Ruby Programming Language Project reports:
https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/

Heap Overflow in Floating Point Parsing (CVE-2013-4164)

There is an overflow in floating point number parsing in Ruby. This vulnerability has been assigned the CVE identifier CVE-2013-4164.

Details

Any time a string is converted to a floating point value, a specially crafted string can cause a heap overflow. This can lead to a denial of service attack via segmentation faults and possibly arbitrary code execution. Any program that converts input of unknown origin to floating point values (especially common when accepting JSON) is vulnerable.

Vulnerable code looks something like this:

    untrusted_data.to_f

But any code that produces floating point values from external data is vulnerable, such as this:

    JSON.parse untrusted_data

Note that this bug is similar to CVE-2009-0689.

All users running an affected release should upgrade to the fixed versions of ruby.

Affected versions

All ruby 1.8 versions
All ruby 1.9 versions prior to ruby 1.9.3 patchlevel 484
All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 353
All ruby 2.1 versions prior to ruby 2.1.0 preview1 prior to trunk revision 43780

Solutions

All users are recommended to upgrade to Ruby 1.9.3 patchlevel 484, ruby 2.0.0 patchlevel 353 or ruby 2.1.0 preview2.

Please note that the ruby 1.8 series and any earlier releases are already obsolete. There is no plan to release new fixed versions for them. Users of such versions are advised to upgrade as soon as possible, as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits

Thanks to Charlie Somerville for reporting this issue!
Upstream announcements of fixed versions 1.9.3p484 and 2.0.0p353:
https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/
https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released/

Upstream commits (trunk, 1.9.3 and 2.0.0):
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43775
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43776
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43778

GitHub repository mirror commits:
https://github.com/ruby/ruby/commit/5cb83d9dab13e14e6146f455ffd9fed4254d238f
https://github.com/ruby/ruby/commit/60c29bbbf6574e0e947c56e71c3c3ca11620ee15
https://github.com/ruby/ruby/commit/46cd2f463c5668f53436076e67db59fdc33ff384

External references:
https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/
Additional follow-up fix (trunk, 1.9.3 and 2.0.0):
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43780
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43783
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43784
Ruby versions in Red Hat Enterprise Linux 5 and earlier use a different strtod implementation. The current implementation was introduced via the following commits (trunk, 1.8):
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=13131
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=16342
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1033546]
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2013:1764 https://rhn.redhat.com/errata/RHSA-2013-1764.html
This issue has been addressed in the following products:

Red Hat Software Collections for RHEL-6

Via RHSA-2013:1763 https://rhn.redhat.com/errata/RHSA-2013-1763.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6.2 EUS - Server and Compute Node Only
Red Hat Enterprise Linux 6.3 EUS - Server and Compute Node Only
Red Hat Enterprise Linux 6.4 EUS - Server and Compute Node Only

Via RHSA-2013:1767 https://rhn.redhat.com/errata/RHSA-2013-1767.html
When will we see an update for Fedora 19? The ruby package is still at 2.0.0-p247.
There is a pending update for F19 - https://admin.fedoraproject.org/updates/FEDORA-2013-22423/ruby-2.0.0.353-16.fc19. Please test!
(In reply to Tomas Hoger from comment #6)
> Ruby versions in Red Hat Enterprise Linux 5 and earlier use different strtod
> implementation. The current implementation was introduced via the following
> commits (trunk, 1.8):
> http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=13131
> http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=16342

The upstream advisory (see comment 0 for the direct link) previously listed all 1.8 versions as affected. It has been updated to take the above information into account. The new strtod implementation was introduced upstream in version 1.8.6-p230 and is also included in 1.8.7. The ruby packages in Red Hat Enterprise Linux 5 are based on the older upstream version 1.8.5.

Statement:

This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5.
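As an added example (not code from the bug report, the upstream advisory or the Ruby project), here is a small Ruby helper that classifies a `ruby -v` banner against the affected ranges in comment 0, with the 1.8 boundary refined as described in this comment. The function names and the sample banners are my own; an unknown patchlevel on a 1.8.6, 1.9.3 or 2.0.0 build is reported as affected, since version alone cannot prove the fix is present.

```ruby
# Added example: map a `ruby -v` banner (or a bare "X.Y.ZpNNN" string) to the
# CVE-2013-4164 status implied by the advisory. Fixed releases: 1.9.3p484,
# 2.0.0p353 and 2.1.0 preview2. Per comment 11, the vulnerable strtod arrived
# in 1.8.6-p230 and is in every 1.8.7, so 1.8.5 and older (RHEL 5) are clean.
VERSION_RE = /(\d+)\.(\d+)\.(\d+)(?:-?p(\d+)|[-\s]?preview(\d+))?/

# Returns integer fields (patch/preview may be nil) or nil if no version found.
def parse_ruby_banner(banner)
  m = VERSION_RE.match(banner)
  return nil unless m
  { major: m[1].to_i, minor: m[2].to_i, teeny: m[3].to_i,
    patch: m[4] && m[4].to_i, preview: m[5] && m[5].to_i }
end

def affected_by_cve_2013_4164?(v)
  case [v[:major], v[:minor]]
  when [1, 8]
    # 1.8.7 (all) and 1.8.6 from p230 on; unknown 1.8.6 patchlevel counts as affected.
    return true if v[:teeny] >= 7
    v[:teeny] == 6 && (v[:patch].nil? || v[:patch] >= 230)
  when [1, 9]
    # Every 1.9 release before 1.9.3 patchlevel 484.
    v[:teeny] < 3 || v[:patch].nil? || v[:patch] < 484
  when [2, 0]
    # Every 2.0.0 release before patchlevel 353.
    v[:patch].nil? || v[:patch] < 353
  when [2, 1]
    # Only 2.1.0 preview1 is listed; preview2 and later carry the fix.
    !v[:preview].nil? && v[:preview] < 2
  else
    false
  end
end

# :affected, :not_affected, or :unknown when the banner cannot be parsed.
def cve_2013_4164_status(banner)
  v = parse_ruby_banner(banner)
  return :unknown if v.nil?
  affected_by_cve_2013_4164?(v) ? :affected : :not_affected
end

if __FILE__ == $PROGRAM_NAME
  # Constructed banners; the first mirrors the Fedora 19 package from comment 9.
  ["ruby 2.0.0p247 (constructed) [x86_64-linux]",
   "ruby 1.9.3p484 (constructed) [x86_64-linux]",
   "ruby 1.8.5 (constructed) [x86_64-linux]"].each do |b|
    puts "#{b} => #{cve_2013_4164_status(b)}"
  end
end
```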
This issue has been addressed in the following products:

OpenStack 3 for RHEL 6

Via RHSA-2014:0011 https://rhn.redhat.com/errata/RHSA-2014-0011.html
HackerOne report: https://hackerone.com/reports/499
This issue has been addressed in the following products:

CloudForms Management Engine 5.x

Via RHSA-2014:0215 https://rhn.redhat.com/errata/RHSA-2014-0215.html
SAM-1 does not appear to use to_f with any user-supplied code; ditto for OpenShift Enterprise 1. This issue is being deferred for both; a later update may address it.