CVE-2013-4164

Published: 22 November 2013

Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a string that is converted to a floating point value, as demonstrated using (1) the to_f method or (2) JSON.parse.

Priority

Medium

Status

Package Release Status
ruby1.8
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

ruby1.9
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

ruby1.9.1
Launchpad, Ubuntu, Debian
Upstream Released (1.9.3.484)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [1.9.3.448-1ubuntu2])
Patches:
Upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43776
Upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43782
ruby2.0
Launchpad, Ubuntu, Debian
Upstream Released (2.0.0.353)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [2.0.0.343-1ubuntu1])
Patches:
Upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43778
Upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43783