CVE-2008-2725
Published: 2008-06-24
Priority: P434 · CVSS 2.0: 7.8 (high), vector AV:N/AC:L/Au:N/C:N/I:N/A:C
EPSS: 3.70% (88.4th percentile)
Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the "REALLOC_N" variant, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2664. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| ruby-lang | ruby | < 1.8.5.231 | 1.8.5.231 |
| ruby-lang | ruby | <= 1.8.4 | — |
| ruby-lang | ruby | >= 1.8.5 < 1.8.5.231 | 1.8.5.231 |
| ruby-lang | ruby | >= 1.8.6 < 1.8.6.230 | 1.8.6.230 |
| ruby-lang | ruby | >= 1.8.7 < 1.8.7.22 | 1.8.7.22 |
| ruby-lang | ruby | >= 1.9.0 < 1.9.0.2 | 1.9.0.2 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.8 | HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C |
| vendor_redhat | — | 10.0 | CRITICAL | — |
| vendor_ubuntu | — | 10.0 | CRITICAL | — |
GHSA: GHSA-924x-9756-qq8p (ghsa_unreviewed · 2022-05-01 · CVSS 10.0, CRITICAL)
CVE-2008-2725: Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.x
Description identical to the NVD text at the top of this page.
GHSA: GHSA-c4h6-p7gp-39x2 (ghsa_unreviewed · 2022-05-01 · CVSS 10.0, CRITICAL)
CVE-2008-2664: The rb_str_format function in Ruby 1.8.x and 1.9.0
The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.
GHSA: GHSA-8rh4-h2wx-5jpx (ghsa_unreviewed · 2022-05-01 · CVSS 10.0, CRITICAL, CWE-190)
CVE-2008-2663: Multiple integer overflows in the rb_ary_store function in Ruby 1.8.x
Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors, a different issue than CVE-2008-2662, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.
GHSA: GHSA-6wwf-x53r-5qqq (ghsa_unreviewed · 2022-05-01 · CVSS 10.0, CRITICAL)
CVE-2008-2662: Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.x and 1.9.0
Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption, a different issue than CVE-2008-2663, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. This CVE description should be regarded as authoritative, although it is likely to change.
Ubuntu: Ruby vulnerabilities (vendor_ubuntu · 2008-06-26 · CVSS 10.0, CRITICAL)
CVE-2008-2725
Drew Yao discovered several vulnerabilities in Ruby which lead to integer
overflows. If a user or automated system were tricked into running a
malicious script, an attacker could cause a denial of service or execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2008-2662, CVE-2008-2663, CVE-2008-2725, CVE-2008-2726)
Drew Yao discovered that Ruby did not sanitize its input when using ALLOCA.
If a user or automated system were tricked into running a malicious script,
an attacker could cause a denial of service via memory corruption.
(CVE-2008-2664)
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat: ruby: Integer overflows in rb_str_buf_append() (vendor_redhat · 2008-06-20 · CVSS 10.0, CRITICAL, CWE-190)
CVE-2008-2662
Description identical to the GHSA entry for CVE-2008-2662 above.
Red Hat: ruby: Unsafe use of alloca in rb_str_format() (vendor_redhat · 2008-06-20 · CVSS 10.0, CRITICAL)
CVE-2008-2664
Description identical to the GHSA entry for CVE-2008-2664 above.
Red Hat: ruby: Integer overflows in rb_ary_store() (vendor_redhat · 2008-06-20 · CVSS 10.0, CRITICAL, CWE-190)
CVE-2008-2663
Description identical to the GHSA entry for CVE-2008-2663 above.
Red Hat: ruby: integer overflow in rb_ary_splice/update/replace() - REALLOC_N (vendor_redhat · 2008-06-20 · CVSS 10.0, CRITICAL, CWE-190)
CVE-2008-2725
Description identical to the NVD text at the top of this page.
No detection rules found.
No public exploits indexed.
Bugzilla: CVE-2008-2725 ruby: integer overflow in rb_ary_splice/update/replace() - REALLOC_N (bugzilla · 2008-06-17 · CVSS 7.8, HIGH)
Drew Yao of the Apple Product Security team reported an integer overflow leading to a memory mis-allocation and heap overflow in the rb_ary_splice() function used by the ruby interpreter for handling arrays. The problematic reallocation is:

```c
if (len >= RARRAY(ary)->aux.capa) {
    REALLOC_N(RARRAY(ary)->ptr, VALUE, len);   /* --> */
    RARRAY(ary)->aux.capa = len;
}
```

This flaw can be used to crash and possibly execute arbitrary code with the privileges of Ruby applications which use untrusted input in array operations.
Acknowledgements:
Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting this issue.
Discussion:
Created attachment 309637
Drew Yao's proposed patch against ruby 1.8.5
---
Create
Bugzilla: CVE-2008-2727 ruby: integer overflow in rb_ary_replace() (ruby-1.6.x) - REALLOC_N (bugzilla · 2008-06-17 · CVSS 7.8, HIGH)
Drew Yao of the Apple Product Security team reported an integer overflow leading to a memory mis-allocation and heap overflow in the rb_ary_splice() function used by the ruby interpreter for handling arrays. For details, see:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2725

Ruby 1.6.x does not have rb_ary_splice(), but the same vulnerable code exists in the rb_ary_replace() function. This issue is a ruby 1.6.x equivalent of CVE-2008-2725.
Discussion:
Drew Yao's patch for rb_ary_splice():
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2725#c1
---
Public now, lifting embargo:
http://preview.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities
Patches applied upstream: (r
Bugzilla: CVE-2008-2726 ruby: integer overflow in rb_ary_splice/update/replace() - beg + rlen (bugzilla · 2008-06-17 · CVSS 7.8, HIGH)
Drew Yao of the Apple Product Security team reported an integer overflow leading to a bypass of memory re-allocation causing a heap overflow in the rb_ary_splice() function used by the ruby interpreter for handling arrays. The problematic addition that may overflow:

```c
if (beg >= RARRAY(ary)->len) {
    len = beg + rlen;                            /* --> */
    if (len >= RARRAY(ary)->aux.capa) {
        REALLOC_N(RARRAY(ary)->ptr, VALUE, len);
```

The addition may overflow, causing len to be negative, and due to that REALLOC_N is not called.

This flaw can be used to crash and possibly execute arbitrary code with the privileges of Ruby applications which use untrusted input in array operations.
Acknowledgements:
Red Hat would like to thank Drew Yao of the Apple Prod
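As an added illustration (not Ruby's code and not the reporter's patch), the following C model covers both Bugzilla entries above: the unchecked `len = beg + rlen` decision from CVE-2008-2726, which lets a wrapped-negative length skip the reallocation, beside a hardened form that rejects the addition overflow and also bounds the element count before it is multiplied by sizeof(VALUE), the size computation behind the CVE-2008-2725 mis-allocation. The names `ARY_MAX_ELEMS`, `splice_new_len` and `ary_ensure_capa` are assumed here.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
typedef unsigned long VALUE;   /* Ruby's VALUE is one machine word */

/* Largest element count for which count * sizeof(VALUE) fits in size_t. */
#define ARY_MAX_ELEMS ((long)(SIZE_MAX / sizeof(VALUE)))
enum splice_result { SPLICE_OK, SPLICE_ADD_OVERFLOW, SPLICE_TOO_BIG };

/* The quoted unchecked decision: len = beg + rlen, grow only if len >= capa.
 * Modelled with wrapping unsigned arithmetic so the model itself is defined;
 * a wrapped-negative len makes this return false and the buffer stays small. */
bool unchecked_would_realloc(long capa, long beg, long rlen)
{
    long len = (long)((unsigned long)beg + (unsigned long)rlen);
    return len >= capa;
}

/* Hardened form (assumed here, not Ruby's fix): validate the addition before
 * doing it, and bound the result so the later byte count cannot wrap either. */
enum splice_result splice_new_len(long beg, long rlen, long *new_len)
{
    if (beg < 0 || rlen < 0 || rlen > LONG_MAX - beg)
        return SPLICE_ADD_OVERFLOW;   /* beg + rlen does not fit a long */
    if (beg + rlen > ARY_MAX_ELEMS)
        return SPLICE_TOO_BIG;        /* new_len * sizeof(VALUE) would wrap */
    *new_len = beg + rlen;
    return SPLICE_OK;
}

/* Grow *ptr (currently *capa slots) to new_len slots. The count is bounded
 * before the multiply, so a truncated allocation cannot be requested. */
bool ary_ensure_capa(VALUE **ptr, long *capa, long new_len)
{
    if (new_len < 0 || new_len > ARY_MAX_ELEMS) return false;
    if (new_len <= *capa) return true;                 /* already fits */
    VALUE *grown = realloc(*ptr, (size_t)new_len * sizeof(VALUE));
    if (grown == NULL) return false;
    *ptr = grown;
    *capa = new_len;
    return true;
}

int main(void)
{
    long n = 0;
    printf("unchecked beg=LONG_MAX rlen=1: realloc %s\n",
           unchecked_would_realloc(16, LONG_MAX, 1) ? "performed" : "skipped");
    printf("checked   beg=LONG_MAX rlen=1: result %d (1 = addition overflow)\n",
           splice_new_len(LONG_MAX, 1, &n));
    return 0;
}
```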
Bugzilla: CVE-2008-2728 ruby: integer overflow in rb_ary_replace() (ruby-1.6.x) - beg + rlen (bugzilla · 2008-06-17 · CVSS 7.8, HIGH)
Drew Yao of the Apple Product Security team reported an integer overflow leading to a bypass of memory re-allocation causing a heap overflow in the rb_ary_splice() function used by the ruby interpreter for handling arrays. For details, see:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2726

Ruby 1.6.x does not have rb_ary_splice(), but the same vulnerable code exists in the rb_ary_replace() function. This issue is a ruby 1.6.x equivalent of CVE-2008-2726.
Discussion:
Drew Yao's patch for rb_ary_splice():
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2725#c1
---
Public now, lifting embargo:
http://preview.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities
Patches appl