=====================================================================
                                   CERT-Renater

                        Information Note No. 2009/VULN235
_____________________________________________________________________

DATE                      : 11/06/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running the BigDecimal library for Ruby.

======================================================================
http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/
______________________________________________________________________

DoS vulnerability in BigDecimal

A denial of service (DoS) vulnerability was found in the BigDecimal
standard library of Ruby. Conversion of BigDecimal objects into Float
numbers had a defect that lets an attacker reliably trigger a
segmentation fault in the interpreter.

Because ActiveRecord relies on this conversion, most Rails applications
are affected; the issue itself, however, is not specific to Rails.


Impact

An attacker can cause a denial of service by making BigDecimal handle an
extremely large number, for example:

BigDecimal("9E69999999").to_s("F")

Vulnerable versions

1.8 series

    * 1.8.6-p368 and all prior versions
    * 1.8.7-p160 and all prior versions

1.9 series

    * No 1.9.1 release is affected by this issue

Solution

1.8 series

Please upgrade to 1.8.6-p369 or 1.8.7-p173.

    * ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p369.tar.gz
    * ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p173.tar.gz
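As an added example (not part of the CERT-Renater note and not the Ruby project's own code), the following script combines the two practical measures this note implies: a check of the running interpreter against the fixed patch levels listed in the Solution section, and an input guard that rejects untrusted decimal strings carrying an exponent of the size shown in the Impact section before they ever reach BigDecimal. The function names, the regular expression, the exponent limit of 1000 and the length limit of 120 characters are assumptions chosen for illustration; the sample inputs are constructed.

```ruby
require "bigdecimal"

# First fixed patch level per 1.8 release line, as listed in the note.
FIXED_PATCHLEVEL = { "1.8.6" => 369, "1.8.7" => 173 }.freeze

# Does the given interpreter fall inside the vulnerable range?
# Only the 1.8 series is affected; 1.9.1 and later are not.
def vulnerable_ruby?(version = RUBY_VERSION, patchlevel = RUBY_PATCHLEVEL)
  return false unless version.start_with?("1.8.")
  fixed = FIXED_PATCHLEVEL[version]
  # 1.8 releases older than 1.8.6 ("all prior versions") never received the fix.
  return true if fixed.nil?
  patchlevel < fixed
end

# Strict decimal literal (assumed format): optional sign, integer digits,
# optional fraction, optional exponent. No whitespace, underscores, hex,
# "Infinity" or "NaN" are accepted.
DECIMAL_RE = /\A[+-]?(?<int>\d+)(?:\.(?<frac>\d+))?(?:[eE](?<exp>[+-]?\d+))?\z/

# Decimal exponent of the leading significant digit of the literal, i.e. the
# order of magnitude that to_s("F") would have to spell out in full.
# Returns nil when the string is not a plain decimal literal.
def decimal_magnitude(str)
  m = DECIMAL_RE.match(str)
  return nil unless m
  int = m[:int].sub(/\A0+/, "")
  exp = m[:exp].to_i                     # nil.to_i == 0 when no exponent given
  return exp + int.length - 1 unless int.empty?
  # 0.00123: the magnitude comes from the leading zeros of the fraction
  frac = m[:frac].to_s
  return 0 if frac.sub(/\A0+/, "").empty? # the literal is zero
  exp - frac[/\A0*/].length - 1
end

# Parse untrusted text into a BigDecimal, refusing it before BigDecimal sees
# the string if it is malformed, too long, or has a magnitude beyond
# +/- max_exponent (the trigger quoted in the note has magnitude 69999999).
def safe_bigdecimal(str, max_exponent: 1_000, max_length: 120)
  str = str.to_s
  raise ArgumentError, "literal too long (#{str.length} chars)" if str.length > max_length
  mag = decimal_magnitude(str)
  raise ArgumentError, "not a plain decimal literal: #{str.inspect}" if mag.nil?
  raise ArgumentError, "decimal exponent #{mag} exceeds +/-#{max_exponent}" if mag.abs > max_exponent
  BigDecimal(str)
end

if $PROGRAM_NAME == __FILE__
  status = vulnerable_ruby? ? "in the vulnerable range" : "not in the vulnerable range"
  puts "Ruby #{RUBY_VERSION} p#{RUBY_PATCHLEVEL}: #{status}"
  # Constructed inputs: one ordinary value and the trigger string from the note.
  ["123.45", "9E69999999"].each do |input|
    begin
      puts "#{input.inspect} -> #{safe_bigdecimal(input).to_s("F")}"
    rescue ArgumentError => e
      puts "#{input.inspect} rejected: #{e.message}"
    end
  end
end
```

The guard deliberately bounds the magnitude rather than the string length alone: "9E69999999" is only ten characters, so a length check by itself would let the trigger through. Rejecting the input is a defence-in-depth measure for code that must accept numbers from the network; it does not replace upgrading to the patch levels listed above.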


======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================

