http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0188 The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an "integer truncation issue." Upstream commit at $URL.
rerating to B2 (special configuration + seldomly used extension) bump is coming soon
This also needs to be fixed for dev-lang/ruby-enterprise
Arches, please test and mark stable: =dev-lang/ruby-1.8.7_p334-r1 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
amd64 ok
Stable on alpha.
amd64 done. Thanks Agostino
arm/x86 stable
ppc done
Stable for HPPA.
ia64/s390/sh/sparc stable
ppc64 stable, last arch done
Thanks, everyone. Added to existing GLSA request.
A quick note that dev-lang/ruby-enterprise has been treecleaned, so it is no longer relevant to this bug.
This issue was resolved and addressed in GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml by GLSA coordinator Sean Amoss (ackle).