CVE-2008-2376

Published: 08 July 2008

Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. NOTE: this issue exists because of an incomplete fix for other closely related integer overflows.

Priority

Low

Status

Package Release Status
ruby1.8
Launchpad, Ubuntu, Debian
Upstream
Released (1.8.7.72-1)
Patches:
Debdiff: http://launchpad.net/bugs/246818
ruby1.9
Launchpad, Ubuntu, Debian
Upstream
Released (1.9.0.2-7)

Notes

AuthorNote
jdstrand
from oss-security, need to make sure that the following patches:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13397
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17688
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17756
believed to not be as severe due to input code path

References

Bugs