Drew Yao of the Apple Product Security team reported an integer overflow leading to a memory mis-allocation and heap overflow in the rb_ary_store() function used by the Ruby interpreter for handling arrays. This can be used to crash and possibly execute arbitrary code with the privileges of a Ruby application that uses untrusted input in array operations. Acknowledgements: Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting this issue.
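The bug class described above is an index-driven capacity computation that wraps around before the allocation is sized, so the buffer ends up smaller than the index that is then written. The following is an added illustration, not Ruby's code or the reporter's patch: a toy growable array (the struct, helper names and growth policy are all assumptions) whose capacity computation is done with compiler overflow-checked arithmetic (gcc/clang `__builtin_*_overflow`) and refuses the store instead of mis-allocating.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Minimal growable array used only for this illustration; it is not
   Ruby's RArray and does not mirror rb_ary_store() internals. */
typedef struct {
    long *ptr;   /* element storage */
    long  len;   /* number of elements in use */
    long  capa;  /* allocated element capacity */
} sample_array;

/* Compute the capacity needed to hold an element at idx, growing by at
   least half the current capacity. Every intermediate value is checked:
   idx + 1, capa + capa/2, and the final byte count. Returns true and
   writes *new_capa on success, false if any step would overflow. */
bool checked_grow_capacity(long capa, long idx, long *new_capa)
{
    if (idx < 0 || capa < 0) return false;

    long needed;                                   /* idx + 1 */
    if (__builtin_add_overflow(idx, 1L, &needed)) return false;

    long grown;                                    /* capa * 1.5 */
    if (__builtin_add_overflow(capa, capa / 2, &grown)) return false;

    long result = grown > needed ? grown : needed;

    size_t bytes;                                  /* result * sizeof(long) */
    if (__builtin_mul_overflow((size_t)result, sizeof(long), &bytes)) return false;

    *new_capa = result;
    return true;
}

/* Store value at idx, growing the buffer if required.
   Returns 0 on success, ERANGE if the index cannot be accommodated
   without overflow, ENOMEM if the allocator refuses the request. */
int sample_array_store(sample_array *a, long idx, long value)
{
    if (idx < 0) return ERANGE;

    if (idx >= a->capa) {
        long new_capa;
        if (!checked_grow_capacity(a->capa, idx, &new_capa)) return ERANGE;

        long *p = realloc(a->ptr, (size_t)new_capa * sizeof(long));
        if (!p) return ENOMEM;

        /* zero the newly added slots so untouched indexes read as 0 */
        memset(p + a->capa, 0, (size_t)(new_capa - a->capa) * sizeof(long));
        a->ptr = p;
        a->capa = new_capa;
    }
    if (idx >= a->len) a->len = idx + 1;   /* safe: idx < capa <= LONG_MAX */
    a->ptr[idx] = value;
    return 0;
}
```

The point of the checked version is that an attacker-controlled index near LONG_MAX is rejected with ERANGE before any allocation happens; an unchecked `idx + 1` or `capa * sizeof(elem)` at the same point would wrap, pass the size to the allocator, and leave the subsequent write out of bounds.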
Created attachment 308906: Drew Yao's proposed patch against ruby 1.8.5
Created attachment 308907: Drew Yao's proposed patch against ruby 1.9
Public now, lifting embargo: http://preview.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities

Upstream released fixed versions: 1.8.5-p231, 1.8.6-p230, 1.8.7-p22, 1.9.0-2

Patches applied upstream:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17460
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17472
ruby-1.8.6.230-1.fc8 has been submitted as an update for Fedora 8
ruby-1.8.6.230-1.fc9 has been submitted as an update for Fedora 9
ruby-1.8.6.230-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
ruby-1.8.6.230-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0561.html
http://rhn.redhat.com/errata/RHSA-2008-0562.html

Fedora:
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-5649
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-5664