Vulnerabilidad en función rb_str_buf_append de Ruby (CVE-2008-2662)
Gravedad CVSS v2.0:
ALTA
Tipo:
CWE-189
Errores numéricos
Fecha de publicación:
24/06/2008
Última modificación:
09/04/2025
Descripción
Múltiples desbordamientos de entero en la función rb_str_buf_append de Ruby 1.8.4 y anteriores, 1.8.5 antes de 1.8.5-p231, 1.8.6 anterior a 1.8.6-p230, 1.8.7 anterior a 1.8.7-p22 y 1.9.0 antes de 1.9.0-2 permite a atacantes dependientes del contexto ejecutar código de su elección o provocar una denegación de servicio mediante vectores desconocidos que disparan una corrupción de memoria, un problema distinto a CVE-2008-2663, CVE-2008-2664 y CVE-2008-2725. NOTA: a fecha de 24-06-2008, ha habido un uso inconsistente de múltiples identificadores CVE relacionados con Ruby. Esta descripción CVE debe ser tomada como autorizado, aunque probablemente cambie.
Impacto
Puntuación base 2.0
10.00
Gravedad 2.0
ALTA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:* | 1.8.4 (incluyendo) | |
| cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:* | 1.8.5 (excluyendo) | 1.8.5.231 (excluyendo) |
| cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:* | 1.8.6 (incluyendo) | 1.8.6.230 (excluyendo) |
| cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:* | 1.8.7 (incluyendo) | 1.8.7.22 (excluyendo) |
| cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:* | 1.9.0 (incluyendo) | 1.9.0.2 (excluyendo) |
| cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:lts:*:*:* | ||
| cpe:2.3:o:canonical:ubuntu_linux:7.04:*:*:*:*:*:*:* | ||
| cpe:2.3:o:canonical:ubuntu_linux:7.10:*:*:*:*:*:*:* | ||
| cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:lts:*:*:* |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/
- http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html
- http://secunia.com/advisories/30802
- http://secunia.com/advisories/30831
- http://secunia.com/advisories/30867
- http://secunia.com/advisories/30875
- http://secunia.com/advisories/30894
- http://secunia.com/advisories/31062
- http://secunia.com/advisories/31181
- http://secunia.com/advisories/31256
- http://secunia.com/advisories/31687
- http://secunia.com/advisories/33178
- http://security.gentoo.org/glsa/glsa-200812-17.xml
- http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.429562
- http://support.apple.com/kb/HT2163
- http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities
- http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206
- http://www.debian.org/security/2008/dsa-1612
- http://www.debian.org/security/2008/dsa-1618
- http://www.mandriva.com/security/advisories?name=MDVSA-2008%3A140
- http://www.mandriva.com/security/advisories?name=MDVSA-2008%3A141
- http://www.mandriva.com/security/advisories?name=MDVSA-2008%3A142
- http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/
- http://www.redhat.com/support/errata/RHSA-2008-0561.html
- http://www.ruby-forum.com/topic/157034
- http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/
- http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html
- http://www.securityfocus.com/archive/1/493688/100/0/threaded
- http://www.securityfocus.com/bid/29903
- http://www.securitytracker.com/id?1020347=
- http://www.ubuntu.com/usn/usn-621-1
- http://www.vupen.com/english/advisories/2008/1907/references
- http://www.vupen.com/english/advisories/2008/1981/references
- http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/43345
- https://issues.rpath.com/browse/RPL-2626
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11601
- https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00937.html
- http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/
- http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html
- http://secunia.com/advisories/30802
- http://secunia.com/advisories/30831
- http://secunia.com/advisories/30867
- http://secunia.com/advisories/30875
- http://secunia.com/advisories/30894
- http://secunia.com/advisories/31062
- http://secunia.com/advisories/31181
- http://secunia.com/advisories/31256
- http://secunia.com/advisories/31687
- http://secunia.com/advisories/33178
- http://security.gentoo.org/glsa/glsa-200812-17.xml
- http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.429562
- http://support.apple.com/kb/HT2163
- http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities
- http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206
- http://www.debian.org/security/2008/dsa-1612
- http://www.debian.org/security/2008/dsa-1618
- http://www.mandriva.com/security/advisories?name=MDVSA-2008%3A140
- http://www.mandriva.com/security/advisories?name=MDVSA-2008%3A141
- http://www.mandriva.com/security/advisories?name=MDVSA-2008%3A142
- http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/
- http://www.redhat.com/support/errata/RHSA-2008-0561.html
- http://www.ruby-forum.com/topic/157034
- http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/
- http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html
- http://www.securityfocus.com/archive/1/493688/100/0/threaded
- http://www.securityfocus.com/bid/29903
- http://www.securitytracker.com/id?1020347=
- http://www.ubuntu.com/usn/usn-621-1
- http://www.vupen.com/english/advisories/2008/1907/references
- http://www.vupen.com/english/advisories/2008/1981/references
- http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/43345
- https://issues.rpath.com/browse/RPL-2626
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11601
- https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00937.html