PublicDateAtUSN: 2017-01-06
Candidate: CVE-2016-2339
PublicDate: 2017-01-06 21:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2339
 http://www.talosintelligence.com/reports/TALOS-2016-0034/
 https://ubuntu.com/security/notices/USN-3365-1
Description:
 An exploitable heap overflow vulnerability exists in the
 Fiddle::Function.new "initialize" function functionality of Ruby. In
 Fiddle::Function.new "initialize" heap buffer "arg_types" allocation is
 made based on args array length. Specially constructed object passed as
 element of args array can increase this array size after mentioned
 allocation and cause heap overflow.
Ubuntu-Description:
Notes:
 mdeslaur> 2.3.0 and later not affected
Bugs:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851161
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_ruby1.8:
upstream_ruby1.8: needs-triage
precise_ruby1.8: ignored (reached end-of-life)
precise/esm_ruby1.8: DNE (precise was needed)
trusty_ruby1.8: DNE
trusty/esm_ruby1.8: DNE
vivid/ubuntu-core_ruby1.8: DNE
vivid/stable-phone-overlay_ruby1.8: DNE
xenial_ruby1.8: DNE
yakkety_ruby1.8: DNE
zesty_ruby1.8: DNE
devel_ruby1.8: DNE

Patches_ruby1.9.1:
 upstream: https://github.com/ruby/ruby/commit/bcc2421b4938fc1d9f5f3fb6ef2320571b27af42
upstream_ruby1.9.1: needs-triage
precise_ruby1.9.1: ignored (reached end-of-life)
precise/esm_ruby1.9.1: DNE (precise was needed)
trusty_ruby1.9.1: released (1.9.3.484-2ubuntu1.3)
trusty/esm_ruby1.9.1: DNE (trusty was released [1.9.3.484-2ubuntu1.3])
vivid/ubuntu-core_ruby1.9.1: DNE
vivid/stable-phone-overlay_ruby1.9.1: DNE
xenial_ruby1.9.1: DNE
yakkety_ruby1.9.1: DNE
zesty_ruby1.9.1: DNE
devel_ruby1.9.1: DNE

Patches_ruby2.0:
upstream_ruby2.0: needs-triage
precise_ruby2.0: DNE
precise/esm_ruby2.0: DNE
trusty_ruby2.0: released (2.0.0.484-1ubuntu2.4)
trusty/esm_ruby2.0: DNE (trusty was released [2.0.0.484-1ubuntu2.4])
vivid/ubuntu-core_ruby2.0: DNE
vivid/stable-phone-overlay_ruby2.0: DNE
xenial_ruby2.0: DNE
yakkety_ruby2.0: DNE
zesty_ruby2.0: DNE
devel_ruby2.0: DNE

Patches_ruby2.3:
upstream_ruby2.3: needs-triage
precise_ruby2.3: DNE
precise/esm_ruby2.3: DNE
trusty_ruby2.3: DNE
trusty/esm_ruby2.3: DNE
vivid/ubuntu-core_ruby2.3: DNE
vivid/stable-phone-overlay_ruby2.3: DNE
xenial_ruby2.3: not-affected (2.3.1-2~16.04)
esm-infra/xenial_ruby2.3: not-affected (2.3.1-2~16.04)
yakkety_ruby2.3: not-affected (2.3.1-5build2)
zesty_ruby2.3: not-affected (2.3.3-1)
devel_ruby2.3: not-affected (2.3.3-1)