CVE-2017-0898

Priority
Medium
Description
Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format
string which contains a precious specifier (*) with a huge minus value.
Such situation can lead to a buffer overrun, resulting in a heap memory
corruption or an information disclosure from the heap.
References
Bugs
Notes
 mdeslaur> backported patch in debian (2.3.3-1+deb9u2) package
Package
Upstream:released (2.3.5)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):needs-triage
Ubuntu 17.10 (Artful Aardvark):needs-triage
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (2.3.5-1ubuntu4)
Patches:
Patch:https://github.com/mruby/mruby/commit/f0abd4241f2a8087db4c460cf4b1f531c17c1404
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):released (1.9.3.484-2ubuntu1.5)
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 17.10 (Artful Aardvark):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):needs-triage
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 17.10 (Artful Aardvark):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
More Information

Updated: 2018-02-01 19:14:16 UTC (commit 14116)