[gentoo-announce] [ GLSA 200812-17 ] Ruby: Multiple vulnerabilities

[news 28]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Gentoo Linux Security Advisory GLSA 200812-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

http://security.gentoo.org/

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Severity: Normal

Title: Ruby: Multiple vulnerabilities

Date: December 16, 2008

Bugs: #225465, #236060

ID: 200812-17

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Synopsis

========

 

Multiple vulnerabilities have been discovered in Ruby that allow for

attacks including arbitrary code execution and Denial of Service.

 

Background

==========

 

Ruby is an interpreted object-oriented programming language. The

elaborate standard library includes an HTTP server ("WEBRick") and a

class for XML parsing ("REXML").

 

Affected packages

=================

 

-------------------------------------------------------------------

Package / Vulnerable / Unaffected

-------------------------------------------------------------------

1 dev-lang/ruby < 1.8.6_p287-r1 >= 1.8.6_p287-r1

 

Description

===========

 

Multiple vulnerabilities have been discovered in the Ruby interpreter

and its standard libraries. Drew Yao of Apple Product Security

discovered the following flaws:

 

* Arbitrary code execution or Denial of Service (memory corruption)

in the rb_str_buf_append() function (CVE-2008-2662).

 

* Arbitrary code execution or Denial of Service (memory corruption)

in the rb_ary_stor() function (CVE-2008-2663).

 

* Memory corruption via alloca in the rb_str_format() function

(CVE-2008-2664).

 

* Memory corruption ("REALLOC_N") in the rb_ary_splice() and

rb_ary_replace() functions (CVE-2008-2725).

 

* Memory corruption ("beg + rlen") in the rb_ary_splice() and

rb_ary_replace() functions (CVE-2008-2726).

 

Furthermore, several other vulnerabilities have been reported:

 

* Tanaka Akira reported an issue with resolv.rb that enables

attackers to spoof DNS responses (CVE-2008-1447).

 

* Akira Tagoh of RedHat discovered a Denial of Service (crash) issue

in the rb_ary_fill() function in array.c (CVE-2008-2376).

 

* Several safe level bypass vulnerabilities were discovered and

reported by Keita Yamaguchi (CVE-2008-3655).

 

* Christian Neukirchen is credited for discovering a Denial of

Service (CPU consumption) attack in the WEBRick HTTP server

(CVE-2008-3656).

 

* A fault in the dl module allowed the circumvention of taintness

checks which could possibly lead to insecure code execution was

reported by "sheepman" (CVE-2008-3657).

 

* Tanaka Akira again found a DNS spoofing vulnerability caused by the

resolv.rb implementation using poor randomness (CVE-2008-3905).

 

* Luka Treiber and Mitja Kolsek (ACROS Security) disclosed a Denial

of Service (CPU consumption) vulnerability in the REXML module when

dealing with recursive entity expansion (CVE-2008-3790).

 

Impact

======

 

These vulnerabilities allow remote attackers to execute arbitrary code,

spoof DNS responses, bypass Ruby's built-in security and taintness

checks, and cause a Denial of Service via crash or CPU exhaustion.

 

Workaround

==========

 

There is no known workaround at this time.

 

Resolution

==========

 

All Ruby users should upgrade to the latest version:

 

# emerge --sync

# emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.6_p287-r1"

 

References

==========

 

[ 1 ] CVE-2008-1447

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447

[ 2 ] CVE-2008-2376

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2376

[ 3 ] CVE-2008-2662

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2662

[ 4 ] CVE-2008-2663

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2663

[ 5 ] CVE-2008-2664

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2664

[ 6 ] CVE-2008-2725

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2725

[ 7 ] CVE-2008-2726

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2726

[ 8 ] CVE-2008-3655

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3655

[ 9 ] CVE-2008-3656

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3656

[ 10 ] CVE-2008-3657

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3657

[ 11 ] CVE-2008-3790

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790

[ 12 ] CVE-2008-3905

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3905

 

Availability

============

 

This GLSA and any updates to it are available for viewing at

the Gentoo Security Website:

 

http://security.gentoo.org/glsa/glsa-200812-17.xml

 

Concerns?

=========

 

Security is a primary focus of Gentoo Linux and ensuring the

confidentiality and security of our users machines is of utmost

importance to us. Any security concerns should be addressed to

security ( -at -) gentoo.org or alternatively, you may file a bug at

http://bugs.gentoo.org.

 

License

=======

 

Copyright 2008 Gentoo Foundation, Inc; referenced text

belongs to its owner(s).

 

The contents of this document are licensed under the

Creative Commons - Attribution / Share Alike license.

 

http://creativecommons.org/licenses/by-sa/2.5