Denial of service and potential arbitrary code execution in most versions of Ruby
Greetings to the respected Ruby community.
It is strange that this news is not yet on Habré: early yesterday morning the Ruby developers reported a heap overflow when parsing floating-point values. The vulnerability has been assigned CVE-2013-4164. The developers also warn that this bug causes at least a denial of service, and that with some probability it allows arbitrary code execution in Ruby applications.
List of vulnerable versions:
- All versions of ruby 1.8
- All versions of ruby 1.9 prior to 1.9.3 patchlevel 484
- All versions of ruby 2.0 prior to 2.0.0 patchlevel 353
- All versions of ruby 2.1 prior to 2.1.0 preview2
- All versions in trunk prior to revision 43780
Vulnerability Details
Details in the official post are rather scarce. It says that when a string is converted to a floating-point value, a specially crafted string can cause a heap overflow, which in turn can lead to a denial of service and possibly to execution of arbitrary code. All programs that perform this conversion on untrusted input are vulnerable. The most common case is accepting and parsing JSON from third-party sources.
Vulnerable code might look like this:
# untrusted_data is a String received from an external source
untrusted_data.to_f
However, any code that creates floating point values from external sources is vulnerable, for example:
require 'json'
JSON.parse(untrusted_data)
Fix
The developers recommend upgrading to ruby 1.9.3 patchlevel 484, ruby 2.0.0 patchlevel 353 or ruby 2.1.0 preview2. Version 1.8 is deprecated and no fix is planned for it. Ruby 1.8 users are advised to upgrade to a more recent version.
UPD: Only Ruby MRI is affected. Rubinius and JRuby are not affected.
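To turn the version list above into a check you can run across a fleet, here is an added example (my code, not from the advisory or the post) that classifies a Ruby build by the release line, patchlevel and svn revision named in the post. It assumes, as was the case for MRI of that era, that RUBY_REVISION is an Integer svn revision and that preview builds report a patchlevel of -1.

```ruby
require "rubygems" # for Gem::Version (already loaded on Ruby 1.9+)

# Fixed releases named in the advisory, keyed by release line.
FIXED_PATCHLEVEL = { "1.9" => ["1.9.3", 484], "2.0" => ["2.0.0", 353] }.freeze
# Trunk builds from this svn revision on (including 2.1.0 preview2) carry the fix.
FIXED_TRUNK_REVISION = 43780

# Returns true when the described build is inside the CVE-2013-4164 range.
# version: "x.y.z"; patchlevel: Integer (-1 for preview/dev builds);
# revision: svn revision for 2.1/trunk builds; engine: value of RUBY_ENGINE.
def cve_2013_4164_vulnerable?(version:, patchlevel: -1, revision: 0, engine: "ruby")
  return false unless engine == "ruby"              # only MRI is affected
  line = version.split(".")[0, 2].join(".")
  case line
  when "1.8"
    true                                            # deprecated, no fix planned
  when "1.9", "2.0"
    fixed_version, fixed_patch = FIXED_PATCHLEVEL[line]
    cmp = Gem::Version.new(version) <=> Gem::Version.new(fixed_version)
    cmp < 0 || (cmp == 0 && patchlevel < fixed_patch)
  when "2.1"
    # preview builds share RUBY_VERSION "2.1.0", so the svn revision decides
    revision < FIXED_TRUNK_REVISION
  else
    false                                           # later lines shipped after the fix
  end
end

# Convenience wrapper for the interpreter this script is running under.
def running_ruby_vulnerable?
  cve_2013_4164_vulnerable?(
    version: RUBY_VERSION,
    patchlevel: RUBY_PATCHLEVEL,
    revision: RUBY_REVISION.is_a?(Integer) ? RUBY_REVISION : 0, # git hash on modern Ruby
    engine: RUBY_ENGINE
  )
end

if __FILE__ == $PROGRAM_NAME
  puts "#{RUBY_ENGINE} #{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}: " \
       "#{running_ruby_vulnerable? ? 'VULNERABLE' : 'not affected'}"
end
```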