DoS vulnerability in BigDecimal Ruby Library
Bug #385436, reported by Charl Matthee. This bug affects 3 people.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ruby1.8 (Debian) | Fix Released | Unknown | |
ruby1.8 (Ubuntu) | Fix Released | Medium | Unassigned |
Bug Description
A denial of service (DoS) vulnerability was found in the BigDecimal standard library of Ruby. The conversion of BigDecimal objects into Float numbers had a defect that allowed attackers to cause segmentation faults.
Refer to the following URLs for complete information:
http://
http://
Affected 1.8 series
* 1.8.6-p368 and all prior versions
* 1.8.7-p160 and all prior versions
No 1.9.1 version is affected by this issue.
Activity log:

* affects: ubuntu → ruby1.8 (Ubuntu)
* visibility: private → public
* Changed in ruby1.8 (Ubuntu): importance: Undecided → Medium
* Changed in ruby1.8 (Ubuntu): status: New → Confirmed
* Changed in ruby1.8 (Debian): status: Unknown → New
* Changed in ruby1.8 (Debian): status: New → Fix Released
Is importance Medium enough? Quote from the Rails blog: "This could be used by an attacker to crash any ruby program which creates BigDecimal objects based on user input, including almost every Rails application." Sounds fairly critical to me...