FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2013-4164

This CVE name corresponds to:

Entered Topic
2013-11-23 ruby -- Heap Overflow in Floating Point Parsing

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type Candidate
Name CVE-2013-4164
Phase Assigned(20130612)

Description

Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a string that is converted to a floating point value, as demonstrated using (1) the to_f method or (2) JSON.parse.

References

Source Reference
CONFIRM https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164
CONFIRM https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released
CONFIRM https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released
CONFIRM https://support.apple.com/kb/HT6536
APPLE APPLE-SA-2014-04-22-1
APPLE APPLE-SA-2014-10-16-3
DEBIAN DSA-2810
DEBIAN DSA-2809
REDHAT RHSA-2013:1763
REDHAT RHSA-2013:1764
REDHAT RHSA-2013:1767
REDHAT RHSA-2014:0011
REDHAT RHSA-2014:0215
SUSE openSUSE-SU-2013:1834
SUSE openSUSE-SU-2013:1835
OSVDB 100113
SECUNIA 55787
SECUNIA 57376