Security Advisory (Critical): ruby193-ruby security update

Advisory: RHSA-2013:1763-1
Type: Security Advisory
Severity: Critical
Issued on: 2013-11-25
Last updated on: 2013-11-25
Affected Products: Red Hat Software Collections 1 for RHEL 6
CVEs (cve.mitre.org): CVE-2013-4164

Details

Updated ruby193-ruby packages that fix one security issue are now available
for Red Hat Software Collections 1.

The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Ruby is an extensible, interpreted, object-oriented scripting language with
features for processing text files and performing system management tasks.

A heap-based buffer overflow flaw was found in the way Ruby parsed floating
point numbers from their text representation. If an application using Ruby
accepted untrusted input strings and converted them to floating point
numbers, an attacker able to provide such input could cause the application
to crash or, possibly, execute arbitrary code with the privileges of the
application. Any code path that turns text of unknown origin into a Float is
exposed, including reading numeric values out of untrusted JSON.
(CVE-2013-4164)
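The pattern the paragraph above describes, as an added example that is not code from the advisory or from Ruby itself: a conversion that hands untrusted text straight to the interpreter's float parser, next to a guard that bounds and validates the text before converting. The function and constant names are this example's own. The guard is defence in depth for code that has to keep running on an interpreter that is not yet patched; it does not replace the update.

```ruby
# Added example, not code from the advisory or from Ruby: the input pattern
# CVE-2013-4164 targets, beside a defence-in-depth guard for it. The names
# (parse_amount_*, MAX_FLOAT_LITERAL_LEN, FLOAT_LITERAL) are assumptions.

# Upper bound on any numeric literal a legitimate request should carry.
# Assumption: tune per field; what matters is that the attacker no longer
# chooses how long a string the interpreter's float parser has to handle.
MAX_FLOAT_LITERAL_LEN = 64

# Plain decimal literal: optional sign, digits, optional fraction, optional
# short exponent. No hex floats, no underscores, no surrounding whitespace.
FLOAT_LITERAL = /\A[-+]?(?:\d+(?:\.\d+)?|\.\d+)(?:[eE][-+]?\d{1,3})?\z/

# Vulnerable shape: attacker-controlled text goes straight to the interpreter's
# float parser. Kernel#Float and String#to_f both end up in the same C code.
def parse_amount_unchecked(str)
  Float(str)
end

# Hardened shape: check type, length and syntax before converting, so only a
# short, well-formed literal ever reaches the parser. Returns nil on rejection
# (and for non-finite results such as "1e400") instead of raising, so a caller
# cannot forget to rescue ArgumentError.
def parse_amount_checked(str)
  return nil unless str.is_a?(String)
  return nil if str.bytesize > MAX_FLOAT_LITERAL_LEN
  return nil unless str =~ FLOAT_LITERAL
  value = Float(str)
  value.finite? ? value : nil
end

# Constructed inputs: a normal amount and an attacker-shaped one, a digit run
# far longer than any real amount. Shows what each path does with them.
def demo
  long_digits = "1" * 2000
  {
    normal_checked:   parse_amount_checked("12.50"),      # 12.5
    long_checked:     parse_amount_checked(long_digits),  # nil, never parsed
    junk_checked:     parse_amount_checked("12.5abc"),    # nil
    normal_unchecked: parse_amount_unchecked("12.50")     # 12.5
  }
end

if __FILE__ == $0
  demo.each { |name, value| puts "#{name}: #{value.inspect}" }
end
```

Note that `"12.5abc".to_f` silently returns 12.5 while `Float("12.5abc")` raises; neither behaviour is a substitute for the length and syntax check, which is what keeps attacker-chosen strings away from the parser.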

All ruby193-ruby users are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue. Because the fix is
backported rather than a rebase, the interpreter still reports itself as
1.9.3-p448; confirm the fix through the package release (40.1.el6 or later)
or the package changelog, not through RUBY_PATCHLEVEL.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

Red Hat Software Collections 1 for RHEL 6

SRPMS:
ruby193-ruby-1.9.3.448-40.1.el6.src.rpm
File outdated by:  RHSA-2014:1913
    MD5: d86952d9250c56b8268eedb18d6319be
SHA-256: 7b3e951d58225c7ccd26d19969e7b0a9a21462d8336ce6ac0b42e25458abbdc4
 
x86_64:
ruby193-ruby-1.9.3.448-40.1.el6.x86_64.rpm
File outdated by:  RHBA-2014:0619
    MD5: de58044ee00cfd0861d06354fc6336da
SHA-256: f938ea64d932262df0d684e50aa3293fd0faef4631c8099b98e29b605d95b895
ruby193-ruby-debuginfo-1.9.3.448-40.1.el6.x86_64.rpm
File outdated by:  RHBA-2014:0619
    MD5: 4f7c4ffa0b793979d39f0cea4544ea0a
SHA-256: 4edf30107e5af4cc13b763e27ab21495dde793646cb8d97552d68d45d7648a73
ruby193-ruby-devel-1.9.3.448-40.1.el6.x86_64.rpm
File outdated by:  RHBA-2014:0619
    MD5: 9b7b0ac70d8c20a608cee1d55c940208
SHA-256: ca93a2ccd6a271ebb4588e6d45943f574896daaf3a5fe22dc9a6776859a5356a
ruby193-ruby-doc-1.9.3.448-40.1.el6.x86_64.rpm
File outdated by:  RHBA-2014:0619
    MD5: d1c04b9de6d027468112ff7fc799cb10
SHA-256: 10d83ec200263084a2137b22ae6614fd24921d7b68dce90b0b68c0b069083e7c
ruby193-ruby-irb-1.9.3.448-40.1.el6.noarch.rpm
File outdated by:  RHBA-2014:0619
    MD5: 52234609fb10065e357d9ef992f4bdd6
SHA-256: 6b0c7ac9cd2fd4a18e5296f93abbe0536b77aefe715bc1ee53981fa21e0e851f
ruby193-ruby-libs-1.9.3.448-40.1.el6.x86_64.rpm
File outdated by:  RHBA-2014:0619
    MD5: 57e4e2be633975347953f035e93cae80
SHA-256: 5e211abd18121bfd02b03822c5f4d405aeb5b3d35e8d7df1b0830043171fbc73
ruby193-ruby-tcltk-1.9.3.448-40.1.el6.x86_64.rpm
File outdated by:  RHBA-2014:0619
    MD5: 00376ad59a6822bb03c558d1c01b33dc
SHA-256: 21af1c2ee8aa8256927eb987590b9b4d50e413d0db6b4c428e3924b389b3d464
ruby193-rubygem-bigdecimal-1.1.0-40.1.el6.x86_64.rpm
File outdated by:  RHBA-2014:0619
    MD5: c566ba53995e59cc736c1f69d100ac96
SHA-256: 7790f6b672765b289c6d36bf38abf6b09b3fe00bc05b6b5d05184ca371b76c0d
ruby193-rubygem-io-console-0.3-40.1.el6.x86_64.rpm
File outdated by:  RHBA-2014:0619
    MD5: c99d496b07b3daf3048998babb595474
SHA-256: 87a0276bdd7ff1e05f3a6349369a836cb19fac67d69c4afab5fd100bc0fd7270
ruby193-rubygem-json-1.5.5-40.1.el6.x86_64.rpm
File outdated by:  RHBA-2014:0619
    MD5: 5384387cd8d0573811d4095da87da36f
SHA-256: 968d3d6a781e0a971b891a153a928d085724491ca6fdbd48eb4aae49be7c391e
ruby193-rubygem-minitest-2.5.1-40.1.el6.noarch.rpm
File outdated by:  RHBA-2014:0619
    MD5: 6c476ceefc4bb1c76936ef3f99d44ec8
SHA-256: e8cfc79954df4a551771f601c3944a3a79f6c2f491eff881942d2168c6553749
ruby193-rubygem-rake-0.9.2.2-40.1.el6.noarch.rpm
File outdated by:  RHBA-2014:0619
    MD5: a89288509e524b7be051aa1a12a80aa2
SHA-256: 0f4904ec95905ab20b30add04a957cc1862cab7bac106ad97a85969b466f9388
ruby193-rubygem-rdoc-3.9.5-40.1.el6.x86_64.rpm
File outdated by:  RHBA-2014:0619
    MD5: 4671f62b6e22805715666812f13326de
SHA-256: f8ffa09febd9490c73516a64f8a6af54f8a9ee5a1fc5a4f10648e709f762f143
ruby193-rubygems-1.8.23-40.1.el6.noarch.rpm
File outdated by:  RHBA-2014:0619
    MD5: 030185bd8b3c3cd6f84e5982e500d6cc
SHA-256: 7b25b3af1a41d7f94ff1056e245d1c18df90323a80f7f507c9894a9bf2b5b445
ruby193-rubygems-devel-1.8.23-40.1.el6.noarch.rpm
File outdated by:  RHBA-2014:0619
    MD5: 50faacdfe5bfa4a9cf780324b5ce996e
SHA-256: a0bc37555ccf72b8055b14d55e714941673fa5ac1333dd0329baffb5afcc005b
 
(The unlinked packages above are only available from the Red Hat Network)
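Added here as an example of how to confirm that the update described in the Solution section is actually in place and that a downloaded package matches the list above; it is not Red Hat's tooling. The functions are this example's own, it assumes the package carries no epoch (so version-release alone identifies the build), and its version comparison is a simplified form of rpm's.

```ruby
# Added example, not Red Hat tooling: checks to run after applying this
# advisory. The functions are this example's own; it assumes the package
# carries no epoch, so version-release alone identifies the build.
require 'digest'
require 'open3'

FIXED_EVR = "1.9.3.448-40.1.el6"   # version-release from the package list
CVE_ID    = "CVE-2013-4164"

# Simplified rpmvercmp: split both strings into digit runs and letter runs,
# compare digit runs numerically and letter runs lexically; a digit run
# outranks a letter run in the same position. Assumption: the tilde and
# caret rules of newer rpm releases are left out.
def rpm_vercmp(a, b)
  sa = a.scan(/\d+|[A-Za-z]+/)
  sb = b.scan(/\d+|[A-Za-z]+/)
  until sa.empty? || sb.empty?
    x = sa.shift
    y = sb.shift
    x_digit = x =~ /\A\d/
    y_digit = y =~ /\A\d/
    return  1 if x_digit && !y_digit
    return -1 if y_digit && !x_digit
    c = x_digit ? (x.to_i <=> y.to_i) : (x <=> y)
    return c unless c == 0
  end
  sa.size <=> sb.size
end

# "1.9.3.448-40.1.el6" -> ["1.9.3.448", "40.1.el6"]
def split_evr(evr)
  version, release = evr.strip.split("-", 2)
  [version, release || ""]
end

# True when the installed version-release is at or beyond the fixed one.
# The fix is backported, so the upstream patch level stays p448 and
# RUBY_PATCHLEVEL cannot tell a fixed build from an unfixed one; the
# package release is the signal.
def fix_installed?(installed_evr, fixed_evr = FIXED_EVR)
  iv, ir = split_evr(installed_evr)
  fv, fr = split_evr(fixed_evr)
  c = rpm_vercmp(iv, fv)
  c = rpm_vercmp(ir, fr) if c == 0
  c >= 0
end

# Integrity of a downloaded rpm against the SHA-256 in the package list.
# The list shows MD5 too, but MD5 is not collision resistant; and a hash on
# a web page proves only integrity. Authenticity comes from the GPG
# signature (rpm -K file.rpm with the Red Hat key imported).
def sha256_matches?(path, expected_hex)
  Digest::SHA256.file(path).hexdigest == expected_hex.strip.downcase
end

# Second opinion that needs no version arithmetic: Red Hat's changelog entry
# for a backported CVE fix normally names the CVE.
def changelog_mentions?(changelog_text, cve = CVE_ID)
  changelog_text.include?(cve)
end

if __FILE__ == $0
  begin
    evr, st = Open3.capture2("rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "ruby193-ruby")
    if st.success?
      log, = Open3.capture2("rpm", "-q", "--changelog", "ruby193-ruby")
      puts "ruby193-ruby #{evr}: #{fix_installed?(evr) ? 'at or past' : 'BELOW'} #{FIXED_EVR}; " \
           "changelog #{changelog_mentions?(log) ? 'names' : 'does not name'} #{CVE_ID}"
    else
      puts "ruby193-ruby is not installed here"
    end
  rescue SystemCallError
    puts "rpm is not available here; pass captured output to the functions above"
  end
end
```

Run it on the host after the update; if rpm is not available where the script runs, feed the functions the output of `rpm -q --qf '%{VERSION}-%{RELEASE}' ruby193-ruby` and `rpm -q --changelog ruby193-ruby` captured elsewhere.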

Bugs fixed (see bugzilla for more information)

1033460 - CVE-2013-4164 ruby: heap overflow in floating point parsing


References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/