[CVE-2008-2376] Integer overflow in the rb_ary_fill function in array.c in Ruby

Bug #246818 reported by Till Ulen
256
Affects Status Importance Assigned to Milestone
ruby1.8 (Ubuntu)
Undecided
Gabrielix
Dapper
Undecided
Jamie Strandboge
Feisty
Undecided
Jamie Strandboge
Gutsy
Undecided
Jamie Strandboge
Hardy
Undecided
Jamie Strandboge

Bug Description

Binary package hint: ruby1.8

CVE-2008-2376 description:

"Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. NOTE: this issue exists because of an incomplete fix for other closely related integer overflows."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2376

Revision history for this message
Gabrielix (gabrielix) wrote :

Multiples vulnerabilities fixed in 1.8.7.72

Changed in ruby1.8:
assignee: nobody → gabrielix
status: New → Fix Released
Revision history for this message
Gabrielix (gabrielix) wrote :
Gabrielix (gabrielix)
Changed in ruby1.8:
status: Fix Released → In Progress
Changed in ruby1.8:
status: In Progress → Fix Released
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby1.8 - 1.8.6.111-2ubuntu1.2

---------------
ruby1.8 (1.8.6.111-2ubuntu1.2) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service via resource exhaustion in the REXML
    module (LP: #261459)
    - debian/patches/102_CVE-2008-3790.dpatch: adjust rexml/document.rb and
      rexml/entity.rb to use expansion limits
    - CVE-2008-3790
  * SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
    service (LP: #246818)
    - debian/patches/103_CVE-2008-2376.dpatch: adjust array.c to properly
      check argument length
    - CVE-2008-2376
  * SECURITY UPDATE: denial of service via multiple long requests to a Ruby
    socket
    - debian/patches/104_CVE-2008-3443.dpatch: adjust regex.c to not use ruby
      managed memory and check for allocation failures
    - CVE-2008-3443
  * SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
    - debian/patches/105_CVE-2008-3656.dpatch: update webrick/httputils.rb to
      properly check paths ending with '.'
    - CVE-2008-3656
  * SECURITY UPDATE: predictable transaction id and source port for DNS
    requests (separate vulnerability from CVE-2008-1447)
    - debian/patches/106_CVE-2008-3905.dpatch: adjust resolv.rb to use
      SecureRandom for transaction id and source port
    - CVE-2008-3905
  * SECURITY UPDATE: safe level bypass via DL.dlopen
    - debian/patches/107_CVE-2008-3657.dpatch: adjust rb_str_to_ptr and
      rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
      propogate taint and check taintness of DLPtrData
    - CVE-2008-3657
  * SECURITY UPDATE: safe level bypass via multiple vectors
    - debian/patches/108_CVE-2008-3655.dpatch: use rb_secure(4) in variable.c
      and syslog.c, check for secure level 3 or higher in eval.c and make
      sure PROGRAM_NAME can't be modified
    - CVE-2008-3655

 -- Jamie Strandboge <email address hidden> Tue, 07 Oct 2008 13:34:00 -0500

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby1.8 - 1.8.6.36-1ubuntu3.3

---------------
ruby1.8 (1.8.6.36-1ubuntu3.3) gutsy-security; urgency=low

  * SECURITY UPDATE: denial of service via resource exhaustion in the REXML
    module (LP: #261459)
    - debian/patches/103_CVE-2008-3790.dpatch: adjust rexml/document.rb and
      rexml/entity.rb to use expansion limits
    - CVE-2008-3790
  * SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
    service (LP: #246818)
    - debian/patches/104_CVE-2008-2376.dpatch: adjust array.c to properly
      check argument length
    - CVE-2008-2376
  * SECURITY UPDATE: denial of service via multiple long requests to a Ruby
    socket
    - debian/patches/105_CVE-2008-3443.dpatch: adjust regex.c to not use ruby
      managed memory and check for allocation failures
    - CVE-2008-3443
  * SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
    - debian/patches/106_CVE-2008-3656.dpatch: update webrick/httputils.rb to
      properly check paths ending with '.'
    - CVE-2008-3656
  * SECURITY UPDATE: predictable transaction id and source port for DNS
    requests (separate vulnerability from CVE-2008-1447)
    - debian/patches/107_CVE-2008-3905.dpatch: adjust resolv.rb to use
      SecureRandom for transaction id and source port
    - CVE-2008-3905
  * SECURITY UPDATE: safe level bypass via DL.dlopen
    - debian/patches/108_CVE-2008-3657.dpatch: adjust rb_str_to_ptr and
      rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
      propogate taint and check taintness of DLPtrData
    - CVE-2008-3657
  * SECURITY UPDATE: safe level bypass via multiple vectors
    - debian/patches/109_CVE-2008-3655.dpatch: use rb_secure(4) in variable.c
      and syslog.c, check for secure level 3 or higher in eval.c and make
      sure PROGRAM_NAME can't be modified
    - CVE-2008-3655

 -- Jamie Strandboge <email address hidden> Thu, 09 Oct 2008 08:47:35 -0500

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby1.8 - 1.8.5-4ubuntu2.3

---------------
ruby1.8 (1.8.5-4ubuntu2.3) feisty-security; urgency=low

  * SECURITY UPDATE: denial of service via resource exhaustion in the REXML
    module (LP: #261459)
    - debian/patches/953_CVE-2008-3790.patch: adjust rexml/document.rb and
      rexml/entity.rb to use expansion limits
    - CVE-2008-3790
  * SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
    service (LP: #246818)
    - debian/patches/954_CVE-2008-2376.patch: adjust array.c to properly
      check argument length
    - CVE-2008-2376
  * SECURITY UPDATE: denial of service via multiple long requests to a Ruby
    socket
    - debian/patches/955_CVE-2008-3443.patch: adjust regex.c to not use ruby
      managed memory and check for allocation failures
    - CVE-2008-3443
  * SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
    - debian/patches/956_CVE-2008-3656.patch: update webrick/httputils.rb to
      properly check paths ending with '.'
    - CVE-2008-3656
  * SECURITY UPDATE: predictable transaction id and source port for DNS
    requests (separate vulnerability from CVE-2008-1447)
    - debian/patches/957_CVE-2008-3905.patch: adjust resolv.rb to use
      SecureRandom for transaction id and source port
    - CVE-2008-3905
  * SECURITY UPDATE: safe level bypass via DL.dlopen
    - debian/patches/958_CVE-2008-3657.patch: adjust rb_str_to_ptr and
      rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
      propogate taint and check taintness of DLPtrData
    - CVE-2008-3657
  * SECURITY UPDATE: safe level bypass via multiple vectors
    - debian/patches/959_CVE-2008-3655.patch: use rb_secure(4) in variable.c
      and syslog.c, check for secure level 3 or higher in eval.c and make
      sure PROGRAM_NAME can't be modified
    - CVE-2008-3655

 -- Jamie Strandboge <email address hidden> Thu, 09 Oct 2008 09:28:03 -0500

Changed in ruby1.8:
status: In Progress → Fix Released
status: In Progress → Fix Released
status: In Progress → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :
Changed in ruby1.8:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers