Heap overflow in String (CVE-2009-4124)

Posted by Yugui on 7 Dec 2009

There is a heap overflow vulnerability in String#ljust, String#center and String#rjust. This has allowed an attacker to run arbitrary code in some rare cases.

CVE-2009-4124

Vulnerable versions

All releases of Ruby 1.9.1.

This vulnerability does not affect Ruby 1.8 series.

Solution

Please upgrade to Ruby 1.9.1-p376.

<URL:https://cache.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p376.tar.bz2>

Credit

Credit to Emmanouel Kellinis, KPMG London for disclosing the problem to Ruby Security team.

Changes

2009-12-07 14:52 +0900 add link to CVE (but not opened yet when writing this page)

Recent News

Ruby 4.0.5 Released

Ruby 4.0.5 has been released.

Posted by k0kubun on 20 May 2026

Ruby 4.0.4 Released

Ruby 4.0.4 has been released.

Posted by k0kubun on 11 May 2026

Ruby 4.0.3 Released

Ruby 4.0.3 has been released.

Posted by k0kubun on 21 Apr 2026

Ruby 3.2.11 Released

Ruby 3.2.11 has been released. This release includes an update to the zlib gem addressing CVE-2026-27820.

Posted by hsbt on 27 Mar 2026

More News...

News