irb, ruby security update

CentOS Errata and Security Advisory CESA-2008:0562

Ruby is an interpreted scripting language for quick and easy
object-oriented programming.

Multiple integer overflows leading to a heap overflow were discovered in
the array- and string-handling code used by Ruby. An attacker could use
these flaws to crash a Ruby application or, possibly, execute arbitrary
code with the privileges of the Ruby application using untrusted inputs in
array or string operations. (CVE-2008-2376, CVE-2008-2663, CVE-2008-2725,
CVE-2008-2726)

It was discovered that Ruby used the alloca() memory allocation function in
the format (%) method of the String class without properly restricting
maximum string length. An attacker could use this flaw to crash a Ruby
application or, possibly, execute arbitrary code with the privileges of the
Ruby application using long, untrusted strings as format strings.
(CVE-2008-2664)

Red Hat would like to thank Drew Yao of the Apple Product Security team for
reporting these issues.

A flaw was discovered in the way Ruby’s CGI module handles certain HTTP
requests. A remote attacker could send a specially crafted request and
cause the Ruby CGI script to enter an infinite loop, possibly causing a
denial of service. (CVE-2006-6303)

Users of Ruby should upgrade to these updated packages, which contain a
backported patches to resolve these issues.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2008-July/077272.html
https://lists.centos.org/pipermail/centos-announce/2008-July/077275.html
https://lists.centos.org/pipermail/centos-announce/2008-July/077286.html
https://lists.centos.org/pipermail/centos-announce/2008-July/077287.html

Affected packages:
irb
ruby
ruby-devel
ruby-docs
ruby-libs
ruby-mode
ruby-tcltk

Upstream details at:
https://access.redhat.com/errata/RHSA-2008:0562