CVE编号
CVE-2008-2725利用情况
暂无补丁情况
临时补丁披露时间
2008-06-25漏洞描述
(1)Ruby 1.8.4及更早版本,1.8.5-p231之前的1.8.5,1.8.6-p230之前的1.8.6和1.8.7-p22之前的1.8.7中的rb_ary_splice函数, (2)1.6.x中的rb_ary_replace函数中的整数溢出允许依赖于上下文的攻击者通过未指定的向量触发内存损坏,也就是“REALLOC_N”变体,这是与CVE-2008-2662,CVE-2008-2663和 CVE-2008-2664不同的问题。注意:从20080624开始,与Ruby相关的多个CVE标识符的使用不一致。 CVE描述应被视为具有权威性,尽管它可能会发生变化。解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接 |
|
---|---|
http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterp... | |
http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html | |
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html | |
http://secunia.com/advisories/30802 | |
http://secunia.com/advisories/30831 | |
http://secunia.com/advisories/30867 | |
http://secunia.com/advisories/30875 | |
http://secunia.com/advisories/30894 | |
http://secunia.com/advisories/31062 | |
http://secunia.com/advisories/31090 | |
http://secunia.com/advisories/31181 | |
http://secunia.com/advisories/31256 | |
http://secunia.com/advisories/31687 | |
http://secunia.com/advisories/33178 | |
http://security.gentoo.org/glsa/glsa-200812-17.xml | |
http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackw... | |
http://support.apple.com/kb/HT2163 | |
http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities | |
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206 | |
http://www.debian.org/security/2008/dsa-1612 | |
http://www.debian.org/security/2008/dsa-1618 | |
http://www.mandriva.com/security/advisories?name=MDVSA-2008:140 | |
http://www.mandriva.com/security/advisories?name=MDVSA-2008:141 | |
http://www.mandriva.com/security/advisories?name=MDVSA-2008:142 | |
http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/ | |
http://www.redhat.com/archives/fedora-security-commits/2008-June/msg00005.html | |
http://www.redhat.com/support/errata/RHSA-2008-0561.html | |
http://www.ruby-forum.com/topic/157034 | |
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/ | |
http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html | |
http://www.securityfocus.com/archive/1/493688/100/0/threaded | |
http://www.securityfocus.com/bid/29903 | |
http://www.securitytracker.com/id?1020347 | |
http://www.ubuntu.com/usn/usn-621-1 | |
http://www.vupen.com/english/advisories/2008/1907/references | |
http://www.vupen.com/english/advisories/2008/1981/references | |
http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html | |
https://bugs.launchpad.net/ubuntu/+source/ruby1.8/+bug/241657 | |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2727 | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/43350 | |
https://issues.rpath.com/browse/RPL-2626 | |
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova... | |
https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00937.html |
受影响软件情况
# | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
1 | |||||||||
---|---|---|---|---|---|---|---|---|---|
运行在以下环境 | |||||||||
应用 | ruby-lang | ruby | * |
Up to (including) 1.8.4 |
|||||
运行在以下环境 | |||||||||
应用 | ruby-lang | ruby | * |
From (including) 1.8.5 |
Up to (excluding) 1.8.5.231 |
||||
运行在以下环境 | |||||||||
应用 | ruby-lang | ruby | * |
From (including) 1.8.6 |
Up to (excluding) 1.8.6.230 |
||||
运行在以下环境 | |||||||||
应用 | ruby-lang | ruby | * |
From (including) 1.8.7 |
Up to (excluding) 1.8.7.22 |
||||
运行在以下环境 | |||||||||
系统 | centos_5 | ruby | * |
Up to (excluding) 1.8.5-5.el5_2.3.i386.rpm |
|||||
运行在以下环境 | |||||||||
系统 | centos_5 | ruby-devel | * |
Up to (excluding) 1.8.5-5.el5_2.3.i386.rpm |
|||||
运行在以下环境 | |||||||||
系统 | centos_5 | ruby-docs | * |
Up to (excluding) 1.8.5-5.el5_2.3.i386.rpm |
|||||
运行在以下环境 | |||||||||
系统 | centos_5 | ruby-irb | * |
Up to (excluding) 1.8.5-5.el5_2.3.i386.rpm |
|||||
运行在以下环境 | |||||||||
系统 | centos_5 | ruby-libs | * |
Up to (excluding) 1.8.5-5.el5_2.3.i386.rpm |
|||||
运行在以下环境 | |||||||||
系统 | centos_5 | ruby-mode | * |
Up to (excluding) 1.8.5-5.el5_2.3.i386.rpm |
|||||
运行在以下环境 | |||||||||
系统 | centos_5 | ruby-rdoc | * |
Up to (excluding) 1.8.5-5.el5_2.3.i386.rpm |
|||||
运行在以下环境 | |||||||||
系统 | centos_5 | ruby-ri | * |
Up to (excluding) 1.8.5-5.el5_2.3.i386.rpm |
|||||
运行在以下环境 | |||||||||
系统 | centos_5 | ruby-tcltk | * |
Up to (excluding) 1.8.5-5.el5_2.3.i386.rpm |
|||||
运行在以下环境 | |||||||||
系统 | oracle_5 | ruby | * |
Up to (excluding) 1.8.5-5.el5_2.3 |
|||||
运行在以下环境 | |||||||||
系统 | oracle_5 | ruby-devel | * |
Up to (excluding) 1.8.5-5.el5_2.3 |
|||||
运行在以下环境 | |||||||||
系统 | oracle_5 | ruby-docs | * |
Up to (excluding) 1.8.5-5.el5_2.3 |
|||||
运行在以下环境 | |||||||||
系统 | oracle_5 | ruby-irb | * |
Up to (excluding) 1.8.5-5.el5_2.3 |
|||||
运行在以下环境 | |||||||||
系统 | oracle_5 | ruby-libs | * |
Up to (excluding) 1.8.5-5.el5_2.3 |
|||||
运行在以下环境 | |||||||||
系统 | oracle_5 | ruby-mode | * |
Up to (excluding) 1.8.5-5.el5_2.3 |
|||||
运行在以下环境 | |||||||||
系统 | oracle_5 | ruby-rdoc | * |
Up to (excluding) 1.8.5-5.el5_2.3 |
|||||
运行在以下环境 | |||||||||
系统 | oracle_5 | ruby-ri | * |
Up to (excluding) 1.8.5-5.el5_2.3 |
|||||
运行在以下环境 | |||||||||
系统 | oracle_5 | ruby-tcltk | * |
Up to (excluding) 1.8.5-5.el5_2.3 |
|||||
- 攻击路径 本地
- 攻击复杂度 复杂
- 权限要求 无需权限
- 影响范围 全局影响
- EXP成熟度 未验证
- 补丁情况 临时补丁
- 数据保密性 无影响
- 数据完整性 无影响
- 服务器危害 N/A
- 全网数量 N/A
还没有评论,来说两句吧...