CVE-2009-1904
Published: 11 June 2009
The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type.
Notes
Author | Note |
---|---|
mdeslaur | PoC here: http://github.com/NZKoz/bigdecimal-segfault-fix/tree/master PoC here: http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/ best PoC here: http://redmine.ruby-lang.org/issues/show/794 backporting patch may introduce regression, see RH bug |
Priority
Status
Package | Release | Status |
---|---|---|
ruby1.8 (Launchpad, Ubuntu, Debian) | dapper | Released (1.8.4-1ubuntu1.7) |
ruby1.8 (Launchpad, Ubuntu, Debian) | hardy | Released (1.8.6.111-2ubuntu1.3) |
ruby1.8 (Launchpad, Ubuntu, Debian) | intrepid | Released (1.8.7.72-1ubuntu0.2) |
ruby1.8 (Launchpad, Ubuntu, Debian) | jaunty | Released (1.8.7.72-3ubuntu0.1) |
ruby1.8 (Launchpad, Ubuntu, Debian) | karmic | Not vulnerable (1.8.7.174-1) |
ruby1.8 (Launchpad, Ubuntu, Debian) | lucid | Not vulnerable (1.8.7.174-1) |
ruby1.8 (Launchpad, Ubuntu, Debian) | maverick | Not vulnerable (1.8.7.174-1) |
ruby1.8 (Launchpad, Ubuntu, Debian) | natty | Not vulnerable (1.8.7.174-1) |
ruby1.8 (Launchpad, Ubuntu, Debian) | oneiric | Not vulnerable (1.8.7.174-1) |
ruby1.8 (Launchpad, Ubuntu, Debian) | upstream | Released (1.8.7.173-1) |

Patches (ruby1.8):
- upstream: http://github.com/NZKoz/bigdecimal-segfault-fix/tree/master (workaround?)
- upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=23652 (1.8.6)
- upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=23645 (1.8.7)
- upstream: http://github.com/rubyspec/rubyspec/commit/95c0abbe07bf350f83d2454eb080b0bd315d59d4 (test)
- upstream: http://github.com/rubyspec/rubyspec/commit/0fb6052d48eeb72c6f2d2239bba999038cad3d69 (test)

Package | Release | Status |
---|---|---|
ruby1.9 (Launchpad, Ubuntu, Debian) | dapper | Ignored (end of life) |
ruby1.9 (Launchpad, Ubuntu, Debian) | hardy | Ignored (end of life) |
ruby1.9 (Launchpad, Ubuntu, Debian) | intrepid | Released (1.9.0.2-7ubuntu1.2) |
ruby1.9 (Launchpad, Ubuntu, Debian) | jaunty | Released (1.9.0.2-9ubuntu1.1) |
ruby1.9 (Launchpad, Ubuntu, Debian) | karmic | Released (1.9.0.5-1ubuntu1.2) |
ruby1.9 (Launchpad, Ubuntu, Debian) | lucid | Released (1.9.0.5-1ubuntu2) |
ruby1.9 (Launchpad, Ubuntu, Debian) | maverick | Does not exist (pulled 2010-07-27) |
ruby1.9 (Launchpad, Ubuntu, Debian) | natty | Does not exist (pulled 2010-07-27) |
ruby1.9 (Launchpad, Ubuntu, Debian) | oneiric | Does not exist (pulled 2010-07-27) |
ruby1.9 (Launchpad, Ubuntu, Debian) | upstream | Needs triage |

Patches (ruby1.9):
- upstream: http://redmine.ruby-lang.org/repositories/revision/ruby-19?rev=20359
- upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=20359
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1904
- http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/
- https://ubuntu.com/security/notices/USN-805-1
- https://ubuntu.com/security/notices/USN-900-1
- NVD
- Launchpad
- Debian
Bugs
- https://bugs.launchpad.net/bugs/385436
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532689
- http://redmine.ruby-lang.org/issues/show/794
- http://redmine.ruby-lang.org/issues/show/1589
- http://bugs.gentoo.org/show_bug.cgi?id=273213
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1904
- https://bugzilla.redhat.com/show_bug.cgi?id=510277 (regression)
- https://bugzilla.redhat.com/show_bug.cgi?id=510278 (regression)