** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date ** A bug was found in Ruby's standard library. That bug enables third-party people to cause ruby processes to segfault. CVE-2009-1904 was assigned to this. A release containing a fix will be public soon.
This bug just got reported on the Rails security list as well, which is out in the open. It also points to this news item: http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/ I've added both new versions to CVS, but I have not tested them very well yet. Alex: I did confirm that 1.8.7_173 fixes my threading issues.
Public via $URL. Arches, please test and mark stable: =dev-lang/ruby-1.8.6_p369 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
amd64 stable
x86 stable
Stable for HPPA.
Stable on alpha.
shouldn't there be a glsa associated with this?
(In reply to comment #7)
> shouldn't there be a glsa associated with this?

After all security-supported architectures have stabled the package, yes.
CVE-2009-1904 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1904): The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type.
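The CVE text above names the fixed patchlevels (1.8.6 p369, 1.8.7 p173) and the trigger class (a decimal string representing a very large number, converted to Float). As an added example, not code from the bug thread or from Ruby's BigDecimal library, the following script shows the two checks a maintainer would want while the GLSA is pending: an interpreter version test against those patchlevels, and a conservative input guard for decimal strings that arrive from untrusted sources. The string length and exponent limits (`MAX_DECIMAL_LENGTH`, `MAX_DECIMAL_EXPONENT`) are assumptions chosen for this example, not values taken from the advisory.

```ruby
# Added example for CVE-2009-1904 (not part of the original bug report).
# Two defensive checks:
#   1. ruby_fixed?            -- is this version/patchlevel on or past the fix?
#   2. parse_untrusted_decimal -- only hand BigDecimal strings of bounded size.
require 'bigdecimal'

# First patchlevel of each affected branch that carries the fix, per the CVE text.
FIXED_PATCHLEVEL = { '1.8.6' => 369, '1.8.7' => 173 }.freeze

# Returns true/false for the two branches the advisory covers; nil for any
# other branch, which this advisory says nothing about.
def ruby_fixed?(version, patchlevel)
  minimum = FIXED_PATCHLEVEL[version]
  return nil if minimum.nil?
  patchlevel.to_i >= minimum
end

# Convenience check for the interpreter running this script.
def running_ruby_fixed?
  ruby_fixed?(RUBY_VERSION, RUBY_PATCHLEVEL)
end

# Assumed limits for this example: a plain decimal literal with an optional
# exponent, at most 64 characters, exponent magnitude within Float's range.
MAX_DECIMAL_LENGTH   = 64
MAX_DECIMAL_EXPONENT = 308
DECIMAL_RE = /\A[+-]?\d+(?:\.\d+)?(?:[eE]([+-]?\d+))?\z/

# True when str is a decimal literal within the assumed bounds.
def safe_decimal?(str)
  return false unless str.is_a?(String)
  return false if str.length > MAX_DECIMAL_LENGTH
  m = DECIMAL_RE.match(str)
  return false if m.nil?
  exponent = m[1] ? m[1].to_i : 0
  exponent.abs <= MAX_DECIMAL_EXPONENT
end

# Parses an untrusted string into a BigDecimal, rejecting anything outside
# the bounds above before BigDecimal ever sees it.
def parse_untrusted_decimal(str)
  unless safe_decimal?(str)
    raise ArgumentError, "rejected decimal input: #{str.to_s[0, 32].inspect}"
  end
  BigDecimal(str)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, as an HTTP form or API might deliver them.
  ['42', '3.14159', '1.5e300', '1e99999', '1' * 100, 'abc'].each do |s|
    begin
      v = parse_untrusted_decimal(s)
      puts "accepted #{s[0, 16].inspect} -> #{v.to_f}"
    rescue ArgumentError => e
      puts e.message
    end
  end
  puts "fix status for this interpreter: #{running_ruby_fixed?.inspect}"
end
```

Run it as a plain script; the version check answers `nil` on branches the advisory does not cover (for example any 1.9 or later interpreter), so treat `nil` as "consult the release notes for that branch", not as "safe".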
arm/ia64/s390/sh/sparc stable
ppc64 done
ppc done
GLSA draft filed.
GLSA 200906-02