PT-2008-4169 · Ruby Lang+3 · Ruby+11

Drew Yao

Published

2008-06-24

Updated

2018-11-01

CVE-2008-2725

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:C

Integer overflow in the (1) rb ary splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22; and (2) the rb ary replace function in 1.6.x allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the "REALLOC N" variant, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2664. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-189

Related Identifiers

CVE-2008-2725

DSA-1612-1

DSA-1618-1

RHSA-2008:0561

RHSA-2008:0562

RHSA-2008_0561

RHSA-2026:7305

RHSA-2026:7307

RHSA-2026:8838

Affected Products

Ruby

Debian

Irb

Ruby-Devel

Ruby-Docs

Ruby-Irb

Ruby-Libs

Ruby-Mode

Ruby-Rdoc

Ruby-Ri

Ruby-Tcltk

Ubuntu

PT-2008-4169 · Ruby Lang+3 · Ruby+11

CVE-2008-2725

Weakness Enumeration

Related Identifiers

Affected Products

References · 44