625940 – (CVE-2017-11465) dev-lang/ruby: Invalid read/write in parser_yyerror function in UTF-8 parser

Bug 625940 (CVE-2017-11465) - dev-lang/ruby: Invalid read/write in parser_yyerror function in UTF-8 parser

Summary: dev-lang/ruby: Invalid read/write in parser_yyerror function in UTF-8 parser

Status:	RESOLVED INVALID

Alias:	CVE-2017-11465

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	B2 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2017-07-22 12:57 UTC by Agostino Sarubbo
Modified:	2017-10-17 23:47 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2017-07-22 12:57:03 UTC

From ${URL} :

The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or 
possibly have unspecified other impact via a crafted Ruby script, related to the parser_tokadd_utf8 function in parse.y. NOTE: this might 
have security relevance as a bypass of a $SAFE protection mechanism.

Upstream bug:

https://bugs.ruby-lang.org/issues/13742


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Hans de Graaff gentoo-dev

2017-07-23 08:55:49 UTC

Upstream intends to backport this to ruby 2.4, and we will use the backported patch.

Comment 2 Hans de Graaff gentoo-dev

2017-07-30 06:58:15 UTC

Upstream says: "Note that this is not a vulnerability.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11465 is invalid."