Heap overflow in String (CVE-2009-4124)

Posted by Yugui on 7 Dec 2009

There is a heap overflow vulnerability in String#ljust, String#center and String#rjust. This has allowed an attacker to run arbitrary code in some rare cases.

CVE-2009-4124

Vulnerable versions

All releases of Ruby 1.9.1.

This vulnerability does not affect Ruby 1.8 series.

Solution

Please upgrade to Ruby 1.9.1-p376.

<URL:https://cache.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p376.tar.bz2>

Credit

Credit to Emmanouel Kellinis, KPMG London for disclosing the problem to Ruby Security team.

Changes

2009-12-07 14:52 +0900 add link to CVE (but not opened yet when writing this page)

Recent News

Ruby 3.2.10 Released

Ruby 3.2.10 has been released.

Posted by hsbt on 14 Jan 2026

Ruby 4.0.1 Released

Ruby 4.0.1 has been released.

Posted by k0kubun on 13 Jan 2026

Ruby 4.0.0 Released

We are pleased to announce the release of Ruby 4.0.0. Ruby 4.0 introduces “Ruby Box” and “ZJIT”, and adds many improvements.

Posted by naruse on 25 Dec 2025

A New Look for Ruby's Documentation

Following the ruby-lang.org redesign, we have more news to celebrate Ruby’s 30th anniversary: docs.ruby-lang.org has a completely new look with Aliki—RDoc’s new default theme.

Posted by Stan Lo on 23 Dec 2025

More News...

News