Launchpad.net

CVE 2008-3655

Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not properly restrict access to critical variables and methods at various safe levels, which allows context-dependent attackers to bypass intended access restrictions via (1) untrace_var, (2) $PROGRAM_NAME, and (3) syslog at safe level 4, and (4) insecure methods at safe levels 1 through 3.

Related bugs and status

CVE-2008-3655 (Candidate) is related to these bugs:

Bug #246818: [CVE-2008-2376] Integer overflow in the rb_ary_fill function in array.c in Ruby

		In	Importance	Status
246818	[CVE-2008-2376] Integer overflow in the rb_ary_fill function in array.c in Ruby	ruby1.8 (Ubuntu)	Undecided	Fix Released
246818	[CVE-2008-2376] Integer overflow in the rb_ary_fill function in array.c in Ruby	ruby1.8 (Ubuntu Dapper)	Undecided	Fix Released
246818	[CVE-2008-2376] Integer overflow in the rb_ary_fill function in array.c in Ruby	ruby1.8 (Ubuntu Feisty)	Undecided	Fix Released
246818	[CVE-2008-2376] Integer overflow in the rb_ary_fill function in array.c in Ruby	ruby1.8 (Ubuntu Gutsy)	Undecided	Fix Released
246818	[CVE-2008-2376] Integer overflow in the rb_ary_fill function in array.c in Ruby	ruby1.8 (Ubuntu Hardy)	Undecided	Fix Released

Bug #257122: Multiple vulnerabilities in Ruby

		In	Importance	Status
257122	Multiple vulnerabilities in Ruby	ruby1.8 (Ubuntu)	Undecided	Fix Released
257122	Multiple vulnerabilities in Ruby	ruby1.9 (Ubuntu)	Undecided	Fix Released
257122	Multiple vulnerabilities in Ruby	ruby1.8 (Ubuntu Feisty)	Undecided	Fix Released
257122	Multiple vulnerabilities in Ruby	ruby1.9 (Ubuntu Feisty)	Undecided	Won't Fix
257122	Multiple vulnerabilities in Ruby	ruby1.8 (Ubuntu Gutsy)	Undecided	Fix Released
257122	Multiple vulnerabilities in Ruby	ruby1.9 (Ubuntu Gutsy)	Undecided	Won't Fix
257122	Multiple vulnerabilities in Ruby	ruby1.8 (Ubuntu Intrepid)	Undecided	Fix Released
257122	Multiple vulnerabilities in Ruby	ruby1.9 (Ubuntu Intrepid)	Undecided	Fix Released
257122	Multiple vulnerabilities in Ruby	ruby1.8 (Ubuntu Dapper)	Undecided	Fix Released
257122	Multiple vulnerabilities in Ruby	ruby1.9 (Ubuntu Dapper)	Undecided	Won't Fix
257122	Multiple vulnerabilities in Ruby	ruby1.8 (Ubuntu Hardy)	Undecided	Fix Released
257122	Multiple vulnerabilities in Ruby	ruby1.9 (Ubuntu Hardy)	Undecided	Won't Fix

Bug #261459: DOS Vulnerability in Ruby REXML

		In	Importance	Status
261459	DOS Vulnerability in Ruby REXML	ruby1.8 (Ubuntu)	Undecided	Fix Released
261459	DOS Vulnerability in Ruby REXML	ruby1.8 (Ubuntu Dapper)	Undecided	Fix Released
261459	DOS Vulnerability in Ruby REXML	ruby1.8 (Ubuntu Gutsy)	Undecided	Fix Released
261459	DOS Vulnerability in Ruby REXML	ruby1.8 (Ubuntu Hardy)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: http://bugs.debian.org...
CONFIRM: http://www.ruby-lang.o...
CONFIRM: http://wiki.rpath.com/...
BID: 30644
SECTRACK: 1020656
SECUNIA: 31697
DEBIAN: DSA-1651
DEBIAN: DSA-1652
SECUNIA: 32255
SECUNIA: 32256
GENTOO: GLSA-200812-17
SECUNIA: 33178
SECUNIA: 31430
FEDORA: FEDORA-2008-8736
FEDORA: FEDORA-2008-8738
SECUNIA: 32165
SECUNIA: 32219
REDHAT: RHSA-2008:0895
REDHAT: RHSA-2008:0897
SECUNIA: 32371
SECUNIA: 32372
CONFIRM: http://support.avaya.c...
CONFIRM: http://support.apple.c...
APPLE: APPLE-SA-2009-05-12
CERT: TA09-133A
SECUNIA: 35074
VUPEN: ADV-2009-1297
VUPEN: ADV-2008-2334
XF: ruby-safelevel-securit...
OVAL: oval:org.mitre.oval:de...
UBUNTU: USN-651-1
BUGTRAQ: 20080831 rPSA-2008-026...