Heap overflow in String (CVE-2009-4124)

Posted by Yugui on 7 Dec 2009

There is a heap overflow vulnerability in String#ljust, String#center and String#rjust. This has allowed an attacker to run arbitrary code in some rare cases.

CVE-2009-4124

Vulnerable versions

All releases of Ruby 1.9.1.

This vulnerability does not affect Ruby 1.8 series.

Solution

Please upgrade to Ruby 1.9.1-p376.

<URL:https://cache.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p376.tar.bz2>

Credit

Credit to Emmanouel Kellinis, KPMG London for disclosing the problem to Ruby Security team.

Changes

2009-12-07 14:52 +0900 add link to CVE (but not opened yet when writing this page)

Recent News

Ruby 4.0.0 Released

We are pleased to announce the release of Ruby 4.0.0. Ruby 4.0 introduces “Ruby Box” and “ZJIT”, and adds many improvements.

Posted by naruse on 25 Dec 2025

A New Look for Ruby's Documentation

Following the ruby-lang.org redesign, we have more news to celebrate Ruby’s 30th anniversary: docs.ruby-lang.org has a completely new look with Aliki—RDoc’s new default theme.

Posted by Stan Lo on 23 Dec 2025

Redesign our Site Identity

We are excited to announce a comprehensive redesign of our site. The design for this update was created by Taeko Akatsuka.

Posted by Hiroshi SHIBATA on 22 Dec 2025

Ruby 4.0.0 preview3 Released

We are pleased to announce the release of Ruby 4.0.0-preview3. Ruby 4.0 introduces Ruby::Box and “ZJIT”, and adds many improvements.

Posted by naruse on 18 Dec 2025

More News...

News