CVE-2009-1904

2009-06-11 23:30:00 2017-09-29 03:34:38

The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type.

Vector

NETWORK

Complexity

LOW

Authentication

NONE

Confidentiality

NONE

Integrity

NONE

Availability

PARTIAL

ruby-lang Ruby 1.8.7 Ruby-lang Ruby 1.8.6 (not an official CPE)

Ruby-lang - Ruby

Advisory	Patch	Confirmed	Link
			ruby-bigdecimal-dos(51032)
			FEDORA-2009-13066
			https://bugs.launchpad.net/bugs/cve/2009-1904
			ADV-2009-1563
			https://bugs.launchpad.net/bugs/385436
			35278
			1022371
			USN-805-1
			http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerab...
			RHSA-2009:1140
			http://www.ruby-forum.com/topic/189071
			MDVSA-2009:160
			http://support.apple.com/kb/HT4077
			http://weblog.rubyonrails.org/2009/6/10/dos-vulnerabilit...
			GLSA-200906-02
			SSA:2009-170-02
			http://redmine.ruby-lang.org/issues/show/794
			[pkgsrc-changes] 20090610 CVS commit: pkgsrc/lang/ruby18...
			[rubyonrails-security] 20090610 DoS Vulnerability in Rub...
			APPLE-SA-2010-03-29-1
			http://bugs.gentoo.org/show_bug.cgi?id=273213
			http://github.com/NZKoz/bigdecimal-segfault-fix/tree/mas...
			http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532689

CVE-2009-1904

2009-06-11 23:30:00 2017-09-29 03:34:38

Vector

Complexity

Authentication

Confidentiality

Integrity

Availability

Numeric Errors (ID 189)