Vigil@nce: Ruby, several vulnerabilities
June 2008 by Vigil@nce
SYNTHESIS
Several Ruby vulnerabilities lead to denials of service or to code
executions.
Gravity: 3/4
Consequences: user access/rights, denial of service
Provenance: document
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 23/06/2008
Identifier: VIGILANCE-VUL-7905
IMPACTED PRODUCTS
– Debian Linux [confidential versions]
– Unix - platform
DESCRIPTION
The Ruby language is used to create object-oriented scripts. The
Ruby environment contains a language interpreter and a web
service. Six vulnerabilities impact this environment.
The CVE-2008-2662 vulnerability is unknown. [grav:3/4;
CVE-2008-2662]
The CVE-2008-2663 vulnerability is unknown. [grav:3/4;
CVE-2008-2663]
The CVE-2008-2725 vulnerability is unknown. [grav:3/4;
CVE-2008-2725]
Several integer overflows can occur in array.c (ary_new,
rb_ary_initialize, rb_ary_store, rb_ary_splice, rb_ary_times). A
memory corruption can occur in rb_enc_cr_str_buf_cat. [grav:3/4;
CVE-2008-2726]
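The array.c overflows above belong to a well-known class: a byte count derived from an attacker-chosen index wraps before it reaches the allocator, so a tiny buffer is allocated and then indexed far out of bounds. The C below is an added illustration and not Ruby's code; toy_ary, unchecked_bytes, checked_bytes and toy_ary_store are hypothetical names, and the "unchecked" size computation stands beside the checked one that a hardened store routine should use.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical growable array; modelled on the idea only, not Ruby's RArray. */
typedef struct { long *ptr; size_t len; size_t capa; } toy_ary;

/* Defective pattern: the byte count for index idx is computed with no range
 * check, so a huge idx wraps to a small allocation that is then indexed far
 * out of bounds (on LP64, idx = LONG_MAX yields 0 bytes). */
size_t unchecked_bytes(long idx) { return ((size_t)idx + 1) * sizeof(long); }

/* Hardened pattern: reject negative indexes and any element count whose
 * multiplication by the element size would wrap. Returns 0 on success. */
int checked_bytes(long idx, size_t *out) {
    if (idx < 0) return -1;
    size_t n = (size_t)idx + 1;
    if (n > SIZE_MAX / sizeof(long)) return -1;
    *out = n * sizeof(long);
    return 0;
}

/* Store v at idx, growing the buffer only through the checked computation.
 * Returns 0 on success, -1 on a rejected index or allocation failure. */
int toy_ary_store(toy_ary *a, long idx, long v) {
    size_t need, elems;
    if (checked_bytes(idx, &need) != 0) return -1;
    elems = need / sizeof(long);
    if (elems > a->capa) {
        long *p = realloc(a->ptr, need);
        if (p == NULL) return -1;
        memset(p + a->capa, 0, (elems - a->capa) * sizeof(long)); /* zero new slots */
        a->ptr = p; a->capa = elems;
    }
    a->ptr[idx] = v;
    if ((size_t)idx >= a->len) a->len = (size_t)idx + 1;
    return 0;
}

int main(void) {
    toy_ary a = { NULL, 0, 0 };
    printf("unchecked byte count for LONG_MAX: %zu\n", unchecked_bytes(LONG_MAX));
    printf("checked store at LONG_MAX rejected: %s\n", toy_ary_store(&a, LONG_MAX, 1) == -1 ? "yes" : "no");
    int rc = toy_ary_store(&a, 2, 7);
    printf("checked store at index 2: rc=%d len=%zu\n", rc, a.len);
    free(a.ptr);
    return 0;
}
```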
The CVE-2008-2664 vulnerability is unknown. [grav:3/4;
CVE-2008-2664]
On a NTFS or FAT filesystem, an attacker can read the content of
CGI files. [grav:2/4; CVE-2008-1891]
These vulnerabilities lead to denials of service or to code
executions.
CHARACTERISTICS
Identifiers: BID-29903, CVE-2008-1891, CVE-2008-2662,
CVE-2008-2663, CVE-2008-2664, CVE-2008-2725, CVE-2008-2726, VIGILANCE-VUL-7905