Bug 492282 (CVE-2013-4164) - <dev-lang/ruby-{1.9.3_p484,2.0.0_p353}: heap overflow in floating point parsing (CVE-2013-4164)
Status: RESOLVED FIXED
Alias: CVE-2013-4164
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa]
Keywords:
Depends on: ruby-1.8 475308 483708 488414 492268
Blocks: 483466
Reported: 2013-11-22 10:43 UTC by Agostino Sarubbo
Modified: 2019-09-13 05:28 UTC

Description Agostino Sarubbo gentoo-dev 2013-11-22 10:43:51 UTC
From ${URL} :

Ruby Programming Language Project reports:

https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/

  Heap Overflow in Floating Point Parsing (CVE-2013-4164)

  There is an overflow in floating point number parsing in Ruby. This
  vulnerability has been assigned the CVE identifier CVE-2013-4164.

  Details
  Any time a string is converted to a floating point value, a specially
  crafted string can cause a heap overflow. This can lead to a denial of
  service attack via segmentation faults and possibly arbitrary code execution.
  Any program that converts input of unknown origin to floating point values
  (especially common when accepting JSON) is vulnerable.

  Vulnerable code looks something like this:

    untrusted_data.to_f

  But any code that produces floating point values from external data is
  vulnerable, such as this:

    JSON.parse untrusted_data

  Note that this bug is similar to CVE-2009-0689.

  All users running an affected release should upgrade to the fixed versions
  of ruby.

  Affected versions

  All ruby 1.8 versions
  All ruby 1.9 versions prior to ruby 1.9.3 patchlevel 484
  All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 353
  All ruby 2.1 versions prior to ruby 2.1.0 preview1 prior to trunk revision
  43780

  Solutions

  All users are recommended to upgrade to Ruby 1.9.3 patchlevel 484,
  ruby 2.0.0 patchlevel 353 or ruby 2.1.0 preview2.

  Please note that ruby 1.8 series or any earlier releases are already
  obsoleted. There is no plan to release new fixed versions for them. Users of
  such versions are advised to upgrade as soon as possible as we cannot
  guarantee the continued availability of security fixes for unsupported
  releases.

  Credits
  Thanks to Charlie Somerville for reporting this issue!

Upstream announcements of fixed versions 1.9.3p484 and 2.0.0p353:
https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/
https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released/

Upstream commits (trunk, 1.9.3 and 2.0.0):
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43775
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43776
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43778

GitHub repositories mirror commits:
https://github.com/ruby/ruby/commit/5cb83d9dab13e14e6146f455ffd9fed4254d238f
https://github.com/ruby/ruby/commit/60c29bbbf6574e0e947c56e71c3c3ca11620ee15
https://github.com/ruby/ruby/commit/46cd2f463c5668f53436076e67db59fdc33ff384

External references:
https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
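The advisory quoted above gives two things a defender can act on: the exact version cutoffs at which the fix shipped, and the advice that any untrusted string reaching `to_f` (or `JSON.parse`) is the risky path. The following added example (not part of the bug report, the Ruby project, or the Gentoo ebuilds) turns both into code: a check that classifies a running MRI by `RUBY_VERSION`/`RUBY_PATCHLEVEL` against the fixed patchlevels named in the advisory (1.9.3-p484, 2.0.0-p353; 2.1 is reported as undecidable because its cutoff is a preview build/trunk revision that the patchlevel constant does not encode), and a strict numeric gate for untrusted strings. The function names, the regular expression and the 64-character length cap are my own assumptions; the gate is defense in depth for input that should never have been an arbitrary string in the first place, and does not replace upgrading.

```ruby
# Added example: inventory check and input gating for CVE-2013-4164.
# Not code from the bug report or from the Ruby project.

# Fixed patchlevels as stated in the upstream advisory. Ruby 1.8 has no fixed
# release; Ruby 2.1's cutoff (preview2 / trunk r43780) is not expressible as
# a patchlevel, so that series is reported as "unknown" (nil).
FIXED_PATCHLEVEL = { "1.9.3" => 484, "2.0.0" => 353 }.freeze

# version:    a string such as RUBY_VERSION ("1.9.3")
# patchlevel: an Integer such as RUBY_PATCHLEVEL (484); MRI reports -1 for
#             development builds
# Returns true (affected), false (fixed) or nil (cannot decide from these values).
def affected_by_cve_2013_4164?(version, patchlevel)
  major, minor, teeny = version.split(".").map(&:to_i)
  return true if major == 1 && minor == 8              # every 1.8 release; no fix exists
  return true if major == 1 && minor == 9 && teeny < 3 # 1.9.1/1.9.2 predate 1.9.3-p484
  if (fixed = FIXED_PATCHLEVEL[version])
    return patchlevel < fixed                          # 1.9.3 or 2.0.0: compare patchlevel
  end
  return nil if major == 2 && minor == 1               # 2.1: cutoff is preview2 / r43780
  false                                                # later series ship the fix
end

# Strict decimal grammar (assumed, not from the advisory): optional sign, up to
# 20 integer digits, optional fraction, optional short exponent. Anything else
# (hex floats, whitespace, huge digit runs, non-numeric text) is rejected before
# the interpreter's float parser ever sees it.
STRICT_FLOAT = /\A[+-]?\d{1,20}(?:\.\d{1,20})?(?:[eE][+-]?\d{1,3})?\z/

# Convert an untrusted string to Float only if it matches the strict grammar;
# returns nil otherwise. max_len is a deliberately small upper bound: legitimate
# numeric fields in JSON or form data are short.
def strict_float(str, max_len: 64)
  s = str.to_s.strip
  return nil if s.length > max_len
  return nil unless STRICT_FLOAT.match?(s)
  Float(s)
end

if __FILE__ == $PROGRAM_NAME
  status = affected_by_cve_2013_4164?(RUBY_VERSION, RUBY_PATCHLEVEL)
  label = { true => "AFFECTED", false => "fixed", nil => "unknown (check manually)" }[status]
  puts "ruby #{RUBY_VERSION}p#{RUBY_PATCHLEVEL}: #{label}"
  puts strict_float("3.14").inspect   # 3.14
  puts strict_float("abc").inspect    # nil
end
```

Run the file on each host to get a one-line verdict; the version check is the part worth wiring into a fleet inventory script, while `strict_float` belongs at the boundary where request parameters or decoded JSON fields are turned into numbers.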
Comment 1 Hans de Graaff gentoo-dev Security 2013-11-22 19:23:26 UTC
ruby-1.9.3_p484 and ruby-2.0.0_p353 are now in the tree.

ruby 1.8 is deprecated and we'll work on masking it as soon as possible.
Comment 2 Agostino Sarubbo gentoo-dev 2013-11-24 15:52:49 UTC
(In reply to Agostino Sarubbo from comment #0)
> @maintainer(s): after the bump, in case we need to stabilize the package,
> please let us know if it is ready for the stabilization or not.
Comment 3 Mina Naguib 2013-11-24 16:42:13 UTC
There exists a backported patch for CVE-2013-4164 for ruby 1.8:

http://makandracards.com/railslts/19977-backported-fix-for-heap-overflow-in-floating-point-parsing-cve-2013-4164

It might be a good idea to bring this in to stall/in conjunction with deprecating MRI 1.8.
Comment 4 Hans de Graaff gentoo-dev Security 2013-11-26 10:56:47 UTC
(In reply to Mina Naguib from comment #3)
> There exists a backported patch for CVE-2013-4164 for ruby 1.8:
> 
> http://makandracards.com/railslts/19977-backported-fix-for-heap-overflow-in-
> floating-point-parsing-cve-2013-4164
> 
> It might be a good idea to bring this in to stall/in conjunction with
> deprecating MRI 1.8.

Thanks for letting us know about the patch, but we were already planning to mask and remove ruby 1.8 before the end of the year. This security issue is simply speeding up the goal by a few weeks at the most. We do not intend to patch ruby 1.8.
Comment 5 Hans de Graaff gentoo-dev Security 2013-11-30 07:44:29 UTC
I think we can mark the new ruby versions stable:

=dev-lang/ruby-1.9.3_p484
=dev-lang/ruby-2.0.0_p353

For ruby 1.8 removal we also need a few stable bugs to go through first. These are added as blockers on this bug.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2013-11-30 15:51:37 UTC
Stable for HPPA.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-12-12 20:44:01 UTC
CVE-2013-4164 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4164):
  Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before
  2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780
  allows context-dependent attackers to cause a denial of service
  (segmentation fault) and possibly execute arbitrary code via a string that
  is converted to a floating point value, as demonstrated using (1) the to_f
  method or (2) JSON.parse.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-12-12 20:48:59 UTC
CVE-2013-4407 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4407):
  HTTP::Body::Multipart in the HTTP-Body 1.08, 1.17, and earlier module for
  Perl uses the part of the uploaded file's name after the first "." character
  as the suffix of a temporary file, which makes it easier for remote
  attackers to conduct attacks by leveraging subsequent behavior that may
  assume the suffix is well-formed.
Comment 9 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-12 20:50:36 UTC
Ignore the second CVE.
Comment 10 Agostino Sarubbo gentoo-dev 2013-12-15 17:18:26 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-12-15 17:43:42 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-12-15 17:43:54 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-12-15 17:44:05 UTC
x86 stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-12-15 18:24:20 UTC
alpha stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-12-15 18:24:28 UTC
arm stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-12-15 18:24:37 UTC
sparc stable
Comment 17 Akinori Hattori gentoo-dev 2013-12-29 14:47:54 UTC
ia64 stable
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2013-12-29 21:28:02 UTC
Please check if =dev-lang/ruby-2.0.0_p353 was stabled for arm, as per this bug it looks like only ruby-1.9.3_p484 was.

Setting arm arch back.
Comment 19 Markus Meier gentoo-dev 2014-01-04 13:30:05 UTC
arm stable, all arches done.
Comment 20 Yury German Gentoo Infrastructure gentoo-dev 2014-01-04 18:26:11 UTC
Maintainer(s), please drop the vulnerable version(s).

<dev-lang/ruby-1.9.3_p484
<dev-lang/ruby-2.0.0_p353
1.8 Version.
Comment 21 Hans de Graaff gentoo-dev Security 2014-01-05 13:19:04 UTC
(In reply to Yury German from comment #20)

> <dev-lang/ruby-1.9.3_p484
> <dev-lang/ruby-2.0.0_p353

These are now dropped.

> 1.8 Version.

Still in progress.
Comment 22 Hans de Graaff gentoo-dev Security 2014-05-04 08:39:50 UTC
(In reply to Hans de Graaff from comment #21)

> > 1.8 Version.
> 
> Still in progress.

Ruby 1.8 has been masked and removed.
Comment 23 Yury German Gentoo Infrastructure gentoo-dev 2014-05-04 16:24:13 UTC
Maintainer(s), Thank you for cleanup!

Added to an existing GLSA request.
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 19:24:06 UTC
This issue was resolved and addressed in
 GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml
by GLSA coordinator Sean Amoss (ackle).