DOS Vulnerability in Ruby REXML

Bug #261459 reported by Neil Wilson
Affects           Status        Importance  Assigned to        Milestone
ruby1.8 (Ubuntu)  Fix Released  Undecided   Unassigned
Dapper            Fix Released  Undecided   Jamie Strandboge
Gutsy             Fix Released  Undecided   Jamie Strandboge
Hardy             Fix Released  Undecided   Jamie Strandboge

Bug Description

Binary package hint: libruby1.8

There is a new vulnerability in Ruby reported over the weekend.

http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/

There is a monkey patch fix available (http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb) but it really needs to go in the libraries.

1.8 series

    * 1.8.6-p287 and all prior versions
    * 1.8.7-p72 and all prior versions

1.9 series

    * all versions

Serge (serge-de-souza) wrote:

CVE-2008-3790

Brian Wang (dingting) wrote:

FYI, there's a proof of concept exploit here:

http://www.securityfocus.com/data/vulnerabilities/exploits/30802.rb

Jamie Strandboge (jdstrand) wrote:

Intrepid now has 1.8.7.72-1

Changed in ruby1.8:
status: New → Fix Released
assignee: nobody → jdstrand
status: New → Confirmed
assignee: nobody → jdstrand
status: New → Confirmed
assignee: nobody → jdstrand
status: New → Confirmed
Changed in ruby1.8:
status: Confirmed → In Progress
status: Confirmed → In Progress
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package ruby1.8 - 1.8.6.111-2ubuntu1.2

---------------
ruby1.8 (1.8.6.111-2ubuntu1.2) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service via resource exhaustion in the REXML
    module (LP: #261459)
    - debian/patches/102_CVE-2008-3790.dpatch: adjust rexml/document.rb and
      rexml/entity.rb to use expansion limits
    - CVE-2008-3790
  * SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
    service (LP: #246818)
    - debian/patches/103_CVE-2008-2376.dpatch: adjust array.c to properly
      check argument length
    - CVE-2008-2376
  * SECURITY UPDATE: denial of service via multiple long requests to a Ruby
    socket
    - debian/patches/104_CVE-2008-3443.dpatch: adjust regex.c to not use ruby
      managed memory and check for allocation failures
    - CVE-2008-3443
  * SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
    - debian/patches/105_CVE-2008-3656.dpatch: update webrick/httputils.rb to
      properly check paths ending with '.'
    - CVE-2008-3656
  * SECURITY UPDATE: predictable transaction id and source port for DNS
    requests (separate vulnerability from CVE-2008-1447)
    - debian/patches/106_CVE-2008-3905.dpatch: adjust resolv.rb to use
      SecureRandom for transaction id and source port
    - CVE-2008-3905
  * SECURITY UPDATE: safe level bypass via DL.dlopen
    - debian/patches/107_CVE-2008-3657.dpatch: adjust rb_str_to_ptr and
      rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
      propagate taint and check taintness of DLPtrData
    - CVE-2008-3657
  * SECURITY UPDATE: safe level bypass via multiple vectors
    - debian/patches/108_CVE-2008-3655.dpatch: use rb_secure(4) in variable.c
      and syslog.c, check for secure level 3 or higher in eval.c and make
      sure PROGRAM_NAME can't be modified
    - CVE-2008-3655

 -- Jamie Strandboge <email address hidden> Tue, 07 Oct 2008 13:34:00 -0500

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package ruby1.8 - 1.8.6.36-1ubuntu3.3

---------------
ruby1.8 (1.8.6.36-1ubuntu3.3) gutsy-security; urgency=low

  * SECURITY UPDATE: denial of service via resource exhaustion in the REXML
    module (LP: #261459)
    - debian/patches/103_CVE-2008-3790.dpatch: adjust rexml/document.rb and
      rexml/entity.rb to use expansion limits
    - CVE-2008-3790
  * SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
    service (LP: #246818)
    - debian/patches/104_CVE-2008-2376.dpatch: adjust array.c to properly
      check argument length
    - CVE-2008-2376
  * SECURITY UPDATE: denial of service via multiple long requests to a Ruby
    socket
    - debian/patches/105_CVE-2008-3443.dpatch: adjust regex.c to not use ruby
      managed memory and check for allocation failures
    - CVE-2008-3443
  * SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
    - debian/patches/106_CVE-2008-3656.dpatch: update webrick/httputils.rb to
      properly check paths ending with '.'
    - CVE-2008-3656
  * SECURITY UPDATE: predictable transaction id and source port for DNS
    requests (separate vulnerability from CVE-2008-1447)
    - debian/patches/107_CVE-2008-3905.dpatch: adjust resolv.rb to use
      SecureRandom for transaction id and source port
    - CVE-2008-3905
  * SECURITY UPDATE: safe level bypass via DL.dlopen
    - debian/patches/108_CVE-2008-3657.dpatch: adjust rb_str_to_ptr and
      rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
      propagate taint and check taintness of DLPtrData
    - CVE-2008-3657
  * SECURITY UPDATE: safe level bypass via multiple vectors
    - debian/patches/109_CVE-2008-3655.dpatch: use rb_secure(4) in variable.c
      and syslog.c, check for secure level 3 or higher in eval.c and make
      sure PROGRAM_NAME can't be modified
    - CVE-2008-3655

 -- Jamie Strandboge <email address hidden> Thu, 09 Oct 2008 08:47:35 -0500

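The fix the two changelogs above describe for CVE-2008-3790 ("adjust rexml/document.rb and rexml/entity.rb to use expansion limits") is the same mechanism the bug description's monkey patch bolted on from outside: REXML counts how many times it resolves an entity reference while expanding text and aborts once a ceiling is reached. Current REXML keeps that ceiling as REXML::Security.entity_expansion_limit (10 000 expansions by default) next to a byte ceiling, REXML::Security.entity_expansion_text_limit (10 240 bytes by default); the 2008 fix exposed the count as REXML::Document.entity_expansion_limit=, which survives as an alias. The Ruby below is an added example, not code from this bug report, the Ubuntu packages or the upstream rexml-expansion-fix.rb; it assumes a modern Ruby (2.1 or later, for REXML::Security). It constructs a small nested-entity document that expands to 100 KB, shows REXML rejecting it under the default limits, and then lifts the limits to show the amplification a pre-fix library would have performed. The function names (expansion_bomb, expand_root_text, with_expansion_limits) and both sample documents are this example's own.

```ruby
require "rexml/document"

# Constructed benign document: two nested entities, well within any limit.
BENIGN_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE greeting [
    <!ENTITY who "world">
    <!ENTITY msg "hello &who;">
  ]>
  <greeting>&msg;!</greeting>
XML

# Constructed expansion bomb: `depth` entities, each referencing the previous
# one `fanout` times. A ~250-byte document expands to fanout**depth bytes
# (100_000 with the defaults) and costs (fanout**depth - 1) / (fanout - 1)
# entity expansions (11_111), which is the amplification the limits cut off.
def expansion_bomb(fanout: 10, depth: 5)
  names = ("a".."z").first(depth)
  decls = names.each_with_index.map do |name, i|
    value = i.zero? ? "x" * fanout : "&#{names[i - 1]};" * fanout
    "  <!ENTITY #{name} \"#{value}\">"
  end
  "<!DOCTYPE bomb [\n#{decls.join("\n")}\n]>\n<bomb>&#{names.last};</bomb>\n"
end

# Parse the document and force expansion of the root element's text, which is
# where REXML resolves entity references. Returns [:ok, text] when expansion
# completes, or [:rejected, message] when REXML aborts because one of its
# limits was exceeded (REXML signals that with a plain RuntimeError;
# REXML::ParseException is a RuntimeError subclass, so it is caught too).
def expand_root_text(xml)
  doc = REXML::Document.new(xml)
  [:ok, doc.root.text]
rescue RuntimeError => e
  [:rejected, e.message]
end

# Run a block with both REXML limits temporarily replaced, restoring them
# afterwards. Setting them very high approximates the pre-fix library, which
# had no ceiling at all.
def with_expansion_limits(count:, text:)
  old_count = REXML::Security.entity_expansion_limit
  old_text  = REXML::Security.entity_expansion_text_limit
  REXML::Security.entity_expansion_limit = count
  REXML::Security.entity_expansion_text_limit = text
  yield
ensure
  REXML::Security.entity_expansion_limit = old_count
  REXML::Security.entity_expansion_text_limit = old_text
end

if $PROGRAM_NAME == __FILE__
  puts "benign:         #{expand_root_text(BENIGN_XML).inspect}"
  bomb = expansion_bomb
  puts "bomb is #{bomb.bytesize} bytes on the wire"
  status, detail = expand_root_text(bomb)
  puts "default limits: #{status} (#{detail})"
  status, text = with_expansion_limits(count: 1_000_000, text: 1_000_000) do
    expand_root_text(bomb)
  end
  puts "limits lifted:  #{status}, expanded to #{text.bytesize} bytes"
end
```

The thing to notice is that expansion happens when the text is read, not when REXML::Document.new returns, so an application that parses untrusted XML and later calls text on an element is the one that pays the expansion cost; the limits are enforced at exactly that point. Raising the limits globally, as the last step does, reproduces the vulnerable behaviour and is the wrong knob to reach for when a legitimate document trips the check; tightening the document or parsing it with a SAX-style parser that never materialises the expansion is the better fix.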
Changed in ruby1.8:
status: In Progress → Fix Released
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote:
Changed in ruby1.8:
status: In Progress → Fix Released
This report contains Public Security information  
Everyone can see this security related information.