DoS vulnerability in BigDecimal Ruby Library

Bug #385436 reported by Charl Matthee on 2009-06-10
Affects           Status        Importance  Assigned to  Milestone
ruby1.8 (Debian)  Fix Released  Unknown
ruby1.8 (Ubuntu)                Medium      Unassigned

Bug Description

A denial of service (DoS) vulnerability was found in the BigDecimal standard library of Ruby. Conversion from BigDecimal objects into Float numbers had a problem which enables attackers to effectively cause segmentation faults.

Refer to the following URLs for complete information:

http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/
http://weblog.rubyonrails.org/2009/6/10/dos-vulnerability-in-ruby

Affected 1.8 series
    * 1.8.6-p368 and all prior versions
    * 1.8.7-p160 and all prior versions

No 1.9.1 versions are affected by this issue.
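The kind of input gating an application can place in front of user-supplied decimals so that oversized strings never reach BigDecimal and its Float conversion; this is an added example, not code from the bug report, from Ruby's bigdecimal.c fix, or from any project named on the page. The length and exponent limits, the helper names and the UnsafeDecimalInput error class are assumptions chosen for illustration.

```ruby
# Added example (not from the bug report): bound the shape and size of
# untrusted decimal strings before they are handed to BigDecimal#to_f.
require 'bigdecimal'

MAX_INPUT_LENGTH = 64    # assumed cap on the raw user string
MAX_ABS_EXPONENT = 308   # assumed policy, roughly the Float range (1e308)
DECIMAL_RE = /\A[+-]?(\d+)(?:\.(\d+))?(?:[eE]([+-]?\d+))?\z/

class UnsafeDecimalInput < ArgumentError; end

# Parse a decimal string from an untrusted source and return it as a Float,
# refusing anything outside a conservative length/magnitude policy.
def safe_decimal_to_float(input)
  s = input.to_s.strip
  raise UnsafeDecimalInput, "input too long" if s.length > MAX_INPUT_LENGTH

  m = DECIMAL_RE.match(s)
  raise UnsafeDecimalInput, "not a plain decimal literal" unless m

  int_part, exp_part = m[1], m[3]
  # Effective base-10 exponent: the explicit exponent plus the number of
  # significant digits left of the decimal point, minus one.
  significant = int_part.sub(/\A0+(?=\d)/, "")
  effective_exp = exp_part.to_i + significant.length - 1
  if effective_exp.abs > MAX_ABS_EXPONENT
    raise UnsafeDecimalInput, "magnitude outside allowed range"
  end

  BigDecimal(s).to_f
end

# Convenience predicate: does the policy accept this input at all?
def accepts?(input)
  safe_decimal_to_float(input)
  true
rescue UnsafeDecimalInput
  false
end
```

The checks run on the string alone, so a rejected input is never constructed as a BigDecimal in the first place.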

affects: ubuntu → ruby1.8 (Ubuntu)
visibility: private → public
Changed in ruby1.8 (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
iGEL (igel) wrote :

Is importance Medium enough? Quote from the Rails blog: "This could be used by an attacker to crash any ruby program which creates BigDecimal objects based on user input, including almost every Rails application." Sounds fairly critical to me...

John Leach (johnleach) wrote :

This upstream patch fixes this bug:

http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=23652

Unfortunately, hunk #14 fails to apply to Hardy's Ruby source. It looks like the BigDecimal_to_f function has been rewritten since Hardy's version of Ruby (1.8.6.111).

Changed in ruby1.8 (Debian):
status: Unknown → New
Changed in ruby1.8 (Debian):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby1.8 - 1.8.6.111-2ubuntu1.3

---------------
ruby1.8 (1.8.6.111-2ubuntu1.3) hardy-security; urgency=low

  * SECURITY UPDATE: certificate spoofing via invalid return value check
    in OCSP_basic_verify
    - debian/patches/904_security_CVE-2009-0642.dpatch: also check for -1
      return code in ext/openssl/ossl_ocsp.c.
    - CVE-2009-0642
  * SECURITY UPDATE: denial of service in BigDecimal library via string
    argument that represents a large number (LP: #385436)
    - debian/patches/905_security_CVE-2009-1904.dpatch: handle large
      numbers properly in ext/bigdecimal/bigdecimal.c.
    - CVE-2009-1904

 -- Marc Deslauriers <email address hidden> Wed, 15 Jul 2009 13:06:03 -0400

Changed in ruby1.8 (Ubuntu):
status: Confirmed → Fix Released