Summary: | <dev-lang/ruby-{2.0.0_p598, 2.1.5, 2.2.0}: Buffer overflow vulnerability (CVE-2014-{3916,4975}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | ruby |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B3 [noglsa cve] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 536852 | ||
Bug Blocks: |
Description
GLSAMaker/CVETool Bot
2015-01-11 20:55:56 UTC
CVE-2014-3916 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3916): The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string. CVE-2014-4975 https://bugs.ruby-lang.org/issues/10019 As far as I can tell CVE-2014-4975 was fixed upstream for the 2.1 and 2.2 series only. Both 2.1.5 and 2.2.0 in tree are fixed. ruby-1.9.3_p551 and ruby-2.2.0_p598 do not have upstream fixes at the moment. I would expect only 2.2.0 to receive fixes, since 1.9.3 will be deprecated shortly. CVE-2014-3916 https://bugs.ruby-lang.org/issues/9709 This is fixed in the 2.0, 2.1, and 2.2 series. 2.0.0_p598, 2.1.5, and 2.2.0 in tree are all fixed. ruby-1.9.3_p551 is still vulnerable but will be deprecated by upstream shortly. ruby 1.9 is now masked for removal so we no longer have any vulnerable versions in the tree. GLSA Vote: No |