Debian: New ruby1.8 packages fix several vulnerabilities
Posted by Benjamin D. Thomas   
Debian Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service or the execution of arbitrary code.
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1612-1                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
July 21, 2008                         http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : ruby1.8
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2008-2662 CVE-2008-2663 CVE-2008-2664 CVE-2008-2725 CVE-2008-2726 CVE-2008-2376

Several vulnerabilities have been discovered in the interpreter for
the Ruby language, which may lead to denial of service or the
execution of arbitrary code. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2006-2662

    Drew Yao discovered that multiple integer overflows in the string
    processing code may lead to denial of service and potentially the
    execution of arbitrary code.

CVE-2008-2663

    Drew Yao discovered that multiple integer overflows in the string
    processing code may lead to denial of service and potentially the
    execution of arbitrary code.

CVE-2008-2664

    Drew Yao discovered that a programming error in the string
    processing code may lead to denial of service and potentially the
    execution of arbitrary code.

CVE-2008-2725

    Drew Yao discovered that an integer overflow in the array handling
    code may lead to denial of service and potentially the execution
    of arbitrary code.

CVE-2008-2726

    Drew Yao discovered that an integer overflow in the array handling
    code may lead to denial of service and potentially the execution
    of arbitrary code.

CVE-2008-2376

    It was discovered that an integer overflow in the array handling
    code may lead to denial of service and potentially the execution
    of arbitrary code.

For the stable distribution (etch), these problems have been fixed in
version 1.8.5-4etch2.

For the unstable distribution (sid), these problems have been fixed in
version 1.8.7.22-2.

We recommend that you upgrade your ruby1.8 packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Stable updates are available for amd64, arm, hppa, i386, ia64, mipsel, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5.orig.tar.gz
    Size/MD5 checksum:  4434227 aae9676332fcdd52f66c3d99b289878f
  http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2.diff.gz
    Size/MD5 checksum:   100878 f55f4e2a0ca298d6312a8e3c4618da0f
  http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2.dsc
    Size/MD5 checksum:     1079 02286e0f1885c65a9d1fdad5bd933ac7

Architecture independent packages:

  http://security.debian.org/pool/updates/main/r/ruby1.8/rdoc1.8_1.8.5-4etch2_all.deb
    Size/MD5 checksum:   309932 0d08bd3d9b467f82df59811dcb4ffd10
  http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-elisp_1.8.5-4etch2_all.deb
    Size/MD5 checksum:   209874 76ab42ff282540121b1ffa23b8c34208
  http://security.debian.org/pool/updates/main/r/ruby1.8/irb1.8_1.8.5-4etch2_all.deb
    Size/MD5 checksum:   235238 d1f242b11d00199ecedf64cac2c6ac44
  http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-examples_1.8.5-4etch2_all.deb
    Size/MD5 checksum:   242330 11359f9774006c02ca68402b1a6c021e
  http://security.debian.org/pool/updates/main/r/ruby1.8/ri1.8_1.8.5-4etch2_all.deb
    Size/MD5 checksum:  1228716 cacd1dfc0b53e163adf3090175d85260

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.5-4etch2_amd64.deb
    Size/MD5 checksum:   302500 42fb912eed252ddf0c0e0d1ded838375
  http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.5-4etch2_amd64.deb
    Size/MD5 checksum:   197696 9388576f466a8d757a261653be326a64
  http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.5-4etch2_amd64.deb
    Size/MD5 checksum:   198304 6dd9e7ffc83e0a343acc5d9360233724
  http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.5-4etch2_amd64.deb
    Size/MD5 checksum:  1584450 7bfff8f2effc86fefd21cad2ad7aefe2
  http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.5-4etch2_amd64.deb
    Size/MD5 checksum:   197264 34559ddb2772bd4e4b4e9438da43b012
  http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.5-4etch2_amd64.deb
    Size/MD5 checksum:  1068156 13587924fe8611ee3248d69615b77ff9
  http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.5-4etch2_amd64.deb
    Size/MD5 checksum:  1863884 c9f007e6a0388f91463d422e9f88af00
  http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.5-4etch2_amd64.deb
    Size/MD5 checksum:   748210 55373ce2ec797ad0334761d19e21ed04
  http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2_amd64.deb
    Size/MD5 checksum:   216876 c45424af2eff7d0894d8b45f02531ae0

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.5-4etch2_arm.deb
    Size/MD5 checksum:   196940 a62011688ef13cbc74632695d8360744
  http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.5-4etch2_arm.deb
    Size/MD5 checksum:   197322 edf088cbecf6685fcd8455b9f787e207
  http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.5-4etch2_arm.deb
    Size/MD5 checksum:  1858580 7ccb22d6b10c2d2f8016c4a37488354e
  http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.5-4etch2_arm.deb
    Size/MD5 checksum:  1524706 458dc14e9530cf12e2c109001ee6f502
  http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.5-4etch2_arm.deb
    Size/MD5 checksum:   196234 0b8141526f878fb32dd041d36dfe438d
  http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.5-4etch2_arm.deb
    Size/MD5 checksum:   992648 fbaf16530fa84811a4f5c6ef1c3f1396
  http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2_arm.deb
    Size/MD5 checksum:   218902 6fed18d07c5589012711dcffd2c47654
  http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.5-4etch2_arm.deb
    Size/MD5 checksum:   287070 e24374581f184cb912ab1c2904de4c52
  http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.5-4etch2_arm.deb
    Size/MD5 checksum:   696944 8a4a676931c6659d266f834e32ff3473

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.5-4etch2_hppa.deb
    Size/MD5 checksum:   198692 837006b2872f955dd9ec506e913e7b65
  http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.5-4etch2_hppa.deb
    Size/MD5 checksum:  1868624 391adcb7da667e079e38b31957639921
  http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2_hppa.deb
    Size/MD5 checksum:   218760 9257f4fc3685c20dfea925a3b375df6c
  http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.5-4etch2_hppa.deb
    Size/MD5 checksum:  1041804 7617254859485b415d7abe4e44f97e20
  http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.5-4etch2_hppa.deb
    Size/MD5 checksum:   199398 8de28dbbcaccd932cdf4b1368de85fa3
  http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.5-4etch2_hppa.deb
    Size/MD5 checksum:  1675058 d4d8d05f55e84ac811a4a23379d2fccf
  http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.5-4etch2_hppa.deb
    Size/MD5 checksum:   315826 5ba45a9cab7c98a9863790f0ddb5e032
  http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.5-4etch2_hppa.deb
    Size/MD5 checksum:   199712 7eba9eec4404e39ba3a05d0ba7182aaf
  http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.5-4etch2_hppa.deb
    Size/MD5 checksum:   823768 c5872e31690ebf1f937ae5921e09d6ee

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.5-4etch2_i386.deb
    Size/MD5 checksum:   197152 cc0255b2d30f2868b3a35131baea785e
  http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.5-4etch2_i386.deb
    Size/MD5 checksum:   197458 23448fa802f56b0353e146dd95798b40
  http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.5-4etch2_i386.deb
    Size/MD5 checksum:  1529512 e554018801428fcc8a0eb270cecbe0a1
  http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.5-4etch2_i386.deb
    Size/MD5 checksum:  1830888 cfe09cb1dee2dc0ec663b764016c5c41
  http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.5-4etch2_i386.deb
    Size/MD5 checksum:   292002 669ff5d31b18e684695fcc585bbcf37d
  http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2_i386.deb
    Size/MD5 checksum:   217452 fd84d502e12c0ed9dcb9931533bedf14
  http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.5-4etch2_i386.deb
    Size/MD5 checksum:   719152 eb2bb629d207bdb94513224cd696133a
  http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.5-4etch2_i386.deb
    Size/MD5 checksum:   197870 8dda63e50264e70657c900bf0e31268a
  http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.5-4etch2_i386.deb
    Size/MD5 checksum:  1002688 9f9723f995389d89c8edff650cd80572

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.5-4etch2_ia64.deb
    Size/MD5 checksum:  1861398 da0a8b6f595234f6362108c53d4b8527
  http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.5-4etch2_ia64.deb
    Size/MD5 checksum:   971210 96f9b9c22c86efba9a9677ff97543ba7
  http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.5-4etch2_ia64.deb
    Size/MD5 checksum:  1025826 a0282c8d5148ee5530ddcb1918aa6393
  http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.5-4etch2_ia64.deb
    Size/MD5 checksum:   202014 60855e63b50d60c6446699ca8a9e5f9a
  http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.5-4etch2_ia64.deb
    Size/MD5 checksum:  1893652 99e42c9ff74db67737bc1037a668bd81
  http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.5-4etch2_ia64.deb
    Size/MD5 checksum:   201044 53faf98cdde5801097f06c669ef31997
  http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.5-4etch2_ia64.deb
    Size/MD5 checksum:   202966 d5ad616f41e4c71fcab98abc32af8425
  http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2_ia64.deb
    Size/MD5 checksum:   218178 814d14acfbc5060ce05f5610185bacef
  http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.5-4etch2_ia64.deb
    Size/MD5 checksum:   330138 87b96dd77f226d1b156aa41cbd50e869

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2_mipsel.deb
    Size/MD5 checksum:   217702 035d0564ca69caf6291f91b396afd933
  http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.5-4etch2_mipsel.deb
    Size/MD5 checksum:  1059672 ae82660099169f05b832ea65b5875f42
  http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.5-4etch2_mipsel.deb
    Size/MD5 checksum:   792918 6daa1c239c1875477c369d662c1c7990
  http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.5-4etch2_mipsel.deb
    Size/MD5 checksum:   278810 b1ef2497c40951b0f55afbeb9b2b5a73
  http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.5-4etch2_mipsel.deb
    Size/MD5 checksum:   197272 ca8b731d68d2ef0ecab3f8d46421e390
  http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.5-4etch2_mipsel.deb
    Size/MD5 checksum:  1536298 72ed58d1217e07ec4ff4c536e426b112
  http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.5-4etch2_mipsel.deb
    Size/MD5 checksum:   197624 77f168b7b16d958921c399ec2fb2c55d
  http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.5-4etch2_mipsel.deb
    Size/MD5 checksum:  1829844 d73c28a07fc670c515d35e5f4cc460de
  http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.5-4etch2_mipsel.deb
    Size/MD5 checksum:   196686 7a50283b0c21e6c374254274587a250c

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2_s390.deb
    Size/MD5 checksum:   217566 ff62230e9213127217ba40da20bc6dbb
  http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.5-4etch2_s390.deb
    Size/MD5 checksum:   778968 84b097fa479926caef58f0cde5c6cc58
  http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.5-4etch2_s390.deb
    Size/MD5 checksum:  1051808 c06ced9c1c2cf67d499266ce98809448
  http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.5-4etch2_s390.deb
    Size/MD5 checksum:   198216 9ebd6482767e58cfc7b77778a48dc54b
  http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.5-4etch2_s390.deb
    Size/MD5 checksum:   304860 1609587558238fabdafff4f25fab5693
  http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.5-4etch2_s390.deb
    Size/MD5 checksum:  1838646 b969d38b082b4554e2a68784a872d32f
  http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.5-4etch2_s390.deb
    Size/MD5 checksum:   198530 6e9d131297d20789402f06b598bf31a5
  http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.5-4etch2_s390.deb
    Size/MD5 checksum:   199016 d365604deac86ffe016706a4d53a41f8
  http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.5-4etch2_s390.deb
    Size/MD5 checksum:  1617614 d136348e15e9c521e9df47c4725cae99

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.5-4etch2_sparc.deb
    Size/MD5 checksum:   197476 5ad505e06bfd48a7a52d31b04282ce75
  http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.5-4etch2_sparc.deb
    Size/MD5 checksum:   295616 6999ddde1719965f55cb431435c77ac6
  http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2_sparc.deb
    Size/MD5 checksum:   217478 6ffe8d27ff16d0d885bd41e8cf5356e2
  http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.5-4etch2_sparc.deb
    Size/MD5 checksum:   740760 1a9e73da21a894b10ebdd88675340247
  http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.5-4etch2_sparc.deb
    Size/MD5 checksum:   197526 329124a906b7eb6ba13c30864ff59373
  http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.5-4etch2_sparc.deb
    Size/MD5 checksum:  1540818 b827798d6293c28046527b96b733818b
  http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.5-4etch2_sparc.deb
    Size/MD5 checksum:   961112 efe54a61cd55bf6f7de9417941795f29
  http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.5-4etch2_sparc.deb
    Size/MD5 checksum:   196756 c4741cba5f54a703cdcba0fe027a6468
  http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.5-4etch2_sparc.deb
    Size/MD5 checksum:  1832852 8286b329ab1bad7793d827e33bae56c2


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org