Ruby rb_str_format function code execution

ruby-rbstrformat-code-execution (43348)

Risk level: High

Description:

Ruby could allow a remote attacker to execute arbitrary code on the system because of a memory corruption error in the rb_str_format function. An attacker could exploit this vulnerability, using unknown attack vectors related to alloca, to corrupt memory and possibly execute arbitrary code or crash the affected application.

Platforms Affected:

  • Canonical, Ubuntu 6.06 LTS
  • Canonical, Ubuntu 7.04
  • Canonical, Ubuntu 7.10
  • Canonical, Ubuntu 8.04 LTS
  • Debian, Debian Linux 4.0
  • MandrakeSoft, Mandrake Linux 2007.1 X86_64
  • MandrakeSoft, Mandrake Linux 2007.1
  • MandrakeSoft, Mandrake Linux 2008.0 X86_64
  • MandrakeSoft, Mandrake Linux 2008.0
  • MandrakeSoft, Mandrake Linux 2008.1
  • MandrakeSoft, Mandrake Linux 2008.1 X86_64
  • MandrakeSoft, Mandrake Linux Corporate Server 3.0
  • MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
  • MandrakeSoft, Mandrake Linux Corporate Server 4.0
  • MandrakeSoft, Mandrake Linux Corporate Server 4.0 X86_64
  • RedHat, Enterprise Linux 2.1 ES
  • RedHat, Enterprise Linux 2.1 AS
  • RedHat, Enterprise Linux 2.1 WS
  • RedHat, Enterprise Linux 3 AS
  • RedHat, Enterprise Linux 3 ES
  • RedHat, Enterprise Linux 3 WS
  • RedHat, Enterprise Linux 3 Desktop
  • RedHat, Enterprise Linux 4 Desktop
  • RedHat, Enterprise Linux 4 AS
  • RedHat, Enterprise Linux 4 ES
  • RedHat, Enterprise Linux 4 WS
  • RedHat, Enterprise Linux 5 Client
  • RedHat, Enterprise Linux 5 Client Workstation
  • RedHat, Enterprise Linux 5
  • Yukihiro Matsumoto, Ruby 1.8.5-p230 and prior
  • Yukihiro Matsumoto, Ruby 1.8.6-p229 and prior
  • Yukihiro Matsumoto, Ruby 1.8.7-p21
  • Yukihiro Matsumoto, Ruby 1.9.0-1 and prior

Remedy:

Apply the patch for this vulnerability (1.8.5-p231, 1.8.6-p230, 1.8.7-p22, or 1.9.0-2), available from the Ruby Programming Language Web site. See References.
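The fixed releases above are identified by patch level, so a plain comparison of RUBY_VERSION is not enough to tell a patched 1.8.6 from an unpatched one. The following is an added example, not code from the X-Force record or from the Ruby project: it parses a Ruby version string of the form used in this record (1.8.6-p229, 1.9.0-1) and maps it onto the fixed patch levels named in the Remedy. The branch-to-patchlevel table and the three status symbols are this example's own assumptions; branches older than 1.8.5 are reported as affected because the record lists no fixed release for them, and branches newer than 1.9.0 are reported as not covered by this record.

```ruby
# Added example (not X-Force's or the Ruby project's code): decide whether a
# Ruby build predates the patch-level release that fixes this issue on its branch.

# First patchlevel on each branch that carries the fix, taken from the Remedy:
# 1.8.5-p231, 1.8.6-p230, 1.8.7-p22 and 1.9.0-2.
FIXED_PATCHLEVEL = {
  [1, 8, 5] => 231,
  [1, 8, 6] => 230,
  [1, 8, 7] => 22,
  [1, 9, 0] => 2,
}.freeze

# Parse "1.8.6-p229", "1.9.0-2" or a bare "1.8.6" into [[major, minor, teeny], patchlevel].
# A missing patchlevel is treated as 0, i.e. the first release on that branch.
def parse_ruby_version(str)
  m = /\A(\d+)\.(\d+)\.(\d+)(?:-p?(\d+))?\z/.match(str.strip)
  raise ArgumentError, "unrecognised Ruby version: #{str.inspect}" unless m
  branch = [m[1], m[2], m[3]].map(&:to_i)
  [branch, (m[4] || 0).to_i]
end

# Returns :affected, :fixed or :not_covered (a branch newer than anything the
# record lists, for example 1.9.1, which this check cannot classify).
def status_for_cve_2008_2664(str)
  branch, patch = parse_ruby_version(str)
  oldest_fixed_branch = FIXED_PATCHLEVEL.keys.min
  # 1.8.4 and earlier: the record names no fixed release, so treat as affected.
  return :affected if (branch <=> oldest_fixed_branch) < 0
  fixed = FIXED_PATCHLEVEL[branch]
  return :not_covered if fixed.nil?
  patch < fixed ? :affected : :fixed
end

# Status of the interpreter running this script. RUBY_PATCHLEVEL is -1 on
# development builds, which carry no patch level to compare against.
def running_ruby_status
  return :not_covered if RUBY_PATCHLEVEL < 0
  status_for_cve_2008_2664("#{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}")
end

if __FILE__ == $0
  # Constructed sample versions bracketing each fixed release in the Remedy.
  %w[1.8.4 1.8.5-p230 1.8.5-p231 1.8.6-p229 1.8.6-p230 1.8.7-p21 1.8.7-p22
     1.9.0-1 1.9.0-2 1.9.1-p0].each do |v|
    puts "#{v}: #{status_for_cve_2008_2664(v)}"
  end
  puts "this interpreter: #{running_ruby_status}"
end
```

Run it on a host to print the status of the interpreter in PATH, or pass the version string reported by `ruby -v` on another system to `status_for_cve_2008_2664`. Distribution packages (the RHSA, DSA, MDVSA and USN advisories in the References) often backport the fix without raising the patch level, so on packaged builds the package version from the vendor advisory, not this check, is the authoritative indicator.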

Consequences:

Gain Access

References:

  • Ruby Programming Language Web site, Arbitrary code execution vulnerabilities at http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities.
  • ASA-2008-295: ruby security update (RHSA-2008-0561)
  • ASA-2008-297: ruby security update (RHSA-2008-0562)
  • BID-29903: Ruby Multiple Array and String Handling Functions Multiple Arbitrary Code Execution Vulnerabilities
  • CVE-2008-2664: The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.
  • DSA-1612: ruby1.8 -- several vulnerabilities
  • DSA-1618: ruby1.9 -- several vulnerabilities
  • FrSIRT/ADV-2008-1907: Ruby Data Handling Denial of Service and Code Execution Vulnerabilities
  • FrSIRT/ADV-2008-1981: Apple Mac OS X Command Execution and Security Bypass Issues
  • MDVSA-2008:140: Updated ruby packages fix vulnerabilities
  • MDVSA-2008:141: Updated ruby packages fix vulnerabilities
  • MDVSA-2008:142: Updated ruby packages fix vulnerabilities
  • RHSA-2008-0561: Moderate: ruby security update
  • RHSA-2008-0562: Moderate: ruby security update
  • SA30802: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
  • SECTRACK ID: 1020347: Ruby Bugs Let Users Deny Service and Execute Arbitrary Code
  • SUSE-SR:2008:017: SUSE Security Summary Report
  • USN-621-1: Ruby vulnerabilities

Reported:

Jun 20, 2008

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net
