
Bug 296052 (CVE-2009-4124)

Summary: <dev-lang/ruby-1.9.1_p376 String#ljust, #center, #rjust Heap-based buffer overflow (CVE-2009-4124)
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: ruby, spatz
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.ruby-lang.org/en/news/2009/12/07/heap-overflow-in-string/
Whiteboard: ~2 [noglsa]
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-07 07:06:59 UTC
There is a heap overflow vulnerability in String#ljust, String#center and String#rjust. This has allowed an attacker to run arbitrary code in some rare cases.

Commit/Patch:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=26038

Ruby 1.9 is currently in p.mask; stable or unstable versions of Ruby (1.8.x) are not affected.
Comment 1 Sven Schwyn (svoop) 2009-12-08 22:04:06 UTC
Just tried to version bump to p376 with the patches from p243. All tests pass but one:

#378 test_thread.rb:191:in `<top (required)>': 
   begin
     100.times do |i|
       begin
         Thread.start(Thread.current) {|u| u.raise }
         raise
       rescue
       ensure
       end
     end
   rescue
     100
   end
  #=> "" (expected "100")  [ruby-dev:31371]
FAIL 1/945 tests failed
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-12 00:58:44 UTC
CVE-2009-4124 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4124):
  Heap-based buffer overflow in the rb_str_justify function in string.c
  in Ruby 1.9.1 before 1.9.1-p376 allows context-dependent attackers to
  execute arbitrary code via unspecified vectors involving (1)
  String#ljust, (2) String#center, or (3) String#rjust.  NOTE: some of
  these details are obtained from third party information.
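
As an added example (not part of the bug report or of Ruby's own code), the check below turns the affected range quoted above, "Ruby 1.9.1 before 1.9.1-p376", into an inventory test over the banner string `ruby -v` prints; the host names, banners and revision numbers in the sample are constructed, and 1.8.x is treated as unaffected as stated in the description.

```ruby
# Added example, not from the bug report: classify Ruby builds against the
# CVE-2009-4124 range ("1.9.1 before 1.9.1-p376") using the `ruby -v` banner.

# Parse "ruby 1.9.1p243 (2009-07-16 revision 24175) [x86_64-linux]" into
# [version, patchlevel]; patchlevel is nil when the banner carries none
# (1.8.x prints it inside the parentheses, dev builds print none).
# Returns nil when the line is not a ruby -v banner at all.
def parse_ruby_banner(line)
  m = line.match(/\Aruby (\d+\.\d+\.\d+)(?:p(\d+))?/)
  return nil unless m
  [m[1], m[2] ? m[2].to_i : nil]
end

# :affected     -> 1.9.1 with patchlevel below 376 (the CVE range)
# :not_affected -> 1.9.1p376 or later, or any other version line (1.8.x per
#                  the description; the CVE text names only 1.9.1)
# :unknown      -> a 1.9.1 banner without a patchlevel (e.g. a dev build)
# :unparsed     -> input is not a ruby -v banner
def cve_2009_4124_status(line)
  parsed = parse_ruby_banner(line)
  return :unparsed if parsed.nil?
  version, patchlevel = parsed
  return :not_affected unless version == "1.9.1"
  return :unknown if patchlevel.nil?
  patchlevel < 376 ? :affected : :not_affected
end

# Given {host => banner}, return the hosts that still need the p376 update.
def hosts_needing_update(banners)
  banners.select { |_host, banner| cve_2009_4124_status(banner) == :affected }.keys
end

# Constructed sample inventory (hypothetical hosts; banner layout is ruby -v's).
SAMPLE_BANNERS = {
  "build1" => "ruby 1.9.1p243 (2009-07-16 revision 24175) [x86_64-linux]",
  "build2" => "ruby 1.9.1p376 (2009-12-07 revision 26041) [x86_64-linux]",
  "web1"   => "ruby 1.8.7 (2009-06-12 patchlevel 174) [x86_64-linux]",
  "dev1"   => "ruby 1.9.1dev (2009-12-01 trunk 26000) [x86_64-linux]",
}

if __FILE__ == $0
  SAMPLE_BANNERS.each { |host, b| puts "#{host}: #{cve_2009_4124_status(b)}" }
  puts "needs update: #{hosts_needing_update(SAMPLE_BANNERS).join(', ')}"
end
```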

Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-05-01 10:36:03 UTC
p376 is in the tree.
Masked and never stable → noglsa.