FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

ruby -- BigDecimal denial of service vulnerability

Affected packages
1.8.*,1 <= ruby < 1.8.7.160_1,1
1.8.*,1 <= ruby+oniguruma < 1.8.7.160_1,1
1.8.*,1 <= ruby+pthreads < 1.8.7.160_1,1
1.8.*,1 <= ruby+pthreads+oniguruma < 1.8.7.160_1,1

Details

VuXML ID 62e0fbe5-5798-11de-bb78-001cc0377035
Discovery 2009-06-09
Entry 2009-06-13
Modified 2010-05-02

The official ruby site reports:

A denial of service (DoS) vulnerability was found on the BigDecimal standard library of Ruby. Conversion from BigDecimal objects into Float numbers had a problem which enables attackers to effectively cause segmentation faults.

An attacker can cause a denial of service by causing BigDecimal to parse an insanely large number, such as:

BigDecimal("9E69999999").to_s("F")
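As an added defensive example (not part of the VuXML entry or of Ruby's own BigDecimal code), the check below shows how an application can bound the decimal exponent of untrusted numeric input before handing it to BigDecimal, so that inputs like the one above are rejected up front. The exponent limit and helper names are assumptions chosen for illustration; updating to the fixed port version remains the actual remedy.

```ruby
require 'bigdecimal'

# Assumed application limit on the decimal exponent of accepted input.
MAX_ABS_EXPONENT = 1_000

# Plain decimal or scientific-notation literal: integer part, optional
# fraction, optional exponent (constructed pattern for this example).
NUMERIC = /\A\s*[+-]?(\d+)(?:\.(\d*))?(?:[eE]([+-]?\d+))?\s*\z/

# Returns the effective decimal exponent of the literal (the exponent it would
# have when written as d.ddd x 10^n), or nil if the string is not a literal.
def effective_exponent(str)
  m = NUMERIC.match(str)
  return nil unless m
  int_digits = m[1].sub(/\A0+(?=\d)/, '').length  # ignore leading zeros
  exp = m[3] ? m[3].to_i : 0                       # to_i handles huge exponents
  exp + int_digits - 1
end

# Converts only after the magnitude check passes; raises otherwise.
def safe_bigdecimal(str)
  e = effective_exponent(str)
  raise ArgumentError, "not a numeric literal: #{str.inspect}" if e.nil?
  if e.abs > MAX_ABS_EXPONENT
    raise ArgumentError, "exponent #{e} exceeds limit #{MAX_ABS_EXPONENT}"
  end
  BigDecimal(str)
end

if __FILE__ == $0
  puts safe_bigdecimal("1.5e10").to_s("F")
  begin
    safe_bigdecimal("9E69999999")
  rescue ArgumentError => err
    puts "rejected: #{err.message}"
  end
end
```

The check is deliberately conservative: it inspects the textual form only, never constructs the BigDecimal for a rejected input, and bounds both very large and very small magnitudes, since an application rarely needs either.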

References

Bugtraq ID 35278
CVE Name CVE-2009-1904
URL http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/