USN-900-1: Ruby vulnerabilities

16 February 2010

Ruby vulnerabilities

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

Details

Emmanouel Kellinis discovered that Ruby did not properly handle certain
string operations. An attacker could exploit this issue and possibly
execute arbitrary code with application privileges. (CVE-2009-4124)

Giovanni Pellerano, Alessandro Tanasi, and Francesco Ongaro discovered that
Ruby did not properly sanitize data written to log files. An attacker could
insert specially-crafted data into log files which could affect certain
terminal emulators and cause arbitrary files to be overwritten, or even
possibly execute arbitrary commands. (CVE-2009-4492)

It was discovered that Ruby did not properly handle string arguments that
represent large numbers. An attacker could exploit this and cause a denial
of service. This issue only affected Ubuntu 9.10. (CVE-2009-1904)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10
Ubuntu 9.04
Ubuntu 8.10

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Related notices

  • USN-805-1: libruby1.9, ruby1.8, ruby1.9, libruby1.8