Ubuntu
ruby1.8 package

[CVE-2008-2376] Integer overflow in the rb_ary_fill function in array.c in Ruby

Bug #246818 reported by Till Ulen on 2008-07-09

256

	Status	Importance	Assigned to
ruby1.8 (Ubuntu)	Fix Released	Undecided	Gabrielix
Dapper	Fix Released	Undecided	Jamie Strandboge
Feisty	Fix Released	Undecided	Jamie Strandboge
Gutsy	Fix Released	Undecided	Jamie Strandboge
Hardy	Fix Released	Undecided	Jamie Strandboge

Bug Description

Binary package hint: ruby1.8

CVE-2008-2376 description:

"Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. NOTE: this issue exists because of an incomplete fix for other closely related integer overflows."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2376

Related branches

lp://staging/ubuntu/dapper-updates/ruby1.8

lp://staging/ubuntu/feisty-security/ruby1.8

lp://staging/ubuntu/hardy-updates/ruby1.8

lp://staging/ubuntu/gutsy-updates/ruby1.8

lp://staging/ubuntu/hardy-security/ruby1.8

lp://staging/ubuntu/gutsy-security/ruby1.8

CVE References

Revision history for this message

Gabrielix (gabrielix) wrote on 2008-08-23:

Multiples vulnerabilities fixed in 1.8.7.72

Changed in ruby1.8:
assignee:	nobody → gabrielix
status:	New → Fix Released

Revision history for this message

Gabrielix (gabrielix) wrote on 2008-08-23:

debdiff_1.8.7.22_to_1.8.7.72 Edit (997.9 KiB, text/plain)

Gabrielix (gabrielix) on 2008-08-24

Changed in ruby1.8:
status:	Fix Released → In Progress

Jamie Strandboge (jdstrand) on 2008-10-09

Changed in ruby1.8:
status:	In Progress → Fix Released
assignee:	nobody → jdstrand
status:	New → In Progress
assignee:	nobody → jdstrand
status:	New → In Progress
assignee:	nobody → jdstrand
status:	New → In Progress
assignee:	nobody → jdstrand
status:	New → In Progress

Revision history for this message

Launchpad Janitor (janitor) wrote on 2008-10-10:

This bug was fixed in the package ruby1.8 - 1.8.6.111-2ubuntu1.2

---------------
ruby1.8 (1.8.6.111-2ubuntu1.2) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service via resource exhaustion in the REXML
    module (LP: #261459)
    - debian/patches/102_CVE-2008-3790.dpatch: adjust rexml/document.rb and
      rexml/entity.rb to use expansion limits
    - CVE-2008-3790
  * SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
    service (LP: #246818)
    - debian/patches/103_CVE-2008-2376.dpatch: adjust array.c to properly
      check argument length
    - CVE-2008-2376
  * SECURITY UPDATE: denial of service via multiple long requests to a Ruby
    socket
    - debian/patches/104_CVE-2008-3443.dpatch: adjust regex.c to not use ruby
      managed memory and check for allocation failures
    - CVE-2008-3443
  * SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
    - debian/patches/105_CVE-2008-3656.dpatch: update webrick/httputils.rb to
      properly check paths ending with '.'
    - CVE-2008-3656
  * SECURITY UPDATE: predictable transaction id and source port for DNS
    requests (separate vulnerability from CVE-2008-1447)
    - debian/patches/106_CVE-2008-3905.dpatch: adjust resolv.rb to use
      SecureRandom for transaction id and source port
    - CVE-2008-3905
  * SECURITY UPDATE: safe level bypass via DL.dlopen
    - debian/patches/107_CVE-2008-3657.dpatch: adjust rb_str_to_ptr and
      rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
      propogate taint and check taintness of DLPtrData
    - CVE-2008-3657
  * SECURITY UPDATE: safe level bypass via multiple vectors
    - debian/patches/108_CVE-2008-3655.dpatch: use rb_secure(4) in variable.c
      and syslog.c, check for secure level 3 or higher in eval.c and make
      sure PROGRAM_NAME can't be modified
    - CVE-2008-3655

-- Jamie Strandboge <email address hidden> Tue, 07 Oct 2008 13:34:00 -0500

Revision history for this message

Launchpad Janitor (janitor) wrote on 2008-10-10:

This bug was fixed in the package ruby1.8 - 1.8.6.36-1ubuntu3.3

---------------
ruby1.8 (1.8.6.36-1ubuntu3.3) gutsy-security; urgency=low

  * SECURITY UPDATE: denial of service via resource exhaustion in the REXML
    module (LP: #261459)
    - debian/patches/103_CVE-2008-3790.dpatch: adjust rexml/document.rb and
      rexml/entity.rb to use expansion limits
    - CVE-2008-3790
  * SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
    service (LP: #246818)
    - debian/patches/104_CVE-2008-2376.dpatch: adjust array.c to properly
      check argument length
    - CVE-2008-2376
  * SECURITY UPDATE: denial of service via multiple long requests to a Ruby
    socket
    - debian/patches/105_CVE-2008-3443.dpatch: adjust regex.c to not use ruby
      managed memory and check for allocation failures
    - CVE-2008-3443
  * SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
    - debian/patches/106_CVE-2008-3656.dpatch: update webrick/httputils.rb to
      properly check paths ending with '.'
    - CVE-2008-3656
  * SECURITY UPDATE: predictable transaction id and source port for DNS
    requests (separate vulnerability from CVE-2008-1447)
    - debian/patches/107_CVE-2008-3905.dpatch: adjust resolv.rb to use
      SecureRandom for transaction id and source port
    - CVE-2008-3905
  * SECURITY UPDATE: safe level bypass via DL.dlopen
    - debian/patches/108_CVE-2008-3657.dpatch: adjust rb_str_to_ptr and
      rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
      propogate taint and check taintness of DLPtrData
    - CVE-2008-3657
  * SECURITY UPDATE: safe level bypass via multiple vectors
    - debian/patches/109_CVE-2008-3655.dpatch: use rb_secure(4) in variable.c
      and syslog.c, check for secure level 3 or higher in eval.c and make
      sure PROGRAM_NAME can't be modified
    - CVE-2008-3655

-- Jamie Strandboge <email address hidden> Thu, 09 Oct 2008 08:47:35 -0500

Revision history for this message

Launchpad Janitor (janitor) wrote on 2008-10-10:

This bug was fixed in the package ruby1.8 - 1.8.5-4ubuntu2.3

---------------
ruby1.8 (1.8.5-4ubuntu2.3) feisty-security; urgency=low

  * SECURITY UPDATE: denial of service via resource exhaustion in the REXML
    module (LP: #261459)
    - debian/patches/953_CVE-2008-3790.patch: adjust rexml/document.rb and
      rexml/entity.rb to use expansion limits
    - CVE-2008-3790
  * SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
    service (LP: #246818)
    - debian/patches/954_CVE-2008-2376.patch: adjust array.c to properly
      check argument length
    - CVE-2008-2376
  * SECURITY UPDATE: denial of service via multiple long requests to a Ruby
    socket
    - debian/patches/955_CVE-2008-3443.patch: adjust regex.c to not use ruby
      managed memory and check for allocation failures
    - CVE-2008-3443
  * SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
    - debian/patches/956_CVE-2008-3656.patch: update webrick/httputils.rb to
      properly check paths ending with '.'
    - CVE-2008-3656
  * SECURITY UPDATE: predictable transaction id and source port for DNS
    requests (separate vulnerability from CVE-2008-1447)
    - debian/patches/957_CVE-2008-3905.patch: adjust resolv.rb to use
      SecureRandom for transaction id and source port
    - CVE-2008-3905
  * SECURITY UPDATE: safe level bypass via DL.dlopen
    - debian/patches/958_CVE-2008-3657.patch: adjust rb_str_to_ptr and
      rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
      propogate taint and check taintness of DLPtrData
    - CVE-2008-3657
  * SECURITY UPDATE: safe level bypass via multiple vectors
    - debian/patches/959_CVE-2008-3655.patch: use rb_secure(4) in variable.c
      and syslog.c, check for secure level 3 or higher in eval.c and make
      sure PROGRAM_NAME can't be modified
    - CVE-2008-3655