Multiple vulnerabilities in Ruby may lead to a denial of service (DoS) condition or allow execution of arbitrary code.

ruby1.8 is fixed in Intrepid due to a Debian sync.

I'm interested in a patch/update for Dapper LTS

Note that the fix released causes segmentation faults in Rails applications.

The p231 and p230 corrections are faulty. See comments in this thread

http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities

There is a suggested fix there, however we really need a solution from ruby-core via Debian.

Removed CVE-2008-2727 and CVE-2008-2728 as they are for ruby1.6.

Intrepid not merged yet because there is a FTBFS (hang during 'make test')

This bug was fixed in the package ruby1.8 - 1.8.6.111-2ubuntu1.1

---------------
ruby1.8 (1.8.6.111-2ubuntu1.1) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service or arbitrary code execution via
    integer overflows and memory corruption
  * debian/patches/101_CVE-2008-2662+2663+2664+2725+2726.dpatch update array.c
    to properly validate the size of an array. Update string.c and sprintf.c
    for proper bounds checking
  * References:
    CVE-2008-2662
    CVE-2008-2663
    CVE-2008-2664
    CVE-2008-2725
    CVE-2008-2726
    LP: #241657

 -- Jamie Strandboge <email address hidden> Wed, 25 Jun 2008 15:50:50 -0400

This bug was fixed in the package ruby1.8 - 1.8.6.36-1ubuntu3.2

---------------
ruby1.8 (1.8.6.36-1ubuntu3.2) gutsy-security; urgency=low

  * SECURITY UPDATE: denial of service or arbitrary code execution via
    integer overflows and memory corruption
  * debian/patches/102_CVE-2008-2662+2663+2664+2725+2726.dpatch: update
    array.c to properly validate the size of an array. Update string.c and
    sprintf.c for proper bounds checking
  * References:
    CVE-2008-2662
    CVE-2008-2663
    CVE-2008-2664
    CVE-2008-2725
    CVE-2008-2726
    LP: #241657

 -- Jamie Strandboge <email address hidden> Wed, 25 Jun 2008 15:31:40 -0400

This bug was fixed in the package ruby1.8 - 1.8.5-4ubuntu2.2

---------------
ruby1.8 (1.8.5-4ubuntu2.2) feisty-security; urgency=low

  * SECURITY UPDATE: denial of service or arbitrary code execution via
    integer overflows and memory corruption
  * debian/patches/952_CVE-2008-2662+2663+2664+2725+2726.patch: update array.c
    to properly validate the size of an array. Update string.c and sprintf.c
    for proper bounds checking
  * References:
    CVE-2008-2662
    CVE-2008-2663
    CVE-2008-2664
    CVE-2008-2725
    CVE-2008-2726
    LP: #241657

 -- Jamie Strandboge <email address hidden> Wed, 25 Jun 2008 15:24:05 -0400

http://www.ubuntu.com/usn/usn-621-1

Fixed in ruby1.9 1.9.0.2-1ubuntu1

from http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/

There is a DoS vulnerability in the REXML library used by Rails to parse incoming XML requests. A so-called "XML entity explosion" attack technique can be used for remotely bringing down (disabling) any application which parses user-provided XML. Most Rails applications will be vulnerable to this attack.
Impact

An attacker can cause a denial of service by causing REXML to parse a document containing recursively nested entities such as:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE member [
  <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
  <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
  <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
  <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
  <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
  <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
]>
<member>
&a;
</member>

Vulnerable versions
1.8 series

    * 1.8.6-p287 and all prior versions
    * 1.8.7-p72 and all prior versions

1.9 series

    * all versions

Solution

Please download the following monkey patch to fix this problem.

    * <URL:http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb>

Then fix your application to load rexml-expansion-fix.rb before using REXML.

require "rexml-expansion-fix"
...
doc = REXML::Document.new(str)
...

If you have a Rails application, copy rexml-expansion-fix.rb into a directory on the load path (such as RAILS_ROOT/lib/), and put the following line into config/environment.rb.

require "rexml-expansion-fix"

If your application is Rails 2.1 or later, you can simply copy rexml-expansion-fix.rb to RAILS_ROOT/config/initializers and it will be required automatically.

By default, XML entity expansion limit is 10000. You can change it by changing REXML::Document.entity_expansion_limit. e.g.

REXML::Document.entity_expansion_limit = 1000

This fix will be made available as a gem and used by future versions of rails, but users should take corrective action immediately.
Credit

Credit to Luka Treiber and Mitja Kolsek of ACROS Security for disclosing the problem to Ruby and Rails Security Teams.

You can use Ruby 1.8.6 patch 111 in Ubuntu 8.10
See the article: http://railsgeek.com/2008/11/27/ubuntu-8-10-downgrade-ruby-1-8-7-to-1-8-6

Please could someone mark this as Won't Fix for Feisty?

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures'

Please feel free to report any other bugs you may find.