(RHSA-2008:0561) Moderate: ruby security update

Ruby is an interpreted scripting language for quick and easy
object-oriented programming.

Multiple integer overflows leading to a heap overflow were discovered in
the array- and string-handling code used by Ruby. An attacker could use
these flaws to crash a Ruby application or, possibly, execute arbitrary
code with the privileges of the Ruby application using untrusted inputs in
array or string operations. (CVE-2008-2376, CVE-2008-2662, CVE-2008-2663,
CVE-2008-2725, CVE-2008-2726)

It was discovered that Ruby used the alloca() memory allocation function in
the format (%) method of the String class without properly restricting
maximum string length. An attacker could use this flaw to crash a Ruby
application or, possibly, execute arbitrary code with the privileges of the
Ruby application using long, untrusted strings as format strings.
(CVE-2008-2664)

Red Hat would like to thank Drew Yao of the Apple Product Security team for
reporting these issues.

Users of Ruby should upgrade to these updated packages, which contain a
backported patch to resolve these issues.