GLSA-200812-17 : Ruby: Multiple vulnerabilities

Critical Nessus Plugin ID 35188

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 6.7

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-200812-17 (Ruby: Multiple vulnerabilities)

Multiple vulnerabilities have been discovered in the Ruby interpreter and its standard libraries. Drew Yao of Apple Product Security discovered the following flaws:
Arbitrary code execution or Denial of Service (memory corruption) in the rb_str_buf_append() function (CVE-2008-2662).
Arbitrary code execution or Denial of Service (memory corruption) in the rb_ary_stor() function (CVE-2008-2663).
Memory corruption via alloca in the rb_str_format() function (CVE-2008-2664).
Memory corruption ('REALLOC_N') in the rb_ary_splice() and rb_ary_replace() functions (CVE-2008-2725).
Memory corruption ('beg + rlen') in the rb_ary_splice() and rb_ary_replace() functions (CVE-2008-2726).
Furthermore, several other vulnerabilities have been reported:
Tanaka Akira reported an issue with resolv.rb that enables attackers to spoof DNS responses (CVE-2008-1447).
Akira Tagoh of RedHat discovered a Denial of Service (crash) issue in the rb_ary_fill() function in array.c (CVE-2008-2376).
Several safe level bypass vulnerabilities were discovered and reported by Keita Yamaguchi (CVE-2008-3655).
Christian Neukirchen is credited for discovering a Denial of Service (CPU consumption) attack in the WEBRick HTTP server (CVE-2008-3656).
A fault in the dl module allowed the circumvention of taintness checks which could possibly lead to insecure code execution was reported by 'sheepman' (CVE-2008-3657).
Tanaka Akira again found a DNS spoofing vulnerability caused by the resolv.rb implementation using poor randomness (CVE-2008-3905).
Luka Treiber and Mitja Kolsek (ACROS Security) disclosed a Denial of Service (CPU consumption) vulnerability in the REXML module when dealing with recursive entity expansion (CVE-2008-3790).
Impact :

These vulnerabilities allow remote attackers to execute arbitrary code, spoof DNS responses, bypass Ruby's built-in security and taintness checks, and cause a Denial of Service via crash or CPU exhaustion.
Workaround :

There is no known workaround at this time.

Solution

All Ruby users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=dev-lang/ruby-1.8.6_p287-r1'

See Also

https://security.gentoo.org/glsa/200812-17

Plugin Details

Severity: Critical

ID: 35188

File Name: gentoo_GLSA-200812-17.nasl

Version: 1.32

Type: local

Published: 2008/12/17

Updated: 2019/08/02

Dependencies: 12634

Risk Information

Risk Factor: Critical

VPR Score: 6.7

CVSS v2.0

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:ruby, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2008/12/16

Reference Information

CVE: CVE-2008-1447, CVE-2008-2376, CVE-2008-2662, CVE-2008-2663, CVE-2008-2664, CVE-2008-2725, CVE-2008-2726, CVE-2008-3655, CVE-2008-3656, CVE-2008-3657, CVE-2008-3790, CVE-2008-3905

BID: 29903, 30036, 30131, 30644, 30802, 31699

GLSA: 200812-17

IAVA: 2008-A-0045

CWE: 20, 189, 264, 287, 399