Ubuntu
ruby1.8 package

DoS vulnerability in BigDecimal Ruby Library

Bug #385436 reported by Charl Matthee on 2009-06-10

276

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	ruby1.8 (Debian)	Fix Released	Unknown	debbugs #532689
	ruby1.8 (Ubuntu)	Fix Released	Medium	Unassigned

Bug Description

A denial of service (DoS) vulnerability was found on the BigDecimal standard library of Ruby. Conversion from BigDecimal objects into Float numbers had a problem which enables attackers to effectively cause segmentation faults.

Refer to the following URLs for complete information:

http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/
http://weblog.rubyonrails.org/2009/6/10/dos-vulnerability-in-ruby

Affected 1.8 series
* 1.8.6-p368 and all prior versions
* 1.8.7-p160 and all prior versions

All 1.9.1 versions are not affected by this issue.

Tags:

Related branches

lp:ubuntu/dapper-security/ruby1.8

lp:ubuntu/hardy-security/ruby1.8

lp:ubuntu/intrepid-security/ruby1.9

lp:ubuntu/jaunty-security/ruby1.9

lp:ubuntu/intrepid-security/ruby1.8

lp:ubuntu/jaunty-security/ruby1.8

lp:ubuntu/karmic-security/ruby1.9

lp:ubuntu/lucid/ruby1.9

lp:ubuntu/intrepid-updates/ruby1.8

CVE References

Charl Matthee (charl-matthee) on 2009-06-10

affects:

ubuntu → ruby1.8 (Ubuntu)

Marc Deslauriers (mdeslaur) on 2009-06-10

visibility:	private → public
Changed in ruby1.8 (Ubuntu):
importance:	Undecided → Medium
status:	New → Confirmed

Revision history for this message

iGEL (igel) wrote on 2009-06-10:

Is importance Medium enough? Quote from the Rails blog: "This could be used by an attacker to crash any ruby program which creates BigDecimal objects based on user input, including almost every Rails application." Sounds fairly critical to me...

Revision history for this message

John Leach (johnleach) wrote on 2009-06-10:

This upstream patch fixes this bug:

http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=23652

Unfortunately, hunk #14 fails to apply to Hardy's Ruby source. It looks like the BigDecimal_to_f function has been rewritten since Hardy's version of Ruby (1.8.6.111).

Bug Watch Updater (bug-watch-updater) on 2009-06-11

Changed in ruby1.8 (Debian):
status:	Unknown → New

Bug Watch Updater (bug-watch-updater) on 2009-06-13

Changed in ruby1.8 (Debian):
status:	New → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2009-07-20:

This bug was fixed in the package ruby1.8 - 1.8.6.111-2ubuntu1.3

---------------
ruby1.8 (1.8.6.111-2ubuntu1.3) hardy-security; urgency=low

  * SECURITY UPDATE: certificate spoofing via invalid return value check
    in OCSP_basic_verify
    - debian/patches/904_security_CVE-2009-0642.dpatch: also check for -1
      return code in ext/openssl/ossl_ocsp.c.
    - CVE-2009-0642
  * SECURITY UPDATE: denial of service in BigDecimal library via string
    argument that represents a large number (LP: #385436)
    - debian/patches/905_security_CVE-2009-1904.dpatch: handle large
      numbers properly in ext/bigdecimal/bigdecimal.c.
    - CVE-2009-1904

-- Marc Deslauriers <email address hidden> Wed, 15 Jul 2009 13:06:03 -0400

Changed in ruby1.8 (Ubuntu):
status:	Confirmed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

debbugs #532689
[done important security] Edit

Bug watches keep track of this bug in other bug trackers.

Ubunturuby1.8 package

DoS vulnerability in BigDecimal Ruby Library

Bug Description

Related branches

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
ruby1.8 package