CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives

In Array#pack and String#unpack with some formats, the tainted flags of the original data are not propagated to the returned string/array. This vulnerability has been assigned the CVE identifier CVE-2018-16396.


The Array#pack method converts the receiver’s contents into a string with a specified format. If the receiver contains some tainted objects, the returned string also should be tainted. The String#unpack method which converts the receiver into an array also should propagate its tainted flag to the objects contained in the returned array. But, with the B, b, H, and h directives, the tainted flags are not propagated. So, if a script processes unreliable inputs by Array#pack and/or String#unpack with these directives and checks the reliability with tainted flags, the check might be wrong.

All users running an affected release should upgrade immediately.

Affected Versions

  • Ruby 2.3 series: 2.3.7 and earlier
  • Ruby 2.4 series: 2.4.4 and earlier
  • Ruby 2.5 series: 2.5.1 and earlier
  • Ruby 2.6 series: 2.6.0-preview2 and earlier
  • prior to trunk revision r65125


Thanks to Chris Seaton for reporting the issue.


  • Originally published at 2018-10-17 14:00:00 (UTC)