PublicDateAtUSN: 2008-06-24 PublicDate: 2008-06-24 19:41:00 UTC Candidate: CVE-2008-2663 References: http://preview.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities https://ubuntu.com/security/notices/USN-621-1 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2663 Description: Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors, a different issue than CVE-2008-2662, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change. Ubuntu-Description: Notes: Bugs: Priority: medium Discovered-by: Drew Yao Assigned-to: jdstrand CVSS: Patches_ruby1.8: upstream_ruby1.8: released (1.8.7.22-1) dapper_ruby1.8: released (1.8.4-1ubuntu1.5) feisty_ruby1.8: released (1.8.5-4ubuntu2.2) gutsy_ruby1.8: released (1.8.6.36-1ubuntu3.2) hardy_ruby1.8: released (1.8.6.111-2ubuntu1.1) intrepid_ruby1.8: not-affected (1.8.7.22-1) jaunty_ruby1.8: not-affected (1.8.7.22-1) karmic_ruby1.8: not-affected (1.8.7.22-1) lucid_ruby1.8: not-affected (1.8.7.22-1) maverick_ruby1.8: not-affected (1.8.7.22-1) natty_ruby1.8: not-affected (1.8.7.22-1) oneiric_ruby1.8: not-affected (1.8.7.22-1) devel_ruby1.8: not-affected (1.8.7.22-1) Patches_ruby1.9: upstream_ruby1.9: released (1.9.0.2-1) dapper_ruby1.9: ignored (reached end-of-life) feisty_ruby1.9: needed (reached end-of-life) gutsy_ruby1.9: needed (reached end-of-life) hardy_ruby1.9: ignored (reached end-of-life) intrepid_ruby1.9: released (1.9.0.2-1ubuntu1) jaunty_ruby1.9: released (1.9.0.2-1ubuntu1) karmic_ruby1.9: released (1.9.0.2-1ubuntu1) lucid_ruby1.9: released (1.9.0.2-1ubuntu1) maverick_ruby1.9: DNE (pulled 2010-07-27) natty_ruby1.9: DNE (pulled 2010-07-27) oneiric_ruby1.9: DNE (pulled 2010-07-27) devel_ruby1.9: DNE (pulled 2010-07-27)