Security Advisory (Moderate): ruby security update

Advisory: RHSA-2008:0896-5
Type: Security Advisory
Severity: Moderate
Issued on: 2008-10-21
Last updated on: 2008-10-21
Affected Products: Red Hat Desktop (v. 3), Red Hat Enterprise Linux AS (v. 3), Red Hat Enterprise Linux ES (v. 3), Red Hat Enterprise Linux WS (v. 3)
OVAL: com.redhat.rhsa-20080896.xml
CVEs (cve.mitre.org): CVE-2008-3443, CVE-2008-3655, CVE-2008-3905

Details

Updated ruby packages that fix several security issues are now available
for Red Hat Enterprise Linux 3.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Ruby is an interpreted scripting language for quick and easy
object-oriented programming.

The Ruby DNS resolver library, resolv.rb, used predictable transaction IDs
and a fixed source port when sending DNS requests. A remote attacker could
use this flaw to spoof a malicious reply to a DNS query. (CVE-2008-3905)

A number of flaws were found in Ruby's safe-level restrictions. An attacker
could create a carefully crafted malicious script that bypasses certain
safe-level restrictions. (CVE-2008-3655)

A denial of service flaw was found in Ruby's regular expression engine. If
a Ruby script tried to process a large amount of data via a regular
expression, it could cause Ruby to enter an infinite loop and crash.
(CVE-2008-3443)

Users of ruby should upgrade to these updated packages, which contain
backported patches to resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188
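As an added check that is not part of this advisory, the Ruby script below compares the installed ruby package's version and release against the fixed build 1.6.8-13.el3 shipped by this erratum, using a simplified reimplementation of RPM's segment-wise version comparison (rpmvercmp); the `rpm -q` lines it consumes are constructed samples.

```ruby
# Added example: verify the installed ruby package is at or above the fixed
# build named in RHSA-2008:0896 (ruby-1.6.8-13.el3). Not Red Hat's own code.

FIXED_VERSION = "1.6.8"
FIXED_RELEASE = "13.el3"

# Simplified rpmvercmp: split both strings into maximal numeric/alphabetic
# segments, compare numeric segments as integers and alphabetic ones as
# strings; a numeric segment outranks an alphabetic one; on a tie the
# string with more segments is newer. (Tilde/caret handling is omitted.)
def rpmvercmp(a, b)
  return 0 if a == b
  sa = a.scan(/\d+|[a-zA-Z]+/)
  sb = b.scan(/\d+|[a-zA-Z]+/)
  sa.zip(sb).each do |x, y|
    return 1 if y.nil?                 # a has more segments than b
    xn = x =~ /\A\d+\z/
    yn = y =~ /\A\d+\z/
    return 1 if xn && !yn              # numeric beats alpha
    return -1 if !xn && yn
    c = xn ? x.to_i <=> y.to_i : x <=> y
    return c unless c.zero?
  end
  sb.length > sa.length ? -1 : 0
end

# Version is compared first; release only breaks a tie on version.
def evr_cmp(ver_a, rel_a, ver_b, rel_b)
  c = rpmvercmp(ver_a, ver_b)
  c.zero? ? rpmvercmp(rel_a, rel_b) : c
end

# Parse one line of: rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' ruby
def parse_rpm_query(line)
  name, ver, rel = line.strip.split(/\s+/, 3)
  raise ArgumentError, "unexpected rpm output: #{line.inspect}" unless rel
  [name, ver, rel]
end

# True when the queried package is the fixed build or newer.
def patched?(line)
  _name, ver, rel = parse_rpm_query(line)
  evr_cmp(ver, rel, FIXED_VERSION, FIXED_RELEASE) >= 0
end

if __FILE__ == $0
  # Constructed sample output; on a real RHEL 3 host feed in the output of
  # the rpm -q command shown above instead.
  ["ruby 1.6.8 12.el3", "ruby 1.6.8 13.el3", "ruby 1.6.8 9.el3.1"].each do |l|
    puts "#{l}: #{patched?(l) ? 'fixed' : 'needs update'}"
  end
end
```

A package-level check only shows what is installed on disk; long-running Ruby processes keep the old code loaded until they are restarted.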

Updated packages

Red Hat Desktop (v. 3)

SRPMS:
ruby-1.6.8-13.el3.src.rpm     e9c9caee90c314f8758ad857bf649cf3
Red Hat Enterprise Linux AS (v. 3)

SRPMS:
ruby-1.6.8-13.el3.src.rpm     e9c9caee90c314f8758ad857bf649cf3
Red Hat Enterprise Linux ES (v. 3)

SRPMS:
ruby-1.6.8-13.el3.src.rpm     e9c9caee90c314f8758ad857bf649cf3
Red Hat Enterprise Linux WS (v. 3)

SRPMS:
ruby-1.6.8-13.el3.src.rpm     e9c9caee90c314f8758ad857bf649cf3
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

458948 - CVE-2008-3655 ruby: multiple insufficient safe mode restrictions
459266 - CVE-2008-3443 ruby: Memory allocation failure in Ruby regex engine (remotely exploitable DoS)
461495 - CVE-2008-3905 ruby: use of predictable source port and transaction id in DNS requests done by resolv.rb module


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/