Multiple vulnerabilities in Ruby may lead to a denial of service (DoS) condition or allow execution of arbitrary code.

Bug #241657 reported by Fabio FZero on 2008-06-20
276
Affects Status Importance Assigned to Milestone
ruby1.8 (Debian)
Fix Released
Unknown
ruby1.8 (Ubuntu)
Undecided
Unassigned
Dapper
High
Jamie Strandboge
Feisty
High
Jamie Strandboge
Gutsy
High
Jamie Strandboge
Hardy
High
Jamie Strandboge
Intrepid
Undecided
Unassigned
ruby1.9 (Debian)
Fix Released
Unknown
ruby1.9 (Ubuntu)
High
Jamie Strandboge
Dapper
High
Unassigned
Feisty
High
Unassigned
Gutsy
High
Unassigned
Hardy
High
Unassigned
Intrepid
High
Jamie Strandboge

Bug Description

Binary package hint: ruby1.8

*** Source: http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/ ***

Present on Ubuntu Gutsy Gibbon 7.10 (desktop and server)

Impact

With the following vulnerabilities, an attacker can lead to denial of service condition or execute arbitrary code.

    * CVE-2008-2662
    * CVE-2008-2663
    * CVE-2008-2725
    * CVE-2008-2726
    * CVE-2008-2727
    * CVE-2008-2728
    * CVE-2008-2664

Vulnerable versions

1.8 series

        * 1.8.4 and all prior versions
        * 1.8.5-p230 and all prior versions
        * 1.8.6-p229 and all prior versions
        * 1.8.7-p21 and all prior versions

1.9 series

        * 1.9.0-1 and all prior versions

Solution

1.8 series
    Please upgrade to 1.8.5-p231, or 1.8.6-p230, or 1.8.7-p22.

        * <URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p231.tar.gz> (md5sum: e900cf225d55414bffe878f00a85807c)
        * <URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p230.tar.gz> (md5sum: 5e8247e39be2dc3c1a755579c340857f)
        * <URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p22.tar.gz> (md5sum: fc3ede83a98f48d8cb6de2145f680ef2)

1.9 series
    Please upgrade to 1.9.0-2.

        * <URL:ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-2.tar.gz> (md5sum: 2a848b81ed1d6393b88eec8aa6173b75)

These versions also fix the vulnerability of WEBrick (CVE-2008-1891).

William Grant (wgrant) wrote :

ruby1.8 is fixed in Intrepid due to a Debian sync.

Changed in ruby1.8:
status: New → Fix Released
importance: Undecided → High
status: New → Triaged
importance: Undecided → High
status: New → Triaged
importance: Undecided → High
status: New → Triaged
importance: Undecided → High
status: New → Triaged
William Grant (wgrant) on 2008-06-23
Changed in ruby1.9:
importance: Undecided → High
status: New → Triaged
importance: Undecided → High
status: New → Triaged
importance: Undecided → High
status: New → Triaged
importance: Undecided → High
status: New → Triaged
Changed in ruby1.8:
status: Unknown → Fix Released
Changed in ruby1.9:
status: Unknown → Fix Released
mschenck (mschenck) wrote :

I'm interested in a patch/update for Dapper LTS

Neil Wilson (neil-aldur) wrote :

Note that the fix released causes segmentation faults in Rails applications.

The p231 and p230 corrections are faulty. See comments in this thread

http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities

There is a suggested fix there, however we really need a solution from ruby-core via Debian.

Changed in ruby1.8:
assignee: nobody → jdstrand
assignee: nobody → jdstrand
assignee: nobody → jdstrand
assignee: nobody → jdstrand
Changed in ruby1.9:
assignee: nobody → jdstrand
assignee: nobody → jdstrand
assignee: nobody → jdstrand
assignee: nobody → jdstrand
Changed in ruby1.8:
status: Fix Released → New
Changed in ruby1.9:
assignee: jdstrand → nobody
assignee: jdstrand → nobody
assignee: jdstrand → nobody
assignee: jdstrand → nobody
assignee: nobody → jdstrand
importance: Undecided → High
status: New → In Progress
Changed in ruby1.8:
status: Triaged → In Progress
status: Triaged → In Progress
status: Triaged → In Progress
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

Removed CVE-2008-2727 and CVE-2008-2728 as they are for ruby1.6.

Changed in ruby1.8:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Intrepid not merged yet because there is a FTBFS (hang during 'make test')

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby1.8 - 1.8.6.111-2ubuntu1.1

---------------
ruby1.8 (1.8.6.111-2ubuntu1.1) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service or arbitrary code execution via
    integer overflows and memory corruption
  * debian/patches/101_CVE-2008-2662+2663+2664+2725+2726.dpatch update array.c
    to properly validate the size of an array. Update string.c and sprintf.c
    for proper bounds checking
  * References:
    CVE-2008-2662
    CVE-2008-2663
    CVE-2008-2664
    CVE-2008-2725
    CVE-2008-2726
    LP: #241657

 -- Jamie Strandboge <email address hidden> Wed, 25 Jun 2008 15:50:50 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby1.8 - 1.8.6.36-1ubuntu3.2

---------------
ruby1.8 (1.8.6.36-1ubuntu3.2) gutsy-security; urgency=low

  * SECURITY UPDATE: denial of service or arbitrary code execution via
    integer overflows and memory corruption
  * debian/patches/102_CVE-2008-2662+2663+2664+2725+2726.dpatch: update
    array.c to properly validate the size of an array. Update string.c and
    sprintf.c for proper bounds checking
  * References:
    CVE-2008-2662
    CVE-2008-2663
    CVE-2008-2664
    CVE-2008-2725
    CVE-2008-2726
    LP: #241657

 -- Jamie Strandboge <email address hidden> Wed, 25 Jun 2008 15:31:40 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby1.8 - 1.8.5-4ubuntu2.2

---------------
ruby1.8 (1.8.5-4ubuntu2.2) feisty-security; urgency=low

  * SECURITY UPDATE: denial of service or arbitrary code execution via
    integer overflows and memory corruption
  * debian/patches/952_CVE-2008-2662+2663+2664+2725+2726.patch: update array.c
    to properly validate the size of an array. Update string.c and sprintf.c
    for proper bounds checking
  * References:
    CVE-2008-2662
    CVE-2008-2663
    CVE-2008-2664
    CVE-2008-2725
    CVE-2008-2726
    LP: #241657

 -- Jamie Strandboge <email address hidden> Wed, 25 Jun 2008 15:24:05 -0400

Changed in ruby1.8:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :
Changed in ruby1.8:
status: Fix Committed → Fix Released
Changed in ruby1.9:
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Fixed in ruby1.9 1.9.0.2-1ubuntu1

Changed in ruby1.9:
status: Fix Committed → Fix Released
Changed in ruby1.8:
status: New → Fix Released
toddq (toddq) wrote :

from http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/

There is a DoS vulnerability in the REXML library used by Rails to parse incoming XML requests. A so-called "XML entity explosion" attack technique can be used for remotely bringing down (disabling) any application which parses user-provided XML. Most Rails applications will be vulnerable to this attack.
Impact

An attacker can cause a denial of service by causing REXML to parse a document containing recursively nested entities such as:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE member [
  <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
  <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
  <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
  <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
  <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
  <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
]>
<member>
&a;
</member>

Vulnerable versions
1.8 series

    * 1.8.6-p287 and all prior versions
    * 1.8.7-p72 and all prior versions

1.9 series

    * all versions

Solution

Please download the following monkey patch to fix this problem.

    * <URL:http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb>

Then fix your application to load rexml-expansion-fix.rb before using REXML.

require "rexml-expansion-fix"
...
doc = REXML::Document.new(str)
...

If you have a Rails application, copy rexml-expansion-fix.rb into a directory on the load path (such as RAILS_ROOT/lib/), and put the following line into config/environment.rb.

require "rexml-expansion-fix"

If your application is Rails 2.1 or later, you can simply copy rexml-expansion-fix.rb to RAILS_ROOT/config/initializers and it will be required automatically.

By default, XML entity expansion limit is 10000. You can change it by changing REXML::Document.entity_expansion_limit. e.g.

REXML::Document.entity_expansion_limit = 1000

This fix will be made available as a gem and used by future versions of rails, but users should take corrective action immediately.
Credit

Credit to Luka Treiber and Mitja Kolsek of ACROS Security for disclosing the problem to Ruby and Rails Security Teams.

You can use Ruby 1.8.6 patch 111 in Ubuntu 8.10
See the article: http://railsgeek.com/2008/11/27/ubuntu-8-10-downgrade-ruby-1-8-7-to-1-8-6

Please could someone mark this as Won't Fix for Feisty?

Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in ruby1.9:
status: Triaged → Won't Fix
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in ruby1.9 (Ubuntu Gutsy):
status: Triaged → Won't Fix
Rolf Leggewie (r0lf) on 2011-10-03
Changed in ruby1.9 (Ubuntu Dapper):
status: Triaged → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures'

Please feel free to report any other bugs you may find.

Changed in ruby1.9 (Ubuntu Hardy):
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.