DSA 1612-1: New ruby1.8 packages fix several vulnerabilities  

Posted by Daniela Mehler

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:
"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1612-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
July 21, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : ruby1.8
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2008-2662 CVE-2008-2663 CVE-2008-2664 CVE-2008-2725 CVE-2008-2726 CVE-2008-2376

Several vulnerabilities have been discovered in the interpreter for
the Ruby language, which may lead to denial of service or the
execution of arbitrary code. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2006-2662

Drew Yao discovered that multiple integer overflows in the string
processing code may lead to denial of service and potentially the
execution of arbitrary code.

CVE-2008-2663

Drew Yao discovered that multiple integer overflows in the string
processing code may lead to denial of service and potentially the
execution of arbitrary code.

CVE-2008-2664

Drew Yao discovered that a programming error in the string
processing code may lead to denial of service and potentially the
execution of arbitrary code.

CVE-2008-2725

Drew Yao discovered that an integer overflow in the array handling
code may lead to denial of service and potentially the execution
of arbitrary code.

CVE-2008-2726

Drew Yao discovered that an integer overflow in the array handling
code may lead to denial of service and potentially the execution
of arbitrary code.

CVE-2008-2376

It was discovered that an integer overflow in the array handling
code may lead to denial of service and potentially the execution
of arbitrary code.

For the stable distribution (etch), these problems have been fixed in
version 1.8.5-4etch2.

For the unstable distribution (sid), these problems have been fixed in
version 1.8.7.22-2.

We recommend that you upgrade your ruby1.8 packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Stable updates are available for amd64, arm, hppa, i386, ia64, mipsel, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5.orig.tar.gz
Size/MD5 checksum: 4434227 aae9676332fcdd52f66c3d99b289878f
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2.diff.gz
Size/MD5 checksum: 100878 f55f4e2a0ca298d6312a8e3c4618da0f
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2.dsc
Size/MD5 checksum: 1079 02286e0f1885c65a9d1fdad5bd933ac7

Architecture independent packages:

http://security.debian.org/pool/updates/main/r/ruby1.8/rdoc1.8_1.8.5-4etch2_all.deb
Size/MD5 checksum: 309932 0d08bd3d9b467f82df59811dcb4ffd10
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-elisp_1.8.5-4etch2_all.deb
Size/MD5 checksum: 209874 76ab42ff282540121b1ffa23b8c34208
http://security.debian.org/pool/updates/main/r/ruby1.8/irb1.8_1.8.5-4etch2_all.deb
Size/MD5 checksum: 235238 d1f242b11d00199ecedf64cac2c6ac44
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-examples_1.8.5-4etch2_all.deb
Size/MD5 checksum: 242330 11359f9774006c02ca68402b1a6c021e
http://security.debian.org/pool/updates/main/r/ruby1.8/ri1.8_1.8.5-4etch2_all.deb
Size/MD5 checksum: 1228716 cacd1dfc0b53e163adf3090175d85260

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.5-4etch2_amd64.deb
Size/MD5 checksum: 302500 42fb912eed252ddf0c0e0d1ded838375
http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.5-4etch2_amd64.deb
Size/MD5 checksum: 197696 9388576f466a8d757a261653be326a64
http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.5-4etch2_amd64.deb
Size/MD5 checksum: 198304 6dd9e7ffc83e0a343acc5d9360233724
http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.5-4etch2_amd64.deb
Size/MD5 checksum: 1584450 7bfff8f2effc86fefd21cad2ad7aefe2
http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.5-4etch2_amd64.deb
Size/MD5 checksum: 197264 34559ddb2772bd4e4b4e9438da43b012
http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.5-4etch2_amd64.deb
Size/MD5 checksum: 1068156 13587924fe8611ee3248d69615b77ff9
http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.5-4etch2_amd64.deb
Size/MD5 checksum: 1863884 c9f007e6a0388f91463d422e9f88af00
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.5-4etch2_amd64.deb
Size/MD5 checksum: 748210 55373ce2ec797ad0334761d19e21ed04
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2_amd64.deb
Size/MD5 checksum: 216876 c45424af2eff7d0894d8b45f02531ae0

arm architecture (ARM)

http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.5-4etch2_arm.deb
Size/MD5 checksum: 196940 a62011688ef13cbc74632695d8360744
http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.5-4etch2_arm.deb
Size/MD5 checksum: 197322 edf088cbecf6685fcd8455b9f787e207
http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.5-4etch2_arm.deb
Size/MD5 checksum: 1858580 7ccb22d6b10c2d2f8016c4a37488354e
http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.5-4etch2_arm.deb
Size/MD5 checksum: 1524706 458dc14e9530cf12e2c109001ee6f502
http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.5-4etch2_arm.deb
Size/MD5 checksum: 196234 0b8141526f878fb32dd041d36dfe438d
http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.5-4etch2_arm.deb
Size/MD5 checksum: 992648 fbaf16530fa84811a4f5c6ef1c3f1396
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2_arm.deb
Size/MD5 checksum: 218902 6fed18d07c5589012711dcffd2c47654
http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.5-4etch2_arm.deb
Size/MD5 checksum: 287070 e24374581f184cb912ab1c2904de4c52
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.5-4etch2_arm.deb
Size/MD5 checksum: 696944 8a4a676931c6659d266f834e32ff3473

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.5-4etch2_hppa.deb
Size/MD5 checksum: 198692 837006b2872f955dd9ec506e913e7b65
http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.5-4etch2_hppa.deb
Size/MD5 checksum: 1868624 391adcb7da667e079e38b31957639921
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2_hppa.deb
Size/MD5 checksum: 218760 9257f4fc3685c20dfea925a3b375df6c
http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.5-4etch2_hppa.deb
Size/MD5 checksum: 1041804 7617254859485b415d7abe4e44f97e20
http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.5-4etch2_hppa.deb
Size/MD5 checksum: 199398 8de28dbbcaccd932cdf4b1368de85fa3
http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.5-4etch2_hppa.deb
Size/MD5 checksum: 1675058 d4d8d05f55e84ac811a4a23379d2fccf
http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.5-4etch2_hppa.deb
Size/MD5 checksum: 315826 5ba45a9cab7c98a9863790f0ddb5e032
http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.5-4etch2_hppa.deb
Size/MD5 checksum: 199712 7eba9eec4404e39ba3a05d0ba7182aaf
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.5-4etch2_hppa.deb
Size/MD5 checksum: 823768 c5872e31690ebf1f937ae5921e09d6ee

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.5-4etch2_i386.deb
Size/MD5 checksum: 197152 cc0255b2d30f2868b3a35131baea785e
http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.5-4etch2_i386.deb
Size/MD5 checksum: 197458 23448fa802f56b0353e146dd95798b40
http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.5-4etch2_i386.deb
Size/MD5 checksum: 1529512 e554018801428fcc8a0eb270cecbe0a1
http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.5-4etch2_i386.deb
Size/MD5 checksum: 1830888 cfe09cb1dee2dc0ec663b764016c5c41
http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.5-4etch2_i386.deb
Size/MD5 checksum: 292002 669ff5d31b18e684695fcc585bbcf37d
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2_i386.deb
Size/MD5 checksum: 217452 fd84d502e12c0ed9dcb9931533bedf14
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.5-4etch2_i386.deb
Size/MD5 checksum: 719152 eb2bb629d207bdb94513224cd696133a
http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.5-4etch2_i386.deb
Size/MD5 checksum: 197870 8dda63e50264e70657c900bf0e31268a
http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.5-4etch2_i386.deb
Size/MD5 checksum: 1002688 9f9723f995389d89c8edff650cd80572

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.5-4etch2_ia64.deb
Size/MD5 checksum: 1861398 da0a8b6f595234f6362108c53d4b8527
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.5-4etch2_ia64.deb
Size/MD5 checksum: 971210 96f9b9c22c86efba9a9677ff97543ba7
http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.5-4etch2_ia64.deb
Size/MD5 checksum: 1025826 a0282c8d5148ee5530ddcb1918aa6393
http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.5-4etch2_ia64.deb
Size/MD5 checksum: 202014 60855e63b50d60c6446699ca8a9e5f9a
http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.5-4etch2_ia64.deb
Size/MD5 checksum: 1893652 99e42c9ff74db67737bc1037a668bd81
http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.5-4etch2_ia64.deb
Size/MD5 checksum: 201044 53faf98cdde5801097f06c669ef31997
http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.5-4etch2_ia64.deb
Size/MD5 checksum: 202966 d5ad616f41e4c71fcab98abc32af8425
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2_ia64.deb
Size/MD5 checksum: 218178 814d14acfbc5060ce05f5610185bacef
http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.5-4etch2_ia64.deb
Size/MD5 checksum: 330138 87b96dd77f226d1b156aa41cbd50e869

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2_mipsel.deb
Size/MD5 checksum: 217702 035d0564ca69caf6291f91b396afd933
http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.5-4etch2_mipsel.deb
Size/MD5 checksum: 1059672 ae82660099169f05b832ea65b5875f42
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.5-4etch2_mipsel.deb
Size/MD5 checksum: 792918 6daa1c239c1875477c369d662c1c7990
http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.5-4etch2_mipsel.deb
Size/MD5 checksum: 278810 b1ef2497c40951b0f55afbeb9b2b5a73
http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.5-4etch2_mipsel.deb
Size/MD5 checksum: 197272 ca8b731d68d2ef0ecab3f8d46421e390
http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.5-4etch2_mipsel.deb
Size/MD5 checksum: 1536298 72ed58d1217e07ec4ff4c536e426b112
http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.5-4etch2_mipsel.deb
Size/MD5 checksum: 197624 77f168b7b16d958921c399ec2fb2c55d
http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.5-4etch2_mipsel.deb
Size/MD5 checksum: 1829844 d73c28a07fc670c515d35e5f4cc460de
http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.5-4etch2_mipsel.deb
Size/MD5 checksum: 196686 7a50283b0c21e6c374254274587a250c

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2_s390.deb
Size/MD5 checksum: 217566 ff62230e9213127217ba40da20bc6dbb
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.5-4etch2_s390.deb
Size/MD5 checksum: 778968 84b097fa479926caef58f0cde5c6cc58
http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.5-4etch2_s390.deb
Size/MD5 checksum: 1051808 c06ced9c1c2cf67d499266ce98809448
http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.5-4etch2_s390.deb
Size/MD5 checksum: 198216 9ebd6482767e58cfc7b77778a48dc54b
http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.5-4etch2_s390.deb
Size/MD5 checksum: 304860 1609587558238fabdafff4f25fab5693
http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.5-4etch2_s390.deb
Size/MD5 checksum: 1838646 b969d38b082b4554e2a68784a872d32f
http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.5-4etch2_s390.deb
Size/MD5 checksum: 198530 6e9d131297d20789402f06b598bf31a5
http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.5-4etch2_s390.deb
Size/MD5 checksum: 199016 d365604deac86ffe016706a4d53a41f8
http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.5-4etch2_s390.deb
Size/MD5 checksum: 1617614 d136348e15e9c521e9df47c4725cae99

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.5-4etch2_sparc.deb
Size/MD5 checksum: 197476 5ad505e06bfd48a7a52d31b04282ce75
http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.5-4etch2_sparc.deb
Size/MD5 checksum: 295616 6999ddde1719965f55cb431435c77ac6
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2_sparc.deb
Size/MD5 checksum: 217478 6ffe8d27ff16d0d885bd41e8cf5356e2
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.5-4etch2_sparc.deb
Size/MD5 checksum: 740760 1a9e73da21a894b10ebdd88675340247
http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.5-4etch2_sparc.deb
Size/MD5 checksum: 197526 329124a906b7eb6ba13c30864ff59373
http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.5-4etch2_sparc.deb
Size/MD5 checksum: 1540818 b827798d6293c28046527b96b733818b
http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.5-4etch2_sparc.deb
Size/MD5 checksum: 961112 efe54a61cd55bf6f7de9417941795f29
http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.5-4etch2_sparc.deb
Size/MD5 checksum: 196756 c4741cba5f54a703cdcba0fe027a6468
http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.5-4etch2_sparc.deb
Size/MD5 checksum: 1832852 8286b329ab1bad7793d827e33bae56c2


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkiExyoACgkQXm3vHE4uylr78ACeOa2BZ0S0v6p3UdDgFfxo0nWa
jvsAoLdoZOW1Cc/IUHDwdIS5VysR9OEl
=qBFn
-----END PGP SIGNATURE-----
"


DSA 1587-1: New mtr packages fix execution of arbitrary code
DSA 1577-1: New gforge packages fix insecure temporary files
Apple ships massive Mac OS X 10.4 security upgrade

This entry was posted on 4:53 AM .