Drew Yao of the Apple Product Security team reported that the rb_str_format()
function uses alloca() memory allocation function in insecure way, causing
memory address returned by alloca() to be out of stack memory space. This can
be used to crash and possibly execute arbitrary code with the privileges of Ruby
application which use untrusted input in string operations.
Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting this issue.
Created attachment 308913 [details]
Drew Yao's proposed patch against ruby 1.8.5
ruby 1.9 does not use alloca in rb_str_format() any more.
Public now, lifting embargo:
Upstream released fixed versions:
1.8.5-p231, 1.8.6-p230, 1.8.7-p22, 1.9.0-2
Patches applied upstream:
ruby-188.8.131.52-1.fc8 has been submitted as an update for Fedora 8
ruby-184.108.40.206-1.fc9 has been submitted as an update for Fedora 9
ruby-220.127.116.11-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
ruby-18.104.22.168-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux: