Heap Overflow in Floating Point Parsing (CVE-2013-4164)
Posted by tenderlove on 22 Nov 2013
There is an overflow in floating point number parsing in Ruby. This vulnerability has been assigned the CVE identifier CVE-2013-4164.
Details
Any time a string is converted to a floating point value, a specially crafted string can cause a heap overflow. This can lead to a denial of service attack via segmentation faults and possibly arbitrary code execution. Any program that converts input of unknown origin to floating point values (especially common when accepting JSON) is vulnerable.
Vulnerable code looks something like this:
untrusted_data.to_f
But any code that produces floating point values from external data is vulnerable, such as this:
JSON.parse untrusted_data
Note that this bug is similar to CVE-2009-0689.
All users running an affected release should upgrade to the FIXED versions of Ruby.
Affected versions
- All Ruby 1.8 versions after Ruby 1.8.6 patchlevel 230
- All Ruby 1.9 versions prior to Ruby 1.9.3 patchlevel 484
- All Ruby 2.0 versions prior to Ruby 2.0.0 patchlevel 353
- All Ruby 2.1 versions prior to Ruby 2.1.0 preview2
- Ruby trunk prior to revision 43780
Solutions
All users are recommended to upgrade to Ruby 1.9.3 patchlevel 484, Ruby 2.0.0 patchlevel 353 or Ruby 2.1.0 preview2.
Please note that the Ruby 1.8 series and any earlier releases are already obsolete. There is no plan to release new FIXED versions for them. Users of such versions are advised to upgrade as soon as possible, as we cannot guarantee the continued availability of security fixes for unsupported releases.
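The affected and fixed ranges above can be turned into a check that a deployment can run against each interpreter it operates. The following script is an added example, not part of this advisory or of Ruby itself: it classifies a build using only the version list given here, taking the interpreter's own RUBY_VERSION, RUBY_PATCHLEVEL and RUBY_REVISION constants as input. Since 2.1.0 preview builds all report a patchlevel of -1, the script falls back to comparing RUBY_REVISION against the trunk revision named above; treating that revision as the cutoff for preview2 is an assumption made by this example.

```ruby
# Added example (not from the advisory): classify a Ruby build against the
# CVE-2013-4164 ranges listed above. Inputs mirror the interpreter constants
# RUBY_VERSION ("x.y.z"), RUBY_PATCHLEVEL (Integer; -1 for preview/dev builds)
# and RUBY_REVISION (Integer on the Rubies this advisory covers).

# Patchlevels at which the advisory says the fix shipped.
FIXED_PATCHLEVEL = { "1.9.3" => 484, "2.0.0" => 353 }.freeze

# Trunk revision named by the advisory. Used here to tell 2.1.0 preview/dev
# builds apart, since their patchlevel is always -1 (assumption: preview2 and
# later were cut from trunk at or after this revision).
FIXED_TRUNK_REVISION = 43780

# Returns one of:
#   :affected        - inside an affected range and a fixed release exists
#   :affected_no_fix - Ruby 1.8 after 1.8.6p230; the advisory says no fix will ship
#   :fixed           - at or after the fixed release for that series
#   :not_listed      - older than any range the advisory names
def cve_2013_4164_status(version, patchlevel, revision = nil)
  major, minor, teeny = version.split(".").map(&:to_i)
  series = [major, minor]

  if (series <=> [1, 8]) < 0
    :not_listed
  elsif series == [1, 8]
    # "All Ruby 1.8 versions after Ruby 1.8.6 patchlevel 230"
    before_cutoff = teeny < 6 || (teeny == 6 && patchlevel <= 230)
    before_cutoff ? :not_listed : :affected_no_fix
  elsif series == [1, 9]
    # "All Ruby 1.9 versions prior to Ruby 1.9.3 patchlevel 484"
    (teeny == 3 && patchlevel >= FIXED_PATCHLEVEL["1.9.3"]) ? :fixed : :affected
  elsif series == [2, 0]
    # "All Ruby 2.0 versions prior to Ruby 2.0.0 patchlevel 353"
    (teeny > 0 || patchlevel >= FIXED_PATCHLEVEL["2.0.0"]) ? :fixed : :affected
  elsif series == [2, 1] && teeny == 0 && patchlevel < 0
    # 2.1.0 preview/dev build: fall back to the revision (see assumption above).
    # Only compare when the revision is an Integer; newer Rubies expose a git hash.
    (revision.is_a?(Integer) && revision >= FIXED_TRUNK_REVISION) ? :fixed : :affected
  else
    # 2.1.0 final and every later series post-date the fix.
    :fixed
  end
end

# Status of the interpreter this script is running under.
def current_ruby_status
  cve_2013_4164_status(RUBY_VERSION, RUBY_PATCHLEVEL, RUBY_REVISION)
end

if __FILE__ == $0
  puts "ruby #{RUBY_VERSION}p#{RUBY_PATCHLEVEL}: #{current_ruby_status}"
end
```

Run it under each interpreter in an estate (or feed it version strings collected from hosts) to find builds that still need the upgrade; anything reported as :affected_no_fix has no fixed release to move to and must migrate to a supported series.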
Credits
Thanks to Charlie Somerville for reporting this issue!
History
- Originally published at 2013-11-22 04:00:00 UTC
- Second revision published at 2013-11-22 06:46:00 UTC
- Third revision published at 2013-11-22 22:46:00 UTC
- Fourth revision published at 2013-12-10 12:09:38 UTC