ID CVE-2008-2376
Summary Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. NOTE: this issue exists because of an incomplete fix for other closely related integer overflows.
References
Vulnerable Configurations
  • Red Hat Fedora 8
    cpe:2.3:o:redhat:fedora_8:1.8.6.230
  • Ruby-lang Ruby 1.8.6.230
    cpe:2.3:a:ruby-lang:ruby:1.8.6.230
CVSS
Base: 7.5 (as of 09-07-2008 - 14:49)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-6033.NASL
    description - Tue Jul 1 2008 Akira TAGOH - 1.8.6.230-4 - Backported from upstream SVN to fix a segfault issue with Array#fill. - Mon Jun 30 2008 Akira TAGOH - 1.8.6.230-3 - Backported from upstream SVN to fix a segfault issue. (#452825) - Backported from upstream SVN to fix an integer overflow in rb_ary_fill. - Wed Jun 25 2008 Akira TAGOH - 1.8.6.230-2 - Fix a segfault issue. (#452809) - Tue Jun 24 2008 Akira TAGOH - 1.8.6.230-1 - New upstream release. - Security fixes. (#452294). - CVE-2008-1891: WEBrick CGI source disclosure. - CVE-2008-2662: Integer overflow in rb_str_buf_append(). - CVE-2008-2663: Integer overflow in rb_ary_store(). - CVE-2008-2664: Unsafe use of alloca in rb_str_format(). - CVE-2008-2725: Integer overflow in rb_ary_splice(). - CVE-2008-2726: Integer overflow in rb_ary_splice(). - ruby-1.8.6.111-CVE-2007-5162.patch: removed. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 33408
    published 2008-07-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33408
    title Fedora 9 : ruby-1.8.6.230-4.fc9 (2008-6033)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-6094.NASL
    description - Tue Jul 1 2008 Akira TAGOH - 1.8.6.230-4 - Backported from upstream SVN to fix a segfault issue with Array#fill. - Mon Jun 30 2008 Akira TAGOH - 1.8.6.230-3 - Backported from upstream SVN to fix a segfault issue. (#452825) - Backported from upstream SVN to fix an integer overflow in rb_ary_fill. - Wed Jun 25 2008 Akira TAGOH - 1.8.6.230-2 - Fix a segfault issue. (#452798) - Tue Jun 24 2008 Akira TAGOH - 1.8.6.230-1 - New upstream release. - Security fixes. (#452293) - CVE-2008-1891: WEBrick CGI source disclosure. - CVE-2008-2662: Integer overflow in rb_str_buf_append(). - CVE-2008-2663: Integer overflow in rb_ary_store(). - CVE-2008-2664: Unsafe use of alloca in rb_str_format(). - CVE-2008-2725: Integer overflow in rb_ary_splice(). - CVE-2008-2726: Integer overflow in rb_ary_splice(). - ruby-1.8.6.111-CVE-2007-5162.patch: removed. - Tue Mar 4 2008 Akira TAGOH - 1.8.6.114-1 - Security fix for CVE-2008-1145. - Improve a spec file. (#226381) - Correct License tag. - Fix a timestamp issue. - Own an arch-specific directory. - Tue Feb 19 2008 Fedora Release Engineering - 1.8.6.111-9 - Autorebuild for GCC 4.3 - Tue Feb 19 2008 Akira TAGOH - 1.8.6.111-8 - Rebuild for gcc-4.3. - Tue Jan 15 2008 Akira TAGOH - 1.8.6.111-7 - Revert the change of libruby-static.a. (#428384) - Fri Jan 11 2008 Akira TAGOH - 1.8.6.111-6 - Fix an unnecessary replacement for shebang. (#426835) - Fri Jan 4 2008 Akira TAGOH - 1.8.6.111-5 - Rebuild. - Fri Dec 28 2007 Akira TAGOH - 1.8.6.111-4 - Clean up again. - Fri Dec 21 2007 Akira TAGOH - 1.8.6.111-3 - Clean up the spec file. - Remove ruby-man-1.4.6 stuff. This is entirely the out-dated document. This could be replaced by ri. - Disable the static library building. - Tue Dec 4 2007 Release Engineering - 1.8.6.111-2 - Rebuild for openssl bump - Wed Oct 31 2007 Akira TAGOH - Fix the dead link. - Mon Oct 29 2007 Akira TAGOH - 1.8.6.111-1 - New upstream release. - ruby-1.8.6.111-CVE-2007-5162.patch: Update a bit with backporting the changes at trunk to enable the fix without any modifications on the users' scripts. Note that Net::HTTP#enable_post_connection_check isn't available anymore. If you want to disable this post-check, you should give OpenSSL::SSL::VERIFY_NONE to Net::HTTP#verify_mode= instead. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-21
    plugin id 33413
    published 2008-07-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33413
    title Fedora 8 : ruby-1.8.6.230-4.fc8 (2008-6094)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200812-17.NASL
    description The remote host is affected by the vulnerability described in GLSA-200812-17 (Ruby: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in the Ruby interpreter and its standard libraries. Drew Yao of Apple Product Security discovered the following flaws: Arbitrary code execution or Denial of Service (memory corruption) in the rb_str_buf_append() function (CVE-2008-2662). Arbitrary code execution or Denial of Service (memory corruption) in the rb_ary_store() function (CVE-2008-2663). Memory corruption via alloca in the rb_str_format() function (CVE-2008-2664). Memory corruption ('REALLOC_N') in the rb_ary_splice() and rb_ary_replace() functions (CVE-2008-2725). Memory corruption ('beg + rlen') in the rb_ary_splice() and rb_ary_replace() functions (CVE-2008-2726). Furthermore, several other vulnerabilities have been reported: Tanaka Akira reported an issue with resolv.rb that enables attackers to spoof DNS responses (CVE-2008-1447). Akira Tagoh of RedHat discovered a Denial of Service (crash) issue in the rb_ary_fill() function in array.c (CVE-2008-2376). Several safe level bypass vulnerabilities were discovered and reported by Keita Yamaguchi (CVE-2008-3655). Christian Neukirchen is credited for discovering a Denial of Service (CPU consumption) attack in the WEBrick HTTP server (CVE-2008-3656). A fault in the dl module that allowed the circumvention of taintness checks, which could possibly lead to insecure code execution, was reported by 'sheepman' (CVE-2008-3657). Tanaka Akira again found a DNS spoofing vulnerability caused by the resolv.rb implementation using poor randomness (CVE-2008-3905). Luka Treiber and Mitja Kolsek (ACROS Security) disclosed a Denial of Service (CPU consumption) vulnerability in the REXML module when dealing with recursive entity expansion (CVE-2008-3790). Impact : These vulnerabilities allow remote attackers to execute arbitrary code, spoof DNS responses, bypass Ruby's built-in security and taintness checks, and cause a Denial of Service via crash or CPU exhaustion. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 35188
    published 2008-12-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35188
    title GLSA-200812-17 : Ruby: Multiple vulnerabilities
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2008-006.NASL
    description The remote host is running a version of Mac OS X 10.4 that does not have the security update 2008-006 applied. This update contains security fixes for a number of programs.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 34210
    published 2008-09-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34210
    title Mac OS X Multiple Vulnerabilities (Security Update 2008-006)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_5_5.NASL
    description The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.5. Mac OS X 10.5.5 contains security fixes for a number of programs.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 34211
    published 2008-09-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34211
    title Mac OS X 10.5.x < 10.5.5 Multiple Vulnerabilities
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2008-0562.NASL
    description From Red Hat Security Advisory 2008:0562 : Updated ruby packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Ruby is an interpreted scripting language for quick and easy object-oriented programming. Multiple integer overflows leading to a heap overflow were discovered in the array- and string-handling code used by Ruby. An attacker could use these flaws to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using untrusted inputs in array or string operations. (CVE-2008-2376, CVE-2008-2663, CVE-2008-2725, CVE-2008-2726) It was discovered that Ruby used the alloca() memory allocation function in the format (%) method of the String class without properly restricting maximum string length. An attacker could use this flaw to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using long, untrusted strings as format strings. (CVE-2008-2664) Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting these issues. A flaw was discovered in the way Ruby's CGI module handles certain HTTP requests. A remote attacker could send a specially crafted request and cause the Ruby CGI script to enter an infinite loop, possibly causing a denial of service. (CVE-2006-6303) Users of Ruby should upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2016-12-07
    plugin id 67717
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67717
    title Oracle Linux 3 : ruby (ELSA-2008-0562)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0562.NASL
    description Updated ruby packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Ruby is an interpreted scripting language for quick and easy object-oriented programming. Multiple integer overflows leading to a heap overflow were discovered in the array- and string-handling code used by Ruby. An attacker could use these flaws to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using untrusted inputs in array or string operations. (CVE-2008-2376, CVE-2008-2663, CVE-2008-2725, CVE-2008-2726) It was discovered that Ruby used the alloca() memory allocation function in the format (%) method of the String class without properly restricting maximum string length. An attacker could use this flaw to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using long, untrusted strings as format strings. (CVE-2008-2664) Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting these issues. A flaw was discovered in the way Ruby's CGI module handles certain HTTP requests. A remote attacker could send a specially crafted request and cause the Ruby CGI script to enter an infinite loop, possibly causing a denial of service. (CVE-2006-6303) Users of Ruby should upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 33496
    published 2008-07-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33496
    title RHEL 2.1 / 3 : ruby (RHSA-2008:0562)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20080714_RUBY_ON_SL3_X.NASL
    description Multiple integer overflows leading to a heap overflow were discovered in the array- and string-handling code used by Ruby. An attacker could use these flaws to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using untrusted inputs in array or string operations. (CVE-2008-2376, CVE-2008-2663, CVE-2008-2725, CVE-2008-2726) It was discovered that Ruby used the alloca() memory allocation function in the format (%) method of the String class without properly restricting maximum string length. An attacker could use this flaw to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using long, untrusted strings as format strings. (CVE-2008-2664) A flaw was discovered in the way Ruby's CGI module handles certain HTTP requests. A remote attacker could send a specially crafted request and cause the Ruby CGI script to enter an infinite loop, possibly causing a denial of service. (CVE-2006-6303)
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60441
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60441
    title Scientific Linux Security Update : ruby on SL3.x i386/x86_64
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2008-0562.NASL
    description Updated ruby packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Ruby is an interpreted scripting language for quick and easy object-oriented programming. Multiple integer overflows leading to a heap overflow were discovered in the array- and string-handling code used by Ruby. An attacker could use these flaws to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using untrusted inputs in array or string operations. (CVE-2008-2376, CVE-2008-2663, CVE-2008-2725, CVE-2008-2726) It was discovered that Ruby used the alloca() memory allocation function in the format (%) method of the String class without properly restricting maximum string length. An attacker could use this flaw to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using long, untrusted strings as format strings. (CVE-2008-2664) Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting these issues. A flaw was discovered in the way Ruby's CGI module handles certain HTTP requests. A remote attacker could send a specially crafted request and cause the Ruby CGI script to enter an infinite loop, possibly causing a denial of service. (CVE-2006-6303) Users of Ruby should upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 33489
    published 2008-07-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33489
    title CentOS 3 : ruby (CESA-2008:0562)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0561.NASL
    description Updated ruby packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Ruby is an interpreted scripting language for quick and easy object-oriented programming. Multiple integer overflows leading to a heap overflow were discovered in the array- and string-handling code used by Ruby. An attacker could use these flaws to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using untrusted inputs in array or string operations. (CVE-2008-2376, CVE-2008-2662, CVE-2008-2663, CVE-2008-2725, CVE-2008-2726) It was discovered that Ruby used the alloca() memory allocation function in the format (%) method of the String class without properly restricting maximum string length. An attacker could use this flaw to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using long, untrusted strings as format strings. (CVE-2008-2664) Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting these issues. Users of Ruby should upgrade to these updated packages, which contain a backported patch to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 33495
    published 2008-07-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33495
    title RHEL 4 / 5 : ruby (RHSA-2008:0561)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1618.NASL
    description Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-2662 Drew Yao discovered that multiple integer overflows in the string processing code may lead to denial of service and potentially the execution of arbitrary code. - CVE-2008-2663 Drew Yao discovered that multiple integer overflows in the string processing code may lead to denial of service and potentially the execution of arbitrary code. - CVE-2008-2664 Drew Yao discovered that a programming error in the string processing code may lead to denial of service and potentially the execution of arbitrary code. - CVE-2008-2725 Drew Yao discovered that an integer overflow in the array handling code may lead to denial of service and potentially the execution of arbitrary code. - CVE-2008-2726 Drew Yao discovered that an integer overflow in the array handling code may lead to denial of service and potentially the execution of arbitrary code. - CVE-2008-2376 It was discovered that an integer overflow in the array handling code may lead to denial of service and potentially the execution of arbitrary code.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 33738
    published 2008-07-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33738
    title Debian DSA-1618-1 : ruby1.9 - several vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1612.NASL
    description Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-2662 Drew Yao discovered that multiple integer overflows in the string processing code may lead to denial of service and potentially the execution of arbitrary code. - CVE-2008-2663 Drew Yao discovered that multiple integer overflows in the string processing code may lead to denial of service and potentially the execution of arbitrary code. - CVE-2008-2664 Drew Yao discovered that a programming error in the string processing code may lead to denial of service and potentially the execution of arbitrary code. - CVE-2008-2725 Drew Yao discovered that an integer overflow in the array handling code may lead to denial of service and potentially the execution of arbitrary code. - CVE-2008-2726 Drew Yao discovered that an integer overflow in the array handling code may lead to denial of service and potentially the execution of arbitrary code. - CVE-2008-2376 It was discovered that an integer overflow in the array handling code may lead to denial of service and potentially the execution of arbitrary code.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 33551
    published 2008-07-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33551
    title Debian DSA-1612-1 : ruby1.8 - several vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2008-140.NASL
    description Multiple vulnerabilities have been found in the Ruby interpreter and in Webrick, the webserver bundled with Ruby. Directory traversal vulnerability in WEBrick in Ruby 1.9.0 and earlier, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option. (CVE-2008-1891) Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption. (CVE-2008-2662) Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors. (CVE-2008-2663) The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca. (CVE-2008-2664) Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the REALLOC_N variant. (CVE-2008-2725) Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption, aka the beg + rlen issue. (CVE-2008-2726) Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. (CVE-2008-2376) The updated packages have been patched to fix these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 36689
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36689
    title Mandriva Linux Security Advisory : ruby (MDVSA-2008:140)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2008-0561.NASL
    description From Red Hat Security Advisory 2008:0561 : Updated ruby packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Ruby is an interpreted scripting language for quick and easy object-oriented programming. Multiple integer overflows leading to a heap overflow were discovered in the array- and string-handling code used by Ruby. An attacker could use these flaws to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using untrusted inputs in array or string operations. (CVE-2008-2376, CVE-2008-2662, CVE-2008-2663, CVE-2008-2725, CVE-2008-2726) It was discovered that Ruby used the alloca() memory allocation function in the format (%) method of the String class without properly restricting maximum string length. An attacker could use this flaw to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using long, untrusted strings as format strings. (CVE-2008-2664) Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting these issues. Users of Ruby should upgrade to these updated packages, which contain a backported patch to resolve these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67716
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67716
    title Oracle Linux 4 / 5 : ruby (ELSA-2008-0561)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2008-0561.NASL
    description Updated ruby packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Ruby is an interpreted scripting language for quick and easy object-oriented programming. Multiple integer overflows leading to a heap overflow were discovered in the array- and string-handling code used by Ruby. An attacker could use these flaws to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using untrusted inputs in array or string operations. (CVE-2008-2376, CVE-2008-2662, CVE-2008-2663, CVE-2008-2725, CVE-2008-2726) It was discovered that Ruby used the alloca() memory allocation function in the format (%) method of the String class without properly restricting maximum string length. An attacker could use this flaw to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using long, untrusted strings as format strings. (CVE-2008-2664) Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting these issues. Users of Ruby should upgrade to these updated packages, which contain a backported patch to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 43694
    published 2010-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43694
    title CentOS 4 / 5 : ruby (CESA-2008:0561)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2008-141.NASL
    description Multiple vulnerabilities have been found in the Ruby interpreter and in Webrick, the webserver bundled with Ruby. Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) ..%5c (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option. (CVE-2008-1145) Directory traversal vulnerability in WEBrick in Ruby 1.9.0 and earlier, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option. (CVE-2008-1891) Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption. (CVE-2008-2662) Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors. (CVE-2008-2663) The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca. (CVE-2008-2664) Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the REALLOC_N variant. (CVE-2008-2725) Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption, aka the beg + rlen issue. (CVE-2008-2726) Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. (CVE-2008-2376) The updated packages have been patched to fix these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 37401
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37401
    title Mandriva Linux Security Advisory : ruby (MDVSA-2008:141)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20080714_RUBY_ON_SL4_X.NASL
    description Multiple integer overflows leading to a heap overflow were discovered in the array- and string-handling code used by Ruby. An attacker could use these flaws to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using untrusted inputs in array or string operations. (CVE-2008-2376, CVE-2008-2662, CVE-2008-2663, CVE-2008-2725, CVE-2008-2726) It was discovered that Ruby used the alloca() memory allocation function in the format (%) method of the String class without properly restricting maximum string length. An attacker could use this flaw to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using long, untrusted strings as format strings. (CVE-2008-2664)
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60442
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60442
    title Scientific Linux Security Update : ruby on SL4.x, SL5.x i386/x86_64
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-651-1.NASL
    description Akira Tagoh discovered a vulnerability in Ruby which led to an integer overflow. If a user or automated system were tricked into running a malicious script, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2376) Laurent Gaffie discovered that Ruby did not properly check for memory allocation failures. If a user or automated system were tricked into running a malicious script, an attacker could cause a denial of service. (CVE-2008-3443) Keita Yamaguchi discovered several safe level vulnerabilities in Ruby. An attacker could use this to bypass intended access restrictions. (CVE-2008-3655) Keita Yamaguchi discovered that WEBrick in Ruby did not properly validate paths ending with '.'. A remote attacker could send a crafted HTTP request and cause a denial of service. (CVE-2008-3656) Keita Yamaguchi discovered that the dl module in Ruby did not check the taintness of inputs. An attacker could exploit this vulnerability to bypass safe levels and execute dangerous functions. (CVE-2008-3657) Luka Treiber and Mitja Kolsek discovered that REXML in Ruby did not always use expansion limits when processing XML documents. If a user or automated system were tricked into opening a crafted XML file, an attacker could cause a denial of service via CPU consumption. (CVE-2008-3790) Jan Lieskovsky discovered several flaws in the name resolver of Ruby. A remote attacker could exploit this to spoof DNS entries, which could lead to misdirected traffic. This is a different vulnerability from CVE-2008-1447. (CVE-2008-3905). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 37068
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37068
    title Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : ruby1.8 vulnerabilities (USN-651-1)
oval via4
accepted 2013-04-29T04:22:51.987-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. NOTE: this issue exists because of an incomplete fix for other closely related integer overflows.
family unix
id oval:org.mitre.oval:def:9863
status accepted
submitted 2010-07-09T03:56:16-04:00
title Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. NOTE: this issue exists because of an incomplete fix for other closely related integer overflows.
version 24
redhat via4
advisories
rhsa
id RHSA-2008:0561
rpms
  • irb-0:1.8.1-7.el4_6.1
  • ruby-0:1.8.1-7.el4_6.1
  • ruby-devel-0:1.8.1-7.el4_6.1
  • ruby-docs-0:1.8.1-7.el4_6.1
  • ruby-libs-0:1.8.1-7.el4_6.1
  • ruby-mode-0:1.8.1-7.el4_6.1
  • ruby-tcltk-0:1.8.1-7.el4_6.1
  • ruby-0:1.8.5-5.el5_2.3
  • ruby-devel-0:1.8.5-5.el5_2.3
  • ruby-docs-0:1.8.5-5.el5_2.3
  • ruby-irb-0:1.8.5-5.el5_2.3
  • ruby-libs-0:1.8.5-5.el5_2.3
  • ruby-mode-0:1.8.5-5.el5_2.3
  • ruby-rdoc-0:1.8.5-5.el5_2.3
  • ruby-ri-0:1.8.5-5.el5_2.3
  • ruby-tcltk-0:1.8.5-5.el5_2.3
  • irb-0:1.6.8-12.el3
  • ruby-0:1.6.8-12.el3
  • ruby-devel-0:1.6.8-12.el3
  • ruby-docs-0:1.6.8-12.el3
  • ruby-libs-0:1.6.8-12.el3
  • ruby-mode-0:1.6.8-12.el3
  • ruby-tcltk-0:1.6.8-12.el3
refmap via4
apple APPLE-SA-2008-09-15
bugtraq 20080708 rPSA-2008-0218-1 ruby
cert TA08-260A
confirm
debian
  • DSA-1612
  • DSA-1618
fedora
  • FEDORA-2008-6033
  • FEDORA-2008-6094
gentoo GLSA-200812-17
mandriva
  • MDVSA-2008:140
  • MDVSA-2008:141
  • MDVSA-2008:142
mlist [oss-security] 20080702 More ruby integer overflows (rb_ary_fill / Array#fill)
secunia
  • 30927
  • 31006
  • 31062
  • 31090
  • 31181
  • 31256
  • 32219
  • 33178
ubuntu USN-651-1
vupen ADV-2008-2584
Last major update 07-03-2011 - 22:09
Published 08-07-2008 - 20:41
Last modified 11-10-2018 - 16:41