FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2009-1904

This CVE name corresponds to:

Entered	Topic
2009-06-13	ruby -- BigDecimal denial of service vulnerability

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

CVE-2009-1904 at cve.mitre.org

Details

Type	Candidate
Name	CVE-2009-1904
Phase	Assigned(20090603)

Description

The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type.

References

Source	Reference
MLIST	[pkgsrc-changes] 20090610 CVS commit: pkgsrc/lang/ruby18-base
MLIST	[rubyonrails-security] 20090610 DoS Vulnerability in Ruby (CVE-2009-1904)
CONFIRM	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532689
CONFIRM	http://bugs.gentoo.org/show_bug.cgi?id=273213
CONFIRM	http://github.com/NZKoz/bigdecimal-segfault-fix/tree/master
CONFIRM	http://redmine.ruby-lang.org/issues/show/794
CONFIRM	http://weblog.rubyonrails.org/2009/6/10/dos-vulnerability-in-ruby/
CONFIRM	http://www.ruby-forum.com/topic/189071
CONFIRM	http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/
CONFIRM	https://bugs.launchpad.net/bugs/385436
CONFIRM	https://bugs.launchpad.net/bugs/cve/2009-1904
CONFIRM	http://support.apple.com/kb/HT4077
APPLE	APPLE-SA-2010-03-29-1
FEDORA	FEDORA-2009-13066
GENTOO	GLSA-200906-02
MANDRIVA	MDVSA-2009:160
REDHAT	RHSA-2009:1140
SLACKWARE	SSA:2009-170-02
UBUNTU	USN-805-1
BID	35278
OSVDB	55031
OVAL	oval:org.mitre.oval:def:9780
SECTRACK	1022371
SECUNIA	35399
SECUNIA	35527
SECUNIA	35699
SECUNIA	35593
SECUNIA	35937
SECUNIA	37705
VUPEN	ADV-2009-1563
XF	ruby-bigdecimal-dos(51032)