FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

ruby -- Heap Overflow in Floating Point Parsing

Affected packages
ruby19 < 1.9.3.484,1
ruby20 < 2.0.0.353,1

Details

VuXML ID cc9043cf-7f7a-426e-b2cc-8d1980618113
Discovery 2013-11-22
Entry 2013-11-23

Ruby developers report:

Any time a string is converted to a floating point value, a specially crafted string can cause a heap overflow. This can lead to a denial of service attack via segmentation faults and possibly arbitrary code execution. Any program that converts input of unknown origin to floating point values (especially common when accepting JSON) is vulnerable.
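The following is an added example, not part of this VuXML entry and not Ruby's own code or upstream fix. It shows two defender-side checks a practitioner might run while triaging this entry: a comparison of a Ruby version and patchlevel against the fixed releases named above (1.9.3-p484 and 2.0.0-p353, taken from the affected-package ranges), and a conservative allow-list filter, `safe_float`, that bounds the length and grammar of untrusted strings before they reach `Float()`. The filter is an assumed defence-in-depth measure for code that must accept numeric input from unknown sources until it can upgrade; it is not a substitute for the patched interpreter. The helper names, the length bound and the grammar are choices made here, not values from the advisory.

```ruby
# Added example for triaging CVE-2013-4164 (not from the VuXML entry or Ruby upstream).
#
# 1. vulnerable_ruby?  -- compares a version/patchlevel pair against the fixed
#    releases in the advisory: ruby19 fixed at 1.9.3-p484, ruby20 at 2.0.0-p353.
# 2. safe_float        -- assumed defence-in-depth for untrusted input: only a
#    bounded, conservative numeric grammar is handed to Float(); everything else
#    is rejected before the interpreter's float parser sees it.

# Fixed patchlevels per minor release, taken from the advisory's affected ranges.
FIXED_PATCHLEVELS = {
  "1.9.3" => 484,
  "2.0.0" => 353,
}.freeze

# True when the given interpreter build predates the fix for its release line.
# Release lines not named in the advisory return false (out of scope here).
def vulnerable_ruby?(version, patchlevel)
  fixed = FIXED_PATCHLEVELS[version]
  return false if fixed.nil?
  patchlevel < fixed
end

# Convenience wrapper for the interpreter currently running this script.
def current_ruby_vulnerable?
  vulnerable_ruby?(RUBY_VERSION, RUBY_PATCHLEVEL)
end

# Conservative grammar: optional sign, bounded digits, optional bounded fraction,
# optional bounded exponent. Hex ("0x10"), underscores ("1_000"), "Infinity" and
# "NaN", all of which Float() would otherwise accept, are deliberately excluded.
MAX_LEN = 64 # assumed bound; long digit runs are refused outright
NUMERIC = /\A[+-]?\d{1,20}(?:\.\d{1,20})?(?:[eE][+-]?\d{1,4})?\z/

# Returns a Float for input matching the grammar above, nil for anything else.
def safe_float(str)
  return nil unless str.is_a?(String)
  s = str.strip
  return nil if s.empty? || s.length > MAX_LEN
  return nil unless NUMERIC =~ s
  Float(s)
rescue ArgumentError
  nil
end

if __FILE__ == $0
  # Constructed sample inputs of the kind a JSON-accepting service might see.
  samples = ["3.14", "-1e5", "  2.5 ", "0x10", "1_000", "1" * 100, "abc", nil]
  samples.each { |v| puts "#{v.inspect[0, 24]} -> #{safe_float(v).inspect}" }
  puts "running Ruby #{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}: " \
       "#{current_ruby_vulnerable? ? 'affected' : 'not in affected range'}"
end
```

`safe_float` rejects rather than repairs: an input that falls outside the allow-list is returned as `nil` so the caller can log and refuse it, which is the behaviour you want when the goal is to keep oversized or unusual numeric strings away from the float parser entirely.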

References

CVE Name CVE-2013-4164
URL https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/
URL https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released/