Directory traversal vulnerability in WEBrick in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option.

This update of ruby fixes :

  - a possible information leakage. (CVE-2008-1145) 

  - a directory traversal bug in WEBrick. (CVE-2008-1891) 

  - various memory corruptions and integer overflows in     array and string handling. (CVE-2008-2662,     CVE-2008-2663, CVE-2008-2664, CVE-2008-2725,     CVE-2008-2726, CVE-2008-2727, CVE-2008-2728)

This update of ruby fixes :

  - a possible information leakage (CVE-2008-1145) 

  - a directory traversal bug (CVE-2008-1891) in WEBrick 

  - various memory corruptions and integer overflows in     array and string handling (CVE-2008-2662, CVE-2008-2663,     CVE-2008-2664, CVE-2008-2725, CVE-2008-2726,     CVE-2008-2727, CVE-2008-2728)

Multiple vulnerabilities have been found in the Ruby interpreter and in Webrick, the webserver bundled with Ruby.

Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash () path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) ..%5c (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option. (CVE-2008-1145)

Directory traversal vulnerability in WEBrick in Ruby 1.9.0 and earlier, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option. (CVE-2008-1891)

Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption.
(CVE-2008-2662)

Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors.
(CVE-2008-2663)

The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca. (CVE-2008-2664)

Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the REALLOC_N variant.
(CVE-2008-2725)

Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption, aka the beg + rlen issue.
(CVE-2008-2726)

Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. (CVE-2008-2376)

The updated packages have been patched to fix these issues.

Multiple vulnerabilities have been found in the Ruby interpreter and in Webrick, the webserver bundled with Ruby.

Directory traversal vulnerability in WEBrick in Ruby 1.9.0 and earlier, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option. (CVE-2008-1891)

Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption.
(CVE-2008-2662)

Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors.
(CVE-2008-2663)

The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca. (CVE-2008-2664)

Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the REALLOC_N variant.
(CVE-2008-2725)

Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption, aka the beg + rlen issue.
(CVE-2008-2726)

Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. (CVE-2008-2376)

The updated packages have been patched to fix these issues.

This update of ruby fixes :

  - a possible information leakage. (CVE-2008-1145)

  - a directory traversal bug (CVE-2008-1891) in WEBrick

  - various memory corruptions and integer overflows in     array and string handling. (CVE-2008-2662 /     CVE-2008-2663 / CVE-2008-2664 / CVE-2008-2725 /     CVE-2008-2726 / CVE-2008-2727 / CVE-2008-2728)

- Tue Jun 24 2008 Akira TAGOH <tagoh at redhat.com> -     1.8.6.230-1

    - New upstream release.

    - Security fixes. (#452294).

    - CVE-2008-1891: WEBrick CGI source disclosure.

    - CVE-2008-2662: Integer overflow in       rb_str_buf_append().

    - CVE-2008-2663: Integer overflow in rb_ary_store().

    - CVE-2008-2664: Unsafe use of alloca in       rb_str_format().

    - CVE-2008-2725: Integer overflow in rb_ary_splice().

    - CVE-2008-2726: Integer overflow in rb_ary_splice().

    - ruby-1.8.6.111-CVE-2007-5162.patch: removed.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Tue Jun 24 2008 Akira TAGOH <tagoh at redhat.com> -     1.8.6.230-1

    - New upstream release.

    - Security fixes. (#452293)

    - CVE-2008-1891: WEBrick CGI source disclosure.

    - CVE-2008-2662: Integer overflow in       rb_str_buf_append().

    - CVE-2008-2663: Integer overflow in rb_ary_store().

    - CVE-2008-2664: Unsafe use of alloca in       rb_str_format().

    - CVE-2008-2725: Integer overflow in rb_ary_splice().

    - CVE-2008-2726: Integer overflow in rb_ary_splice().

    - ruby-1.8.6.111-CVE-2007-5162.patch: removed.

    - Tue Mar 4 2008 Akira TAGOH <tagoh at redhat.com> -       1.8.6.114-1

    - Security fix for CVE-2008-1145.

    - Improve a spec file. (#226381)

    - Correct License tag.

    - Fix a timestamp issue.

    - Own a arch-specific directory.

    - Tue Feb 19 2008 Fedora Release Engineering <rel-eng at       fedoraproject.org> - 1.8.6.111-9

    - Autorebuild for GCC 4.3

    - Tue Feb 19 2008 Akira TAGOH <tagoh at redhat.com> -       1.8.6.111-8

    - Rebuild for gcc-4.3.

    - Tue Jan 15 2008 Akira TAGOH <tagoh at redhat.com> -       1.8.6.111-7

    - Revert the change of libruby-static.a. (#428384)

    - Fri Jan 11 2008 Akira TAGOH <tagoh at redhat.com> -       1.8.6.111-6

    - Fix an unnecessary replacement for shebang. (#426835)

    - Fri Jan 4 2008 Akira TAGOH <tagoh at redhat.com> -       1.8.6.111-5

    - Rebuild.

    - Fri Dec 28 2007 Akira TAGOH <tagoh at redhat.com> -       1.8.6.111-4

    - Clean up again.

    - Fri Dec 21 2007 Akira TAGOH <tagoh at redhat.com> -       1.8.6.111-3

    - Clean up the spec file.

    - Remove ruby-man-1.4.6 stuff. this is entirely the       out-dated document. this could be replaced by ri.

  - Disable the static library building.

    - Tue Dec 4 2007 Release Engineering <rel-eng at       fedoraproject dot org> - 1.8.6.111-2

    - Rebuild for openssl bump

    - Wed Oct 31 2007 Akira TAGOH <tagoh at redhat.com>

    - Fix the dead link.

    - Mon Oct 29 2007 Akira TAGOH <tagoh at redhat.com> -       1.8.6.111-1

    - New upstream release.

    - ruby-1.8.6.111-CVE-2007-5162.patch: Update a bit with       backporting the changes at trunk to enable the fix       without any modifications on the users' scripts. Note       that Net::HTTP#enable_post_connection_check isn't       available anymore. If you want to disable this       post-check, you should give OpenSSL::SSL::VERIFY_NONE       to Net::HTTP#verify_mode= instead of.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote instance of WEBrick, a standard library of Ruby to implement HTTP servers, allows an attacker to view the source of CGI scripts hosted by the affected application by appending to the URL certain characters, such as '+', '%2b', '.', '%2e', or '%20'. 

Note that successful exploitation may be dependent on the underlying remote filesystem, for example FAT32 and NTFS.

ID	Name	Product	Family	Severity
41228	SuSE9 Security Update : Ruby (YOU Patch Number 12214)	Nessus	SuSE Local Security Checks	critical
40121	openSUSE Security Update : ruby (ruby-123)	Nessus	SuSE Local Security Checks	critical
37401	Mandriva Linux Security Advisory : ruby (MDVSA-2008:141)	Nessus	Mandriva Local Security Checks	critical
36689	Mandriva Linux Security Advisory : ruby (MDVSA-2008:140)	Nessus	Mandriva Local Security Checks	critical
34028	openSUSE 10 Security Update : ruby (ruby-5483)	Nessus	SuSE Local Security Checks	critical
34020	SuSE 10 Security Update : Ruby (ZYPP Patch Number 5484)	Nessus	SuSE Local Security Checks	critical
33261	Fedora 9 : ruby-1.8.6.230-1.fc9 (2008-5664)	Nessus	Fedora Local Security Checks	critical
33260	Fedora 8 : ruby-1.8.6.230-1.fc8 (2008-5649)	Nessus	Fedora Local Security Checks	critical
31865	WEBrick Encoded Traversal Arbitrary CGI Source Disclosure	Nessus	CGI abuses	medium

Detections

Analytics

CVE-2008-1891

medium

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

medium