CVE-2008-2726
Published 2008-06-24
Priority: P3 · 35 · high · CVSS 2.0 7.8
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
EPSS: 3.76% (88.5th percentile)
Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption, aka the "beg + rlen" issue. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| ruby-lang | ruby | <= 1.8.4 | — |
| ruby-lang | ruby | >= 1.8.5 < 1.8.5.231 | 1.8.5.231 |
| ruby-lang | ruby | >= 1.8.6 < 1.8.6.230 | 1.8.6.230 |
| ruby-lang | ruby | >= 1.8.7 < 1.8.7.22 | 1.8.7.22 |
| ruby-lang | ruby | >= 1.9.0 < 1.9.0.2 | 1.9.0.2 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v2.0) | 7.8 | HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C |
| vendor_ubuntu | 10.0 | CRITICAL | — |
| vendor_redhat | 7.8 | HIGH | — |
GHSA
GHSA-v2mw-g73g-923h · ghsa_unreviewed · 2022-05-01 · HIGH
Description: identical to the NVD text above.
Ubuntu
CVE-2008-2725 [CRITICAL] Ruby vulnerabilities
vendor_ubuntu · 2008-06-26 · CVSS 10.0

Drew Yao discovered several vulnerabilities in Ruby which lead to integer overflows. If a user or automated system were tricked into running a malicious script, an attacker could cause a denial of service or execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2662, CVE-2008-2663, CVE-2008-2725, CVE-2008-2726)

Drew Yao discovered that Ruby did not sanitize its input when using ALLOCA. If a user or automated system were tricked into running a malicious script, an attacker could cause a denial of service via memory corruption. (CVE-2008-2664)

Instructions: In general, a standard system upgrade is sufficient to effect the necessary changes.
Red Hat
CVE-2008-2726 [HIGH] CWE-190 ruby: integer overflow in rb_ary_splice/update/replace() - beg + rlen
vendor_redhat · 2008-06-20 · CVSS 7.8
Description: identical to the NVD text above.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2008-2726 [HIGH] ruby: integer overflow in rb_ary_splice/update/replace() - beg + rlen
bugzilla · 2008-06-17 · CVSS 7.8

Drew Yao of the Apple Product Security team reported an integer overflow leading to a bypass of memory re-allocation causing a heap overflow in the rb_ary_splice() function used by ruby interpreter for handling arrays.
Problematic addition that may overflow:

```c
if (beg >= RARRAY(ary)->len) {
    len = beg + rlen;                       /* <-- may overflow */
    if (len >= RARRAY(ary)->aux.capa) {
        REALLOC_N(RARRAY(ary)->ptr, VALUE, len);
```

The addition may overflow causing len to be negative and due to that, REALLOC_N is not called.

This flaw can be used to crash and possibly execute arbitrary code with the privileges of Ruby application which use untrusted input in array operations.
Acknowledgements:
Red Hat would like to thank Drew Yao of the Apple Prod
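The following C program is an added illustration, not Ruby's source and not part of the Red Hat report. It models the "beg + rlen" length check quoted above with plain `long` values (that the array's length and capacity are `long` is an assumption made to mirror the RARRAY fields in the excerpt) and places the original comparison, which a wrapped sum slips past, next to a check that validates the operands before any reallocation decision is made.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Added example, not Ruby's source and not from the Red Hat report. It models
 * the "beg + rlen" length check of rb_ary_splice() with plain `long` values;
 * that the array's length and capacity are `long` is an assumption made to
 * mirror the RARRAY fields quoted in the report.
 */

/*
 * The reported pattern: form len = beg + rlen first, then ask whether the
 * buffer must grow. The sum is computed in unsigned arithmetic so the wrap is
 * well defined in C; the result is the same negative `len` the report
 * describes. Returns true when REALLOC_N would be called.
 */
static bool original_needs_realloc(long beg, long rlen, long capa)
{
    long len = (long)((unsigned long)beg + (unsigned long)rlen); /* may wrap negative */
    return len >= capa;   /* a negative len never reaches capa: no reallocation */
}

/* Overflow-checked signed addition: reports failure instead of wrapping. */
static bool checked_add_long(long a, long b, long *out)
{
    if ((b > 0 && a > LONG_MAX - b) || (b < 0 && a < LONG_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/*
 * Hardened check. Returns 1 when the buffer must grow, 0 when the request
 * fits, and -1 when an operand is negative or the sum would overflow; a
 * caller must treat -1 as an argument error and leave the buffer untouched.
 */
static int hardened_needs_realloc(long beg, long rlen, long capa)
{
    long len;
    if (beg < 0 || rlen < 0)
        return -1;                  /* index and length must be non-negative */
    if (!checked_add_long(beg, rlen, &len))
        return -1;                  /* "beg + rlen" would overflow */
    return len >= capa ? 1 : 0;
}

int main(void)
{
    const long capa = 16;           /* constructed: a 16-slot array */

    /* Ordinary request: 10 + 8 = 18 exceeds 16 slots; both checks grow. */
    printf("beg=10 rlen=8 capa=16: original=%d hardened=%d\n",
           original_needs_realloc(10, 8, capa),
           hardened_needs_realloc(10, 8, capa));

    /* Wrapping request: LONG_MAX + 1 becomes negative. The original check
       decides "no growth", so the buffer is never enlarged for the request;
       the hardened check refuses the operation instead. */
    printf("beg=LONG_MAX rlen=1 capa=16: original=%d hardened=%d\n",
           original_needs_realloc(LONG_MAX, 1, capa),
           hardened_needs_realloc(LONG_MAX, 1, capa));
    return 0;
}
```

The hardened variant validates the operands (non-negative, and their sum representable) before comparing against the capacity, which is the order the report's analysis calls for: once the sum has wrapped, no later comparison against `capa` can recover the information that the request was too large.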
Bugzilla
CVE-2008-2728 [HIGH] ruby: integer overflow in rb_ary_replace() (ruby-1.6.x) - beg + rlen
bugzilla · 2008-06-17 · CVSS 7.8

Drew Yao of the Apple Product Security team reported an integer overflow leading to a bypass of memory re-allocation causing a heap overflow in the rb_ary_splice() function used by ruby interpreter for handling arrays. For details, see:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2726

Ruby 1.6.x does not have rb_ary_splice(), but the same vulnerable code exists in the rb_ary_replace() function. This issue is a ruby 1.6.x equivalent of CVE-2008-2726.
Discussion:
Drew Yao's patch for rb_ary_splice():
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2725#c1
---
Public now, lifting embargo:
http://preview.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities
Patches appl
Bugzilla
CVE-2008-2662 [CRITICAL] ruby: Integer overflows in rb_str_buf_append()
bugzilla · 2008-06-11 · CVSS 10.0

Drew Yao of the Apple Product Security team reported an integer overflow leading to a memory mis-allocation and heap overflow in the rb_str_buf_append() function used by ruby interpreter for handling strings. This can be used to crash and possibly execute arbitrary code with the privileges of Ruby application which use untrusted input in string operations.
Acknowledgements:
Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting this issue.
Discussion:
Created attachment 308901
Drew Yao's proposed patch against ruby 1.8.5
---
Created attachment 308902
Drew Yao's proposed patch against ruby 1.9
---
Created attachment 309653
Upstream patch against 1.8.6
Upstream patch for CVE-2008-266[234], CVE
References
http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/
http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html
http://secunia.com/advisories/30802
http://secunia.com/advisories/30831
http://secunia.com/advisories/30867
http://secunia.com/advisories/30875
http://secunia.com/advisories/30894
http://secunia.com/advisories/31062
http://secunia.com/advisories/31090
http://secunia.com/advisories/31181
http://secunia.com/advisories/31256
http://secunia.com/advisories/31687
http://secunia.com/advisories/33178
http://security.gentoo.org/glsa/glsa-200812-17.xml
http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.429562
http://support.apple.com/kb/HT2163
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17460
http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206
http://www.debian.org/security/2008/dsa-1612
http://www.debian.org/security/2008/dsa-1618
http://www.mandriva.com/security/advisories?name=MDVSA-2008:140
http://www.mandriva.com/security/advisories?name=MDVSA-2008:141
http://www.mandriva.com/security/advisories?name=MDVSA-2008:142
http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/
http://www.redhat.com/archives/fedora-security-commits/2008-June/msg00005.html
http://www.redhat.com/support/errata/RHSA-2008-0561.html
http://www.ruby-forum.com/topic/157034
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/
http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html
http://www.securityfocus.com/archive/1/493688/100/0/threaded
http://www.securityfocus.com/bid/29903
http://www.securitytracker.com/id?1020347
http://www.ubuntu.com/usn/usn-621-1
http://www.vupen.com/english/advisories/2008/1907/references
http://www.vupen.com/english/advisories/2008/1981/references
http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html
https://bugs.launchpad.net/ubuntu/+source/ruby1.8/+bug/241657
https://exchange.xforce.ibmcloud.com/vulnerabilities/43351
https://issues.rpath.com/browse/RPL-2626
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9959
https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00937.html