Rapid7 Vulnerability & Exploit Database

RHSA-2011:0910: ruby security update

Back to Search

RHSA-2011:0910: ruby security update

Severity
7
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published
03/22/2011
Created
07/25/2018
Added
07/05/2011
Modified
07/04/2017

Description

Ruby is an extensible, interpreted, object-oriented, scripting language. Ithas features to process text files and to do system management tasks.A flaw was found in the way large amounts of memory were allocated on64-bit systems when using the BigDecimal class. A context-dependentattacker could use this flaw to cause memory corruption, causing a Rubyapplication that uses the BigDecimal class to crash or, possibly, executearbitrary code. This issue did not affect 32-bit systems. (CVE-2011-0188)A race condition flaw was found in the remove system entries method in theFileUtils module. If a local user ran a Ruby script that uses this method,a local attacker could use this flaw to delete arbitrary files anddirectories accessible to that user via a symbolic link attack.(CVE-2011-1004)A flaw was found in the method for translating an exception message into astring in the Exception class. A remote attacker could use this flaw tobypass safe level 4 restrictions, allowing untrusted (tainted) code tomodify arbitrary, trusted (untainted) strings, which safe level 4restrictions would otherwise prevent. (CVE-2011-1005)Red Hat would like to thank Drew Yao of Apple Product Security forreporting the CVE-2011-0188 issue.All Ruby users should upgrade to these updated packages, which containbackported patches to resolve these issues.

Solution(s)

  • redhat-upgrade-ruby
  • redhat-upgrade-ruby-debuginfo
  • redhat-upgrade-ruby-devel
  • redhat-upgrade-ruby-docs
  • redhat-upgrade-ruby-irb
  • redhat-upgrade-ruby-libs
  • redhat-upgrade-ruby-rdoc
  • redhat-upgrade-ruby-ri
  • redhat-upgrade-ruby-static
  • redhat-upgrade-ruby-tcltk

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;