Heap Buffer Overflow

Psych is vulnerable to heap buffer overflow. The vulnerability is due to the startdocument function in psychemitter.c buffer head allocation based on the tags array length. This flaw allows an attacker to pass a specially constructed element of tags array object that can increase this array size...

CVE-2016-2338

An exploitable heap overflow vulnerability was found in the Psych::Emitter startdocument function of Ruby. In Psych::Emitter startdocument function heap buffer "head" allocation is made based on the tags array length. A specially constructed object passed as elements of tags array can increase th...

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the startdocument function in psychemitter.c. Passing in a malicious tags array can trigger a crash. PoC: ruby require 'Psych' $tags = puts "+ Start" f = File.new"newfile", "w+" emitter = Psych::Emitter.new...

CVE-2016-2338

An exploitable heap overflow vulnerability exists in the Psych::Emitter startdocument function of Ruby. In Psych::Emitter startdocument function heap buffer "head" allocation is made based on tags array length. Specially constructed object passed as element of tags array can increase this array...

EUVD-2016-3422

An exploitable heap overflow vulnerability exists in the Psych::Emitter startdocument function of Ruby. In Psych::Emitter startdocument function heap buffer "head" allocation is made based on tags array length. Specially constructed object passed as element of tags array can increase this array...

CVE-2016-2338

CVE-2016-2338 describes an exploitable heap overflow in Ruby’s Psych::Emitter.start_document where head is allocated based on the tags array length; specially crafted objects in tags can cause the allocation to exceed bounds. Connected advisories confirm this vulnerability and show the fix in Rub...