USN-900-1: Ruby vulnerabilities

Releases

• Ubuntu 9.10
• Ubuntu 9.04
• Ubuntu 8.10

Packages

• ruby1.9 -

Details

Emmanouel Kellinis discovered that Ruby did not properly handle certain
string operations. An attacker could exploit this issue and possibly
execute arbitrary code with application privileges. (CVE-2009-4124)

Giovanni Pellerano, Alessandro Tanasi, and Francesco Ongaro discovered that
Ruby did not properly sanitize data written to log files. An attacker could
insert specially-crafted data into log files which could affect certain
terminal emulators and cause arbitrary files to be overwritten, or even
possibly execute arbitrary commands. (CVE-2009-4492)

It was discovered that Ruby did not properly handle string arguments that
represent large numbers. An attacker could exploit this and cause a denial
of service. This issue only affected Ubuntu 9.10. (CVE-2009-1904)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10

• ruby1.9 - 1.9.0.5-1ubuntu1.2
• libruby1.9 - 1.9.0.5-1ubuntu1.2

Ubuntu 9.04

• ruby1.9 - 1.9.0.2-9ubuntu1.2
• libruby1.9 - 1.9.0.2-9ubuntu1.2

Ubuntu 8.10

• ruby1.9 - 1.9.0.2-7ubuntu1.3
• libruby1.9 - 1.9.0.2-7ubuntu1.3

In general, a standard system upgrade is sufficient to effect the
necessary changes.

References

• CVE-2009-1904
• CVE-2009-4124
• CVE-2009-4492

Related notices

• USN-805-1: libruby1.9, ruby1.9, ruby1.8, libruby1.8