[Bug 385436] Re: DoS vulnerability in BigDecimal Ruby Library
This bug was fixed in the package ruby1.8 - 1.8.6.111-2ubuntu1.3

---
ruby1.8 (1.8.6.111-2ubuntu1.3) hardy-security; urgency=low

  * SECURITY UPDATE: certificate spoofing via invalid return value check
    in OCSP_basic_verify
    - debian/patches/904_security_CVE-2009-0642.dpatch: also check for -1
      return code in ext/openssl/ossl_ocsp.c.
    - CVE-2009-0642
  * SECURITY UPDATE: denial of service in BigDecimal library via string
    argument that represents a large number (LP: #385436)
    - debian/patches/905_security_CVE-2009-1904.dpatch: handle large
      numbers properly in ext/bigdecimal/bigdecimal.c.
    - CVE-2009-1904

 -- Marc Deslauriers  Wed, 15 Jul 2009 13:06:03 -0400

** Changed in: ruby1.8 (Ubuntu)
       Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0642

--
DoS vulnerability in BigDecimal Ruby Library
https://bugs.launchpad.net/bugs/385436
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 385436] Re: DoS vulnerability in BigDecimal Ruby Library
** Changed in: ruby1.8 (Debian)
       Status: New => Fix Released
[Bug 385436] Re: DoS vulnerability in BigDecimal Ruby Library
** Changed in: ruby1.8 (Debian)
       Status: Unknown => New
[Bug 385436] Re: DoS vulnerability in BigDecimal Ruby Library
This upstream patch fixes this bug:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=23652

Unfortunately, hunk #14 fails to apply to Hardy's Ruby source. It looks
like the BigDecimal_to_f function has been rewritten since Hardy's version
of Ruby (1.8.6.111).

** Bug watch added: Debian Bug tracker #532689
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532689

** Also affects: ruby1.8 (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532689
   Importance: Unknown
       Status: Unknown
[Bug 385436] Re: DoS vulnerability in BigDecimal Ruby Library
Is importance Medium enough? Quote from the Rails blog: "This could be
used by an attacker to crash any ruby program which creates BigDecimal
objects based on user input, including almost every Rails application."
Sounds fairly critical to me...
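A defensive guard for the situation the Rails quote describes, as an added example that is not from this bug thread or from the ruby1.8 patches: it validates the shape and size of a decimal string before BigDecimal ever parses it. The digit and exponent limits, the helper names and the sample inputs are assumptions.

```ruby
require 'bigdecimal'

# Constructed limits (assumptions, not values from the advisory): reject
# strings whose digit count or exponent is far beyond anything a form
# field should legitimately carry, before BigDecimal ever sees them.
MAX_DIGITS   = 40
MAX_EXPONENT = 400

# Shape accepted here: optional sign, digits, optional fraction, optional
# exponent, surrounding whitespace. Anything else is rejected outright.
DECIMAL_RE = /\A\s*[+-]?(\d+)(?:\.(\d+))?(?:[eE]([+-]?\d+))?\s*\z/

class UntrustedDecimalError < ArgumentError; end

# Hypothetical helper: returns a BigDecimal for a well-formed, bounded
# decimal string, or raises UntrustedDecimalError.
def parse_user_decimal(str)
  raise UntrustedDecimalError, "not a string" unless str.is_a?(String)
  m = DECIMAL_RE.match(str)
  raise UntrustedDecimalError, "malformed decimal" unless m
  int_part, frac_part, exp_part = m[1], m[2].to_s, m[3]
  if int_part.length + frac_part.length > MAX_DIGITS
    raise UntrustedDecimalError, "too many digits"
  end
  if exp_part && exp_part.to_i.abs > MAX_EXPONENT
    raise UntrustedDecimalError, "exponent out of range"
  end
  BigDecimal(str.strip)
end

# Variant for callers that prefer nil to an exception.
def safe_decimal(str)
  parse_user_decimal(str)
rescue UntrustedDecimalError
  nil
end
```

Raising on anything outside the whitelist keeps the decision at the trust boundary, so the value handed to BigDecimal is already bounded regardless of which library version is installed.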
[Bug 385436] Re: DoS vulnerability in BigDecimal Ruby Library
** Visibility changed to: Public

** Changed in: ruby1.8 (Ubuntu)
   Importance: Undecided => Medium

** Changed in: ruby1.8 (Ubuntu)
       Status: New => Confirmed