Posted by Urabe Shyouhei on 9 Jun 2009
A denial of service (DoS) vulnerability was found in the BigDecimal standard library of Ruby. The conversion of BigDecimal objects into Float numbers had a bug that lets an attacker cause a segmentation fault, crashing the process.
ActiveRecord relies on this conversion, so most Rails applications are affected, though the issue is not specific to Rails.
An attacker can cause a denial of service by getting BigDecimal to parse, and then convert, an insanely large number (one whose decimal exponent is far beyond anything a Float can represent).

Vulnerable versions:
- 1.8.6-p368 and all prior versions
- 1.8.7-p160 and all prior versions
- Ruby 1.9.1 (all releases) is not affected by this issue
Please upgrade to Ruby 1.8.6-p369 or 1.8.7-p174.
Ruby 1.8.7-p173 had a problem of its own; if you have already downloaded it, please get the newer release (p174) instead. Ruby 1.8.6-p369 does not have this bug.
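Upgrading is the fix. Until every host is patched, an application can also refuse to hand attacker-controlled numeric strings to BigDecimal when their magnitude is absurd, which keeps the crashing conversion from ever being reached. The following is an added example written for this page, not code from the Ruby project or from the advisory: the regexp, the limit values (308 matches the largest decimal exponent a Float can hold; 100 digits is an arbitrary policy), and the helper names `safe_decimal`, `safe_to_f` and `within_float_range?` are all my own assumptions, and the sample inputs are constructed.

```ruby
require 'bigdecimal'

# Policy limits for numbers accepted from untrusted input (assumed values,
# not from the advisory). A Float cannot hold anything beyond roughly 1E308,
# so a decimal exponent past that is never legitimately convertible.
MAX_DECIMAL_EXPONENT = 308
MAX_SIGNIFICANT_DIGITS = 100

# Only plain decimal literals: optional sign, digits, optional fraction,
# optional exponent. No whitespace, underscores, hex, "Infinity" or "NaN".
DECIMAL_LITERAL = /\A([+-]?)(\d+)(?:\.(\d+))?(?:[eE]([+-]?\d+))?\z/

# Parse an untrusted numeric string, rejecting it before BigDecimal ever sees
# it when its length or magnitude is outside policy. Returns a BigDecimal.
def safe_decimal(str)
  m = DECIMAL_LITERAL.match(str.to_s)
  raise ArgumentError, "not a plain decimal literal: #{str.inspect}" unless m
  _sign, int_part, frac_part, exp_part = m.captures

  digits = int_part.length + frac_part.to_s.length
  if digits > MAX_SIGNIFICANT_DIGITS
    raise ArgumentError, "too many digits (#{digits} > #{MAX_SIGNIFICANT_DIGITS})"
  end

  # Decimal exponent of the leading digit: "12.5E3" is 1.25E4, i.e. 3 + 2 - 1.
  # Leading zeros in int_part only make this estimate larger, i.e. stricter.
  magnitude = exp_part.to_i + int_part.length - 1
  if magnitude.abs > MAX_DECIMAL_EXPONENT
    raise ArgumentError, "exponent out of range (about 10**#{magnitude})"
  end

  BigDecimal(m[0])
end

# Convert to Float only after the input has passed the checks above.
def safe_to_f(str)
  safe_decimal(str).to_f
end

# For a BigDecimal that already exists (for example one loaded from a database
# column), check its decimal exponent before converting instead of re-parsing
# text. BigDecimal#exponent gives e for a value written as 0.d1d2... * 10**e.
def within_float_range?(bd)
  bd.exponent.abs <= MAX_DECIMAL_EXPONENT
end

if __FILE__ == $0
  # Constructed sample inputs: two legitimate values, two absurd exponents,
  # and one string that is not a decimal literal at all.
  ["123.45", "9.99E307", "9E999999999", "1E-999999", "0x1F"].each do |input|
    begin
      puts "#{input.inspect} -> #{safe_to_f(input)}"
    rescue ArgumentError => e
      puts "#{input.inspect} rejected: #{e.message}"
    end
  end
end
```

The check runs on the raw string, so the BigDecimal object for an absurd exponent is never constructed and the vulnerable Float conversion is never called; `within_float_range?` covers values that already exist as BigDecimal objects, which is the ActiveRecord case the advisory mentions. Neither helper is a substitute for installing the fixed release.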