* Several safe level bypass vulnerabilities were discovered and
reported by Keita Yamaguchi (CVE-2008-3655).

* Christian Neukirchen is credited for discovering a Denial of
Service (CPU consumption) attack in the WEBrick HTTP server
(CVE-2008-3656).

* "sheepman" reported a fault in the dl module that allows taintness
checks to be circumvented, which could possibly lead to insecure code
execution (CVE-2008-3657).

* Tanaka Akira again found a DNS spoofing vulnerability caused by the
resolv.rb implementation using poor randomness (CVE-2008-3905).

* Luka Treiber and Mitja Kolsek (ACROS Security) disclosed a Denial
of Service (CPU consumption) vulnerability in the REXML module when
dealing with recursive entity expansion (CVE-2008-3790).

Impact
======

These vulnerabilities allow remote attackers to execute arbitrary code,
spoof DNS responses, bypass Ruby's built-in security and taintness
checks, and cause a Denial of Service via crash or CPU exhaustion.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Ruby users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.6_p287-r1"
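As an added example, not part of the advisory or of Gentoo's own tooling, the following POSIX sh helper checks an installed dev-lang/ruby version string against the Unaffected bound given in the table above (1.8.6_p287-r1), so a fleet of hosts can be audited before and after the emerge step. It assumes the version layout MAJOR.MINOR.PATCH[_pN][-rM] (Gentoo's full version grammar has more suffixes, which this check does not handle), and the version strings it is fed at the end are constructed samples rather than values from the advisory.

```shell
#!/bin/sh
# Added example, not part of the GLSA: decide whether an installed
# dev-lang/ruby version falls in the advisory's Vulnerable range
# (< 1.8.6_p287-r1). Assumption: versions use the layout
# MAJOR.MINOR.PATCH[_pN][-rM]; a missing _p or -r part counts as 0.

FIXED_VERSION="1.8.6_p287-r1"   # Unaffected bound from the table above

# version_cmp A B prints -1, 0 or 1 as A is lower than, equal to, or
# higher than B. Each version is split on '.', '_' and '-'; the first
# three fields are the numeric release, and any later 'pN' / 'rM'
# fields are the patch level and the Gentoo revision.
version_cmp() {
    printf '%s\n%s\n' "$1" "$2" | awk -F'[._-]' '
        {
            p = 0; r = 0
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^p[0-9]+$/) p = substr($i, 2)
                else if ($i ~ /^r[0-9]+$/) r = substr($i, 2)
            }
            key[NR, 1] = $1 + 0; key[NR, 2] = $2 + 0; key[NR, 3] = $3 + 0
            key[NR, 4] = p + 0;  key[NR, 5] = r + 0
        }
        END {
            for (i = 1; i <= 5; i++) {
                if (key[1, i] < key[2, i]) { print "-1"; exit }
                if (key[1, i] > key[2, i]) { print "1"; exit }
            }
            print "0"
        }'
}

# ruby_status VERSION prints "vulnerable" when VERSION sorts below the
# fixed version and "unaffected" otherwise.
ruby_status() {
    if [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]; then
        echo vulnerable
    else
        echo unaffected
    fi
}

# Constructed sample version strings (not taken from the advisory).
for v in 1.8.6_p114 1.8.6_p287 1.8.6_p287-r1 1.8.6_p287-r2 1.8.7_p72; do
    printf '%-16s %s\n' "$v" "$(ruby_status "$v")"
done
```

In use, feed ruby_status the version part of the installed atom, for instance the output of `qlist -Iv dev-lang/ruby` with the `dev-lang/ruby-` prefix stripped. Note that 1.8.6_p287 without a revision is still reported as vulnerable: the fix lives in the -r1 ebuild revision, which is why the advisory's bound carries the revision and why the check compares it as a separate field after the patch level.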

References
==========

[ 1 ] CVE-2008-1447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
[ 2 ] CVE-2008-2376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2376
[ 3 ] CVE-2008-2662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2662
[ 4 ] CVE-2008-2663
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2663
[ 5 ] CVE-2008-2664
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2664
[ 6 ] CVE-2008-2725
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2725
[ 7 ] CVE-2008-2726
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2726
[ 8 ] CVE-2008-3655
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3655
[ 9 ] CVE-2008-3656
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3656
[ 10 ] CVE-2008-3657
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3657
[ 11 ] CVE-2008-3790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790
[ 12 ] CVE-2008-3905
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3905

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200812-17.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or, alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature