DoS vulnerability in BigDecimal

A denial of service (DoS) vulnerability was found in the BigDecimal standard library of Ruby. The conversion of BigDecimal objects into Float numbers had a defect that allows an attacker to reliably trigger a segmentation fault in the interpreter.

ActiveRecord relies on this conversion, so most Rails applications are affected, although this is not a Rails-specific issue.

Impact

An attacker can cause a denial of service by making BigDecimal parse and convert an extremely large number, such as:

BigDecimal("9E69999999").to_s("F")
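The real fix is the upgrade given below; the following is an added defense-in-depth example (not code from the advisory or from Ruby itself) for applications that must accept decimal strings from untrusted input. It checks the literal's grammar and the magnitude of its exponent with a regular expression before the string ever reaches BigDecimal, so an input like the one above is rejected instead of being parsed. The function names, the grammar (plain decimal literals only; "Infinity", "NaN" and underscore separators are refused) and the default limits are assumptions of this example.

```ruby
require 'bigdecimal'

# Strict grammar for decimal literals from untrusted input (assumption of this
# example: deliberately narrower than what BigDecimal() itself accepts).
# Captures: 1 = sign, 2 = integer digits, 3 = fraction digits, 4 = exponent.
DECIMAL_LITERAL = /\A\s*([+-]?)(\d+)(?:\.(\d+))?(?:[eEdD]([+-]?\d+))?\s*\z/

class DecimalTooLarge < ArgumentError; end
class MalformedDecimal < ArgumentError; end

# Parse +str+ into a BigDecimal, refusing over-long literals and exponents
# beyond +max_exponent+ before BigDecimal sees the string at all.
def safe_bigdecimal(str, max_exponent: 1_000, max_length: 64)
  s = str.to_s
  raise MalformedDecimal, "literal longer than #{max_length} bytes" if s.bytesize > max_length
  m = DECIMAL_LITERAL.match(s)
  raise MalformedDecimal, "not a decimal literal: #{s.inspect}" unless m
  exponent = (m[4] || "0").to_i
  if exponent.abs > max_exponent
    raise DecimalTooLarge, "exponent #{exponent} exceeds limit #{max_exponent}"
  end
  BigDecimal(s)
end

# Classify each candidate input as :accepted, :too_large or :malformed.
def classify(inputs, max_exponent: 1_000)
  inputs.map do |s|
    begin
      safe_bigdecimal(s, max_exponent: max_exponent)
      [s, :accepted]
    rescue DecimalTooLarge
      [s, :too_large]
    rescue MalformedDecimal
      [s, :malformed]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: the advisory's trigger, an ordinary price and junk.
  classify(["9E69999999", "12.50", "abc"]).each { |s, verdict| puts "#{s.inspect} => #{verdict}" }
end
```

The exponent limit is checked on the textual exponent, so the cost of rejecting a hostile literal is one regular-expression match regardless of how large the number would have been; the length cap additionally bounds the work BigDecimal does on the mantissa of accepted values.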

Vulnerable versions

1.8 series

  • 1.8.6-p368 and all prior versions
  • 1.8.7-p160 and all prior versions

1.9 series

  • No 1.9.1 version is affected by this issue

Solution

1.8 series

Please upgrade to 1.8.6-p369 or 1.8.7-p174.

Updates

  • Ruby 1.8.7-p173 had a problem. If you have already downloaded it, please get a newer release. Ruby 1.8.6-p369 does not have this bug.