An exploitable heap overflow vulnerability exists in the Psych::Emitter start_document function of Ruby. In the Psych::Emitter start_document function, the heap buffer "head" is allocated based on the length of the tags array. A specially constructed object passed as an element of the tags array can increase the array's size after that allocation and cause a heap overflow.

References:
https://lists.debian.org/debian-lts-announce/2020/03/msg00032.html
http://www.talosintelligence.com/reports/TALOS-2016-0032/
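The defect described above is a length check that is re-read after user code has had a chance to run: the buffer is sized from the array length, then each element is converted (which can call back into Ruby and append to the array), and the loop keeps going as long as the live length allows. The C below is an added, constructed model of the hardened loop, not Ruby's psych code; it assumes the fix's approach is to bound the loop by the length captured before the allocation as well as by the live length, so a growing array can never write past the buffer and a shrinking array can never be read past its end. The `tag_array`, `convert_hook` and `emit_tags` names are hypothetical.

```c
#include <stdlib.h>

/* Constructed model (not Ruby's psych code): an array whose element
 * conversion can call back into user code, the way converting each tag
 * to a string can invoke a user-defined to_str in Ruby. */
typedef struct {
    size_t len;            /* live element count; may change during a callback */
    const char *items[16]; /* fixed backing store keeps the model simple */
} tag_array;

/* Hook run while converting element i; models a to_str that mutates the array. */
typedef void (*convert_hook)(tag_array *tags, size_t i);

typedef struct { const char *handle; } tag_directive;

/* Hardened start_document-style loop. The heap buffer is sized from a
 * snapshot of the length, and the loop is bounded by BOTH that snapshot
 * (never write past the allocation if the array grows) and the live
 * length (never read past the end if the array shrinks).
 * Returns the number of directives written, or -1 on allocation failure;
 * the caller frees *out. */
long emit_tags(tag_array *tags, convert_hook hook, tag_directive **out)
{
    size_t len = tags->len;                         /* snapshot before allocating */
    tag_directive *head = calloc(len ? len : 1, sizeof *head);
    tag_directive *tail = head;
    size_t i;
    if (!head) return -1;
    for (i = 0; i < len && i < tags->len; i++) {
        if (hook) hook(tags, i);                    /* may change tags->len */
        if (i >= tags->len) break;                  /* element i no longer exists */
        tail->handle = tags->items[i];              /* stays within the len slots */
        tail++;
    }
    *out = head;
    return (long)(tail - head);
}

/* Constructed hooks for the two mutation cases a callback can cause. */
void grow_hook(tag_array *tags, size_t i)
{
    (void)i;
    if (tags->len < 16) tags->items[tags->len++] = "!extra";
}

void shrink_hook(tag_array *tags, size_t i)
{
    (void)i;
    if (tags->len) tags->len--;
}
```

With the snapshot bound removed from the loop condition, the grow case would keep writing through `tail` past the `len` entries that were allocated, which is the overflow the advisory describes.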
Created ruby tracking bugs for this issue:
Affects: fedora-35 [bug 2133737]
Affects: fedora-36 [bug 2133740]

Created ruby:2.7/ruby tracking bugs for this issue:
Affects: fedora-35 [bug 2133738]

Created ruby:3.0/ruby tracking bugs for this issue:
Affects: fedora-35 [bug 2133739]
Upstream Patch: https://github.com/ruby/ruby/commit/cc0313436160b735a3d41361cb5e3eeb10fcbdad
https://www.cvedetails.com/cve/CVE-2016-2338

(In reply to Sandipan Roy from comment #3)
> Upstream Patch:
> https://github.com/ruby/ruby/commit/cc0313436160b735a3d41361cb5e3eeb10fcbdad
>
> v3_2_0_rc1 v3_2_0_preview3 v3_2_0_preview2 v3_2_0_preview1 v3_1_3 v3_1_2 v3_1_1 v3_1_0 v3_1_0_preview1 v3_0_5 v3_0_4 v3_0_3 v3_0_2 v3_0_1 v3_0_0 v3_0_0_rc2 v3_0_0_rc1 v3_0_0_preview2 v3_0_0_preview1 v2_7_7 v2_7_6 v2_7_5 v2_7_4 v2_7_3 v2_7_2 v2_7_1 v2_7_0 v2_7_0_rc2 v2_7_0_rc1 v2_7_0_preview3 v2_7_0_preview2 v2_7_0_preview1 v2_6_10 v2_6_9 v2_6_8 v2_6_7 v2_6_6 v2_6_5 v2_6_4 v2_6_3 v2_6_2 v2_6_1 v2_6_0 v2_6_0_rc2 v2_6_0_rc1 v2_6_0_preview3 v2_6_0_preview2 v2_6_0_preview1 v2_5_9 v2_5_8 v2_5_7 v2_5_6 v2_5_5 v2_5_4 v2_5_3 v2_5_2 v2_5_1 v2_5_0 v2_5_0_rc1 v2_5_0_preview1 v2_4_10 v2_4_9 v2_4_8 v2_4_7 v2_4_6 v2_4_5 v2_4_4 v2_4_3 v2_4_2 v2_4_1 v2_4_0 v2_4_0_rc1 v2_4_0_preview3 v2_4_0_preview2 v2_4_0_preview1 v2_3_8 v2_3_7 v2_3_6 v2_3_5 v2_3_4 v2_3_3 v2_3_2 v2_3_1 v2_3_0

Seeing the commit, this CVE is basically fixed in Ruby >= 2.3.0.