Ruby is an extensible, interpreted, object-oriented, scripting language. Ithas features to process text files and to do system management tasks.A flaw was found in the way large amounts of memory were allocated on64-bit systems when using the BigDecimal class. A context-dependentattacker could use this flaw to cause memory corruption, causing a Rubyapplication that uses the BigDecimal class to crash or, possibly, executearbitrary code. This issue did not affect 32-bit systems. (CVE-2011-0188)A race condition flaw was found in the remove system entries method in theFileUtils module. If a local user ran a Ruby script that uses this method,a local attacker could use this flaw to delete arbitrary files anddirectories accessible to that user via a symbolic link attack.(CVE-2011-1004)It was found that WEBrick (the Ruby HTTP server toolkit) did not filterterminal escape sequences from its log files. A remote attacker could usespecially-crafted HTTP requests to inject terminal escape sequences intothe WEBrick log files. If a victim viewed the log files with a terminalemulator, it could result in control characters being executed with theprivileges of that user. (CVE-2009-4492)A cross-site scripting (XSS) flaw was found in the way WEBrick displayederror pages. A remote attacker could use this flaw to perform a cross-sitescripting attack against victims by tricking them into visiting aspecially-crafted URL. (CVE-2010-0541)A flaw was found in the method for translating an exception message into astring in the Exception class. A remote attacker could use this flaw tobypass safe level 4 restrictions, allowing untrusted (tainted) code tomodify arbitrary, trusted (untainted) strings, which safe level 4restrictions would otherwise prevent. (CVE-2011-1005)Red Hat would like to thank Drew Yao of Apple Product Security forreporting the CVE-2011-0188 and CVE-2010-0541 issues.All Ruby users should upgrade to these updated packages, which containbackported patches to resolve these issues.