Posted by Urabe Shyouhei on 9 Jun 2009
A denial of service (DoS) vulnerability was found in the BigDecimal standard library of Ruby. Conversion from BigDecimal objects into Float numbers had a problem that enables attackers to cause segmentation faults.
ActiveRecord relies on this method, so most Rails applications are affected, though this is not a Rails-specific issue.
Impact
An attacker can cause a denial of service by making BigDecimal parse an extremely large number, such as:
BigDecimal("9E69999999").to_s("F")
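The fix is to upgrade, but applications that build BigDecimal values from untrusted strings (form fields, JSON, CSV imports) can also refuse inputs whose exponent or digit count is far beyond anything legitimate before the string ever reaches BigDecimal. The following is an added example written for this advisory, not code from the advisory or from the Ruby project; the helper name safe_bigdecimal and the MAX_EXPONENT bound are assumed values chosen for illustration.

```ruby
require 'bigdecimal'

# Largest absolute decimal exponent accepted from untrusted input.
# Assumed policy value: real monetary or measurement data never comes close.
MAX_EXPONENT = 1_000

# Parse an untrusted numeric string into a BigDecimal, or return nil when the
# string is malformed or its magnitude/precision exceeds MAX_EXPONENT.
# The bound is checked on the raw text, so an oversized input such as
# "9E69999999" is rejected without ever constructing a BigDecimal.
def safe_bigdecimal(str)
  s = str.to_s.strip
  m = /\A[+-]?(\d+)(?:\.(\d+))?(?:[eE]([+-]?\d+))?\z/.match(s)
  return nil unless m

  int_part  = m[1]
  frac_part = m[2] || ""
  exp_part  = m[3] || "0"

  # Effective decimal exponent after normalising the integer digits.
  exponent = exp_part.to_i + int_part.length - 1
  return nil if exponent.abs > MAX_EXPONENT
  # Bound the number of fractional digits as well, so a very long digit
  # string cannot force huge internal allocations either.
  return nil if frac_part.length > MAX_EXPONENT

  BigDecimal(s)
rescue ArgumentError
  nil
end

# Convert to Float only after the bounded parse succeeded; this is the
# conversion path the advisory describes as the crash site on 1.8.
def safe_to_float(str)
  value = safe_bigdecimal(str)
  value && value.to_f
end

if __FILE__ == $0
  p safe_bigdecimal("12.50")      # => 0.125e2
  p safe_to_float("1e3")          # => 1000.0
  p safe_bigdecimal("9E69999999") # => nil (rejected before parsing)
  p safe_bigdecimal("12abc")      # => nil (malformed)
end
```

This is defence in depth for the input boundary only; it does not cover BigDecimal values that arise from arithmetic inside the application, so upgrading the interpreter remains the actual fix.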
Vulnerable versions
1.8 series
- 1.8.6-p368 and all prior versions
- 1.8.7-p160 and all prior versions
1.9 series
- No 1.9.1 version is affected by this issue
Solution
1.8 series
Please upgrade to 1.8.6-p369 or 1.8.7-p174.
- https://cache.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p369.tar.gz
- https://cache.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p174.tar.gz
Updates
- Ruby 1.8.7-p173 had a problem. If you have already downloaded it, please get a newer one. Ruby 1.8.6-p369 does not have this bug.