Your submission was sent successfully! Close

CVE-2016-2337

Published: 06 January 2017

Type confusion exists in _cancel_eval Ruby's TclTkIp class method. Attacker passing different type of object than String as "retval" argument can cause arbitrary code execution.

Priority

Negligible

CVSS 3 base score: 9.8

Status

Package Release Status
ruby1.8
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

ruby1.9.1
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [1.9.3.484-2ubuntu1.3])
Patches:
Upstream: https://github.com/ruby/ruby/commit/a2b8925a94a672235ca6a16e584bf09026a957ab
ruby2.0
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [2.0.0.484-1ubuntu2.4])
ruby2.3
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(2.3.1-2~16.04)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist