CVE-2017-0898 in Ubuntu

CVE-2017-0898

Priority

Description

Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format
string which contains a precious specifier (*) with a huge minus value.
Such situation can lead to a buffer overrun, resulting in a heap memory
corruption or an information disclosure from the heap.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0898
https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/
http://www.securitytracker.com/id/1039363
https://hackerone.com/reports/212241
https://ubuntu.com/security/notices/USN-3439-1
https://ubuntu.com/security/notices/USN-3685-1

Bugs

https://github.com/mruby/mruby/issues/3722
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875936

Notes

mdeslaur

backported patch in debian (2.3.3-1+deb9u2) package

Package

Source: ruby1.9.1 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 14.04 ESM:	DNE (trusty was released [1.9.3.484-2ubuntu1.5])

Patches:

Package

Source: ruby2.0 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 14.04 ESM:	DNE (trusty was released [2.0.0.484-1ubuntu2.10])

Patches:

Package

Source: ruby2.3 (LP Ubuntu Debian)

Upstream:	released (2.3.5)
Ubuntu 18.04 LTS:	DNE
Ubuntu 16.04 ESM:	released (2.3.1-2~16.04.10)
Ubuntu 14.04 ESM:	DNE

Patches:

Other:

https://github.com/mruby/mruby/commit/f0abd4241f2a8087db4c460cf4b1f531c17c1404

More Information

Updated: 2022-04-13 12:51:14 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)