10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.021 Low
EPSS
Percentile
88.8%
CentOS Errata and Security Advisory CESA-2008:0561
Ruby is an interpreted scripting language for quick and easy
object-oriented programming.
Multiple integer overflows leading to a heap overflow were discovered in
the array- and string-handling code used by Ruby. An attacker could use
these flaws to crash a Ruby application or, possibly, execute arbitrary
code with the privileges of the Ruby application using untrusted inputs in
array or string operations. (CVE-2008-2376, CVE-2008-2662, CVE-2008-2663,
CVE-2008-2725, CVE-2008-2726)
It was discovered that Ruby used the alloca() memory allocation function in
the format (%) method of the String class without properly restricting
maximum string length. An attacker could use this flaw to crash a Ruby
application or, possibly, execute arbitrary code with the privileges of the
Ruby application using long, untrusted strings as format strings.
(CVE-2008-2664)
Red Hat would like to thank Drew Yao of the Apple Product Security team for
reporting these issues.
Users of Ruby should upgrade to these updated packages, which contain a
backported patch to resolve these issues.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2008-July/077273.html
https://lists.centos.org/pipermail/centos-announce/2008-July/077276.html
https://lists.centos.org/pipermail/centos-announce/2008-July/077277.html
https://lists.centos.org/pipermail/centos-announce/2008-July/077279.html
https://lists.centos.org/pipermail/centos-announce/2008-July/077283.html
https://lists.centos.org/pipermail/centos-announce/2008-July/077284.html
Affected packages:
irb
ruby
ruby-devel
ruby-docs
ruby-irb
ruby-libs
ruby-mode
ruby-rdoc
ruby-ri
ruby-tcltk
Upstream details at:
https://access.redhat.com/errata/RHSA-2008:0561
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
CentOS | 4 | ia64 | irb | <Β 1.8.1-7.el4_6.1 | irb-1.8.1-7.el4_6.1.ia64.rpm |
CentOS | 4 | ia64 | ruby | <Β 1.8.1-7.el4_6.1 | ruby-1.8.1-7.el4_6.1.ia64.rpm |
CentOS | 4 | ia64 | ruby-devel | <Β 1.8.1-7.el4_6.1 | ruby-devel-1.8.1-7.el4_6.1.ia64.rpm |
CentOS | 4 | ia64 | ruby-docs | <Β 1.8.1-7.el4_6.1 | ruby-docs-1.8.1-7.el4_6.1.ia64.rpm |
CentOS | 4 | ia64 | ruby-libs | <Β 1.8.1-7.el4_6.1 | ruby-libs-1.8.1-7.el4_6.1.ia64.rpm |
CentOS | 4 | ia64 | ruby-mode | <Β 1.8.1-7.el4_6.1 | ruby-mode-1.8.1-7.el4_6.1.ia64.rpm |
CentOS | 4 | ia64 | ruby-tcltk | <Β 1.8.1-7.el4_6.1 | ruby-tcltk-1.8.1-7.el4_6.1.ia64.rpm |
CentOS | 4 | s390 | irb | <Β 1.8.1-7.el4_6.1 | irb-1.8.1-7.el4_6.1.s390.rpm |
CentOS | 4 | s390 | ruby | <Β 1.8.1-7.el4_6.1 | ruby-1.8.1-7.el4_6.1.s390.rpm |
CentOS | 4 | s390 | ruby-devel | <Β 1.8.1-7.el4_6.1 | ruby-devel-1.8.1-7.el4_6.1.s390.rpm |