Greetings, dear Ruby community.
It is strange that this news has not yet appeared on Habr, but yesterday morning the Ruby developers reported a heap overflow in the parsing of floating-point values. The vulnerability has been assigned CVE-2013-4164. The developers warn that the bug leads at least to a denial of service, and with some probability allows arbitrary code execution inside a Ruby application.
List of vulnerable versions:
- All versions of ruby 1.8
- All versions of ruby 1.9 before 1.9.3 patchlevel 484
- All versions of ruby 2.0 before 2.0.0 patchlevel 353
- All versions of ruby 2.1 before 2.1.0 preview2
- All versions in trunk before revision 43780
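The ranges above are easy to misread (a 1.9.3 with a low patchlevel is still affected), so here is a small classifier written for this post, not code from the advisory or from the Ruby project. It takes the values of RUBY_VERSION and RUBY_PATCHLEVEL (which is -1 on preview and trunk builds), plus an optional preview number or trunk revision for the 2.1 and trunk cases, and returns :vulnerable, :fixed or :unknown; treating everything newer than 2.1 as fixed is an assumption that follows from the fix landing before the 2.1.0 release.

```ruby
# Added example: classify a Ruby build against the affected ranges
# listed in the CVE-2013-4164 advisory. Not part of the original post.
#
#   version    - RUBY_VERSION string, e.g. "1.9.3"
#   patchlevel - RUBY_PATCHLEVEL integer; -1 on preview/trunk builds
#   preview    - preview number for 2.1.0 pre-releases (1 or 2), if known
#   revision   - SVN revision for trunk builds (RUBY_REVISION), if known
def cve_2013_4164_status(version, patchlevel: -1, preview: nil, revision: nil)
  triple = version.split(".").map(&:to_i)
  major, minor = triple

  case [major, minor]
  when [1, 8]
    :vulnerable                       # end of life, no fix planned
  when [1, 9]
    return :vulnerable if (triple <=> [1, 9, 3]) < 0   # 1.9.0 .. 1.9.2
    return :unknown if patchlevel < 0                  # dev build, cannot tell
    patchlevel >= 484 ? :fixed : :vulnerable
  when [2, 0]
    return :unknown if patchlevel < 0
    patchlevel >= 353 ? :fixed : :vulnerable
  when [2, 1]
    return :fixed if patchlevel >= 0                   # 2.1.0 release or later
    return :unknown unless preview                     # preview build, tag needed
    preview >= 2 ? :fixed : :vulnerable
  else
    if major.nil? || minor.nil?
      :unknown
    elsif [major, minor] <=> [2, 1]
      # Newer series were cut after the fix; older unknown series (0.x) are
      # not covered by the advisory at all. Assumption, see lead-in.
      ([major, minor] <=> [2, 1]) > 0 ? :fixed : :unknown
    end
  end
end

# Trunk builds are identified by revision rather than patchlevel.
def trunk_status(revision)
  return :unknown if revision.nil?
  revision >= 43780 ? :fixed : :vulnerable
end

# Usage: check the interpreter this script is running under.
if __FILE__ == $0
  status = cve_2013_4164_status(RUBY_VERSION, patchlevel: RUBY_PATCHLEVEL)
  puts "#{RUBY_DESCRIPTION}: #{status}"
end
```

Run it with the interpreter you are unsure about; on a preview or trunk build it will report :unknown rather than guess, and you then pass the preview number or revision explicitly.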
Vulnerability Details
Details in the official post are quite scarce. It says that when a string is converted to a floating-point value, a specially crafted string can cause a heap overflow, which in turn can lead to a denial of service and possibly to execution of arbitrary code. Every program that performs this conversion on untrusted input is affected. The most common case is receiving JSON from a third party and parsing it.
Vulnerable code might look like this:
untrusted_data.to_f
But any code that builds floating-point values from external input is affected, for example:
JSON.parse untrusted_data
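For applications that cannot be upgraded on the spot, the following guard is a stop-gap written for this post; it is not the upstream fix and not code from the advisory. It assumes that the crafted input is an abnormally long numeric string, which the advisory does not state explicitly, so it is defence in depth only: numeric literals are length-capped and strictly validated before they reach the interpreter's float parser, both for a bare `to_f` and for raw JSON text about to be handed to `JSON.parse`. The 64-character cap is an assumption chosen to be far above anything a legitimate double needs.

```ruby
require 'json'

# Added example: pre-screen untrusted numeric input before it reaches the
# C-level float parser. Stop-gap only; upgrade the interpreter regardless.

MAX_NUMERIC_LENGTH = 64   # assumption: generous for any legitimate double
FLOAT_RE = /\A[+-]?(?:\d+(?:\.\d+)?|\.\d+)(?:[eE][+-]?\d+)?\z/

class UnsafeNumericInput < ArgumentError; end

# Strict replacement for untrusted_data.to_f: the whole string must be a
# plain decimal float of bounded length, otherwise it is rejected instead
# of being handed to the parser. The anchored regex guarantees that to_f
# consumes the entire string, so nothing is silently truncated either.
def safe_to_f(str, max_len: MAX_NUMERIC_LENGTH)
  s = str.to_s.strip
  if s.length > max_len
    raise UnsafeNumericInput, "numeric literal too long (#{s.length} chars)"
  end
  unless FLOAT_RE =~ s
    raise UnsafeNumericInput, "not a plain float literal: #{s.inspect}"
  end
  s.to_f
end

# Any run of characters that could form a JSON number token. Digit runs
# inside JSON strings match too; that is a conservative false positive,
# not a bypass, because the screen only ever rejects.
NUMERIC_TOKEN_RE = /[-+]?\d[\d.eE+-]*/

# Replacement for JSON.parse untrusted_data: scan the raw text for overlong
# numeric tokens and refuse the whole document if one is found.
def safe_json_parse(text, max_len: MAX_NUMERIC_LENGTH)
  raw = text.to_s
  raw.scan(NUMERIC_TOKEN_RE).each do |tok|
    if tok.length > max_len
      raise UnsafeNumericInput, "numeric token too long (#{tok.length} chars)"
    end
  end
  JSON.parse(raw)
end

# Usage with constructed sample input (not real attack data):
if __FILE__ == $0
  puts safe_to_f("  -2.5e3 ")                     # -2500.0
  puts safe_json_parse('{"price": 9.99, "qty": 3}').inspect
  begin
    safe_json_parse('{"x": ' + ("9" * 200) + '}')
  rescue UnsafeNumericInput => e
    puts "rejected: #{e.message}"
  end
end
```

The rejection happens before any conversion, so an application can log and drop the request instead of crashing; the cost is that legitimately huge literals (which no real client sends) are also refused.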
Fix
The developers recommend upgrading to ruby 1.9.3 patchlevel 484, ruby 2.0.0 patchlevel 353 or ruby 2.1.0 preview2. Ruby 1.8 has reached end of life and no fix is planned for it; users of ruby 1.8 are encouraged to upgrade to a more recent version.
UPD: only MRI (CRuby) is vulnerable; Rubinius and JRuby are not affected.