Ubuntu.comUB:CVE-2009-1904CVE-2009-1904
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.025 Low
EPSS
Percentile
90.0%
The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173
allows context-dependent attackers to cause a denial of service
(application crash) via a string argument that represents a large number,
as demonstrated by an attempted conversion to the Float data type.
Bugs
- <https://bugs.launchpad.net/bugs/385436>
- <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532689>
- <http://redmine.ruby-lang.org/issues/show/794>
- <http://redmine.ruby-lang.org/issues/show/1589>
- <http://bugs.gentoo.org/show_bug.cgi?id=273213>
- <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1904>
- <https://bugzilla.redhat.com/show_bug.cgi?id=510277 (regression)>
- <https://bugzilla.redhat.com/show_bug.cgi?id=510278 (regression)>
Notes
| Author | Note |
|---|---|
| mdeslaur | PoC here: http://github.com/NZKoz/bigdecimal-segfault-fix/tree/master PoC here: http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/ best PoC here: http://redmine.ruby-lang.org/issues/show/794 backporting patch may introduce regression, see RH bug |
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 6.06 | noarch | ruby1.8 | <Β 1.8.4-1ubuntu1.7 | UNKNOWN |
| ubuntu | 8.04 | noarch | ruby1.8 | <Β 1.8.6.111-2ubuntu1.3 | UNKNOWN |
| ubuntu | 8.10 | noarch | ruby1.8 | <Β 1.8.7.72-1ubuntu0.2 | UNKNOWN |
| ubuntu | 9.04 | noarch | ruby1.8 | <Β 1.8.7.72-3ubuntu0.1 | UNKNOWN |
| ubuntu | 8.10 | noarch | ruby1.9 | <Β 1.9.0.2-7ubuntu1.2 | UNKNOWN |
| ubuntu | 9.04 | noarch | ruby1.9 | <Β 1.9.0.2-9ubuntu1.1 | UNKNOWN |
| ubuntu | 9.10 | noarch | ruby1.9 | <Β 1.9.0.5-1ubuntu1.2 | UNKNOWN |
| ubuntu | 10.04 | noarch | ruby1.9 | <Β 1.9.0.5-1ubuntu2 | UNKNOWN |
References
www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/
launchpad.net/bugs/cve/CVE-2009-1904
nvd.nist.gov/vuln/detail/CVE-2009-1904
security-tracker.debian.org/tracker/CVE-2009-1904
ubuntu.com/security/notices/USN-805-1
ubuntu.com/security/notices/USN-900-1
www.cve.org/CVERecord?id=CVE-2009-1904
Related
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.025 Low
EPSS
Percentile
90.0%