The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an "integer truncation issue."
Upstream commit at $URL.
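The description above names the bug class only (an integer truncation while sizing an allocation in a 64-bit process). The following C snippet is an added illustration of that class, not code from Ruby's bigdecimal.c: a hypothetical digit-count-to-bytes computation that narrows the result through an `unsigned int` before allocating, beside a checked version that refuses sizes that would wrap or truncate.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a precision expressed in 32-bit "digit words" is
   converted to a byte count for a buffer.  Names and layout are hypothetical;
   they only model the bug class (integer truncation), not the real VpMemAlloc. */

/* Vulnerable pattern: the 64-bit byte count is narrowed to unsigned int.
   On a 64-bit build, ndigits = 2^30 + 1 gives 2^32 + 4 bytes, which wraps to 4. */
static size_t trunc_alloc_size(size_t ndigits) {
    unsigned int nbytes = (unsigned int)(ndigits * sizeof(uint32_t)); /* truncation */
    return (size_t)nbytes;   /* far smaller than the caller will later write into */
}

/* Hardened pattern: reject requests that would overflow size_t or exceed the
   widest length field used downstream (INT_MAX here), before any malloc. */
static int safe_alloc_size(size_t ndigits, size_t *out) {
    if (ndigits == 0 || ndigits > SIZE_MAX / sizeof(uint32_t))
        return 0;                                   /* multiplication would wrap */
    size_t nbytes = ndigits * sizeof(uint32_t);
    if (nbytes > (size_t)INT_MAX)
        return 0;                                   /* would not survive an int field */
    *out = nbytes;
    return 1;
}

/* Allocate a zeroed digit buffer only when the size check passes;
   returns NULL (no undersized buffer) otherwise. */
static uint32_t *alloc_digits(size_t ndigits) {
    size_t nbytes;
    if (!safe_alloc_size(ndigits, &nbytes))
        return NULL;
    uint32_t *buf = malloc(nbytes);
    if (buf) memset(buf, 0, nbytes);
    return buf;
}
```

The checked version turns a would-be heap overflow (tiny buffer, large later write) into an early refusal, which is the behaviour a reviewer should expect from any size computation fed by attacker-influenced precision values.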
Re-rating to B2 (special configuration + seldom used extension)
bump is coming soon
This also needs to be fixed for dev-lang/ruby-enterprise
Arches, please test and mark stable:
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Stable on alpha.
amd64 done. Thanks Agostino
Stable for HPPA.
ppc64 stable, last arch done
Thanks, everyone. Added to existing GLSA request.
A quick note that dev-lang/ruby-enterprise has been treecleaned, so it is no longer relevant to this bug.
This issue was resolved and addressed in GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml by GLSA coordinator Sean Amoss (ackle).