Drew Yao of the Apple Product Security team reported an integer overflow leading
to a memory mis-allocation and heap overflow in the rb_ary_store() function
used by the Ruby interpreter for handling arrays. This can be used to crash and
possibly execute arbitrary code with the privileges of a Ruby application which
uses untrusted input in array operations.
Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting this issue.
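The overflow class described above, as an added illustration that is not code from the Ruby project or from the attached patches: a toy array store whose growth policy follows the unpatched shape (new capacity = capa/2 + idx, then multiply by sizeof(VALUE) for realloc), shown beside a checked version. The toy_ary struct, ARY_MAX_SIZE cap and the huge_index() helper are assumptions made for the example, not the interpreter's real layout or the wording of the upstream fix.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Ruby's VALUE is a word-sized unsigned integer; the struct below is a toy
   stand-in for the interpreter's array header (assumption, not its real layout). */
typedef unsigned long VALUE;
#define ARY_DEFAULT_SIZE 16
/* Largest element count whose byte size still fits in a long (assumed cap). */
#define ARY_MAX_SIZE ((long)(LONG_MAX / (long)sizeof(VALUE)))

typedef struct {
    VALUE *ptr;
    long len;
    long capa;
} toy_ary;

/* Growth policy of the unchecked store: new capacity = capa/2 + idx, with no
   check that the sum, or the byte count derived from it, still fits. */
static long unchecked_grow_target(long capa, long idx)
{
    long new_capa = capa / 2;
    if (new_capa < ARY_DEFAULT_SIZE) new_capa = ARY_DEFAULT_SIZE;
    return new_capa + idx;              /* may wrap for idx near LONG_MAX */
}

/* Byte count the unchecked code would hand to realloc(): the multiplication
   is done in size_t and wraps, so a huge index yields a tiny allocation that
   the later ptr[idx] = v write then overruns. */
static size_t unchecked_alloc_bytes(long new_capa)
{
    return (size_t)new_capa * sizeof(VALUE);
}

/* An index large enough that new_capa * sizeof(VALUE) wraps past SIZE_MAX
   (2^(bits - log2(sizeof(VALUE))) + 1, constructed for this example). */
static long huge_index(void)
{
    unsigned shift = CHAR_BIT * sizeof(size_t) - (sizeof(VALUE) == 8 ? 3 : 2);
    return (long)(((size_t)1 << shift) + 1);
}

/* Hardened growth: refuse any index that cannot be backed by a real buffer
   before any arithmetic that could wrap is performed. */
static bool checked_grow(toy_ary *a, long idx)
{
    long base = a->capa / 2;
    if (base < ARY_DEFAULT_SIZE) base = ARY_DEFAULT_SIZE;
    if (idx >= ARY_MAX_SIZE - base)     /* base + idx would exceed the cap */
        return false;
    long new_capa = base + idx;         /* provably <= ARY_MAX_SIZE here */
    VALUE *p = realloc(a->ptr, (size_t)new_capa * sizeof(VALUE));
    if (p == NULL) return false;
    memset(p + a->capa, 0, (size_t)(new_capa - a->capa) * sizeof(VALUE));
    a->ptr = p;
    a->capa = new_capa;
    return true;
}

/* Hardened store: returns false instead of writing outside the buffer.
   Negative indices (which Ruby normalises from the end) are rejected for brevity. */
static bool checked_store(toy_ary *a, long idx, VALUE v)
{
    if (idx < 0) return false;
    if (idx >= a->capa && !checked_grow(a, idx)) return false;
    a->ptr[idx] = v;
    if (idx >= a->len) a->len = idx + 1;
    return true;
}

/* Convenience for testing: capacity after storing at idx into a fresh array,
   or -1 if the checked store rejected the index. */
static long checked_capacity_after(long idx)
{
    toy_ary a = { NULL, 0, 0 };
    long capa = checked_store(&a, idx, 1) ? a.capa : -1;
    free(a.ptr);
    return capa;
}

int main(void)
{
    long idx = huge_index();
    long target = unchecked_grow_target(0, idx);
    printf("unchecked: index %ld -> capacity %ld -> realloc(%zu bytes)\n",
           idx, target, unchecked_alloc_bytes(target));
    printf("checked store at %ld: %s\n", idx,
           checked_capacity_after(idx) < 0 ? "rejected" : "accepted");
    printf("checked store at 100: capacity %ld\n", checked_capacity_after(100));
    return 0;
}
```

The unchecked path never dereferences the wrapped allocation here; the point is the number it would pass to realloc(), which is a handful of bytes for an index in the 2^61 range on LP64 (2^30 range on 32-bit), after which the element write lands far outside the heap block. The checked path bounds the element count before multiplying, so the byte computation can no longer wrap.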
Created attachment 308906: Drew Yao's proposed patch against ruby 1.8.5
Created attachment 308907: Drew Yao's proposed patch against ruby 1.9
Public now, lifting embargo:
Upstream released fixed versions:
1.8.5-p231, 1.8.6-p230, 1.8.7-p22, 1.9.0-2
Patches applied upstream:
ruby-188.8.131.52-1.fc8 has been submitted as an update for Fedora 8
ruby-184.108.40.206-1.fc9 has been submitted as an update for Fedora 9
ruby-220.127.116.11-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
ruby-18.104.22.168-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux: