Bug 1412678 (CVE-2016-2339) - CVE-2016-2339 ruby: Fiddle::Function.new heap buffer overflow
Summary: CVE-2016-2339 ruby: Fiddle::Function.new heap buffer overflow
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-2339
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1412685
TreeView+ depends on / blocked
 
Reported: 2017-01-12 14:35 UTC by Andrej Nemec
Modified: 2019-09-29 14:04 UTC (History)
24 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-18 00:19:40 UTC


Attachments (Terms of Use)

Description Andrej Nemec 2017-01-12 14:35:15 UTC
An exploitable heap overflow vulnerability exists in the Fiddle::Function.new “initialize” function functionality of Ruby. In Fiddle::Function.new “initialize” heap buffer “arg_types” allocation is made based on args array length. Specially constructed object passed as element of args array can increase this array size after mentioned allocation and cause heap overflow.

References:

http://www.talosintelligence.com/reports/TALOS-2016-0034/

Comment 2 Doran Moppert 2017-01-18 00:07:42 UTC
This flaw requires executing untrusted ruby code, or passing an untrusted class to the Fiddle module.  Either of these would already represent a vulnerability by design, so the impact from this flaw is Moderate at best.

The Fiddle module is not present in Ruby prior to version 1.9, so earlier versions are not affected.

Comment 3 Doran Moppert 2017-01-18 00:20:21 UTC
Statement:

Red Hat Product Security has rated this issue as having Moderate security
impact. This issue is not currently planned to be addressed in future
updates. For additional information, refer to the Issue Severity
Classification: https://access.redhat.com/security/updates/classification/.


Note You need to log in before you can comment on or make changes to this bug.