ID CVE-2008-2376
Summary Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. NOTE: this issue exists because of an incomplete fix for other closely related integer overflows.
References
Vulnerable Configurations
  • cpe:2.3:o:redhat:fedora_8:1.8.6.230:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:fedora_8:1.8.6.230:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.6.230:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.6.230:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 13-02-2023 - 02:19)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
oval via4
accepted 2013-04-29T04:22:51.987-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. NOTE: this issue exists because of an incomplete fix for other closely related integer overflows.
family unix
id oval:org.mitre.oval:def:9863
status accepted
submitted 2010-07-09T03:56:16-04:00
title Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. NOTE: this issue exists because of an incomplete fix for other closely related integer overflows.
version 30
redhat via4
advisories
rhsa
id RHSA-2008:0561
rpms
  • irb-0:1.8.1-7.el4_6.1
  • ruby-0:1.8.1-7.el4_6.1
  • ruby-0:1.8.5-5.el5_2.3
  • ruby-debuginfo-0:1.8.1-7.el4_6.1
  • ruby-debuginfo-0:1.8.5-5.el5_2.3
  • ruby-devel-0:1.8.1-7.el4_6.1
  • ruby-devel-0:1.8.5-5.el5_2.3
  • ruby-docs-0:1.8.1-7.el4_6.1
  • ruby-docs-0:1.8.5-5.el5_2.3
  • ruby-irb-0:1.8.5-5.el5_2.3
  • ruby-libs-0:1.8.1-7.el4_6.1
  • ruby-libs-0:1.8.5-5.el5_2.3
  • ruby-mode-0:1.8.1-7.el4_6.1
  • ruby-mode-0:1.8.5-5.el5_2.3
  • ruby-rdoc-0:1.8.5-5.el5_2.3
  • ruby-ri-0:1.8.5-5.el5_2.3
  • ruby-tcltk-0:1.8.1-7.el4_6.1
  • ruby-tcltk-0:1.8.5-5.el5_2.3
  • irb-0:1.6.4-6.el2
  • irb-0:1.6.8-12.el3
  • ruby-0:1.6.4-6.el2
  • ruby-0:1.6.8-12.el3
  • ruby-debuginfo-0:1.6.8-12.el3
  • ruby-devel-0:1.6.4-6.el2
  • ruby-devel-0:1.6.8-12.el3
  • ruby-docs-0:1.6.4-6.el2
  • ruby-docs-0:1.6.8-12.el3
  • ruby-libs-0:1.6.4-6.el2
  • ruby-libs-0:1.6.8-12.el3
  • ruby-mode-0:1.6.8-12.el3
  • ruby-tcltk-0:1.6.4-6.el2
  • ruby-tcltk-0:1.6.8-12.el3
refmap via4
apple APPLE-SA-2008-09-15
bugtraq 20080708 rPSA-2008-0218-1 ruby
cert TA08-260A
confirm
debian
  • DSA-1612
  • DSA-1618
fedora
  • FEDORA-2008-6033
  • FEDORA-2008-6094
gentoo GLSA-200812-17
mandriva
  • MDVSA-2008:140
  • MDVSA-2008:141
  • MDVSA-2008:142
mlist [oss-security] 20080702 More ruby integer overflows (rb_ary_fill / Array#fill)
secunia
  • 30927
  • 31006
  • 31062
  • 31090
  • 31181
  • 31256
  • 32219
  • 33178
ubuntu USN-651-1
vupen ADV-2008-2584
Last major update 13-02-2023 - 02:19
Published 09-07-2008 - 00:41
Last modified 13-02-2023 - 02:19
Back to Top