Heap overflow in String (CVE-2009-4124)

There is a heap overflow vulnerability in String#ljust, String#center and String#rjust. In some rare cases, this allows an attacker to run arbitrary code.

Vulnerable versions

  • All releases of Ruby 1.9.1.

This vulnerability does not affect Ruby 1.8 series.

Solution

Please upgrade to Ruby 1.9.1-p376.
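
To find hosts that still need the upgrade, the added example below (not part of the original advisory) classifies `ruby -v` banners against the versions named on this page. The `classify` and `affected_hosts` helpers, the status symbols and the inventory are assumptions made for illustration; versions the advisory does not mention are reported as `:not_listed` rather than guessed at.

```ruby
# Classify Ruby builds against this advisory from their `ruby -v` banner.
# Policy taken from the advisory text only: 1.9.1 releases below patchlevel
# 376 are affected, the 1.8 series is not, anything else is :not_listed.

FIXED_PATCHLEVEL = 376 # 1.9.1-p376, the release named under "Solution"

# Matches the start of a banner such as "ruby 1.9.1p243 (2009-07-16 ...)".
# Anchored, so other implementations (e.g. "jruby ...") are left unparsed.
BANNER = /\Aruby (\d+)\.(\d+)\.(\d+)(?:p(\d+))?/

def classify(banner)
  m = BANNER.match(banner.to_s.strip)
  return :unparsed unless m

  major, minor, teeny = m[1].to_i, m[2].to_i, m[3].to_i
  patch = m[4] && m[4].to_i

  return :not_affected if major == 1 && minor == 8
  return :not_listed unless [major, minor, teeny] == [1, 9, 1]

  # A 1.9.1 banner without a patchlevel (e.g. a dev build) cannot be shown
  # to contain the fix, so it is treated as affected.
  return :affected if patch.nil? || patch < FIXED_PATCHLEVEL
  :fixed
end

# Hosts whose banner classifies as :affected, sorted by name.
def affected_hosts(inventory)
  inventory.select { |_host, banner| classify(banner) == :affected }.keys.sort
end

# Constructed inventory: host names and banner details are made up.
INVENTORY = {
  "web01"   => "ruby 1.9.1p243 (2009-07-16) [i686-linux]",
  "web02"   => "ruby 1.9.1p376 (2009-12-07) [x86_64-linux]",
  "batch01" => "ruby 1.8.7 (2009-06-12 patchlevel 174) [i486-linux]",
  "dev01"   => "ruby 1.9.2p0 (2010-08-18) [x86_64-linux]",
  "app01"   => "jruby 1.4.0"
}.freeze

if __FILE__ == $0
  INVENTORY.each { |host, banner| puts "#{host}: #{classify(banner)}" }
  puts "needs upgrade: #{affected_hosts(INVENTORY).join(', ')}"
end
```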

Credit

Credit to Emmanouel Kellinis, KPMG London, for disclosing the problem to the Ruby Security team.

Changes

  • 2009-12-07 14:52 +0900 add link to CVE (but not opened yet when writing this page)