CVE-2017-0898 (retired)

Priority
Description
Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format
string which contains a precision specifier (*) with a huge negative value.
Such a situation can lead to a buffer overrun, resulting in heap memory
corruption or an information disclosure from the heap.
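The two checks a practitioner wants from the description above, as an added example that is not code from the Ubuntu tracker or from the Ruby project: a version test against the three fixed upstream releases the description names, and a filter that refuses to pass a format string of outside origin to `format` when it uses the `*` (argument-supplied) width or precision form, which is the path the description points at. The method names `affected_ruby?`, `safe_untrusted_format?` and `format_untrusted`, and the `MAX_FIELD` cap of 1024, are assumptions made for this example.

```ruby
require "rubygems"

# Fixed upstream releases named in the description: 2.4.2, 2.3.5 and 2.2.8.
FIXED = {
  "2.4" => Gem::Version.new("2.4.2"),
  "2.3" => Gem::Version.new("2.3.5"),
  "2.2" => Gem::Version.new("2.2.8"),
}.freeze

# True when an upstream Ruby version string falls in the affected range.
# Series 2.2-2.4 are compared against their fixed release. Anything older
# predates all three fixes (the tracker also lists fixed ruby1.9.1 and
# ruby2.0 packages); anything newer than 2.4 was released after the fix.
def affected_ruby?(version_string)
  v = Gem::Version.new(version_string)
  major, minor = v.segments[0, 2]
  series = "#{major}.#{minor}"
  if FIXED.key?(series)
    v < FIXED[series]
  else
    v < Gem::Version.new("2.2")
  end
end

# Conservative tokenizer for conversion specifications: a '%' followed by
# any non-letter characters up to the conversion letter, or a literal '%%'.
SPEC = /%[^A-Za-z%]*[A-Za-z%]/

# Largest explicit width/precision this example tolerates (assumed cap).
MAX_FIELD = 1024

# True only when every specification in fmt is one we are willing to hand
# to Kernel#format with caller-controlled arguments: no '*' anywhere in the
# specification (width or precision taken from the argument list, including
# the positional '*N$' form) and no explicit field size above MAX_FIELD.
def safe_untrusted_format?(fmt)
  fmt.scan(SPEC).all? do |spec|
    next true if spec == "%%"
    next false if spec.include?("*")
    spec.scan(/\d+/).all? { |n| n.to_i <= MAX_FIELD }
  end
end

# Wrapper that applies the filter before formatting. Raises ArgumentError
# instead of letting a '*' specification reach the sprintf implementation.
def format_untrusted(fmt, *args)
  unless safe_untrusted_format?(fmt)
    raise ArgumentError, "rejected format string: #{fmt.inspect}"
  end
  format(fmt, *args)
end

if __FILE__ == $PROGRAM_NAME
  puts "this interpreter (#{RUBY_VERSION}) in affected upstream range: " \
       "#{affected_ruby?(RUBY_VERSION)}"
  puts format_untrusted("%05.2f|%-8s|", 3.14159, "ab")
  begin
    format_untrusted("%.*s", -2_147_483_648, "x")
  rescue ArgumentError => e
    puts e.message
  end
end
```

Note the caveat for distribution builds: `affected_ruby?` reasons about upstream version numbers only, so an Ubuntu interpreter from the patched 2.3.1-2~16.04.10 package still reports `RUBY_VERSION` 2.3.1 and is flagged as affected. On a distro host, check the installed package version against the "released" entries in the table instead. The format filter is deliberately stricter than Ruby's own grammar: it rejects anything with `*` rather than trying to reason about the sign of the argument, because the safe design is to never let untrusted input choose a width or precision at all.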
Notes
 mdeslaur> backported patch in debian (2.3.3-1+deb9u2) package
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):released (1.9.3.484-2ubuntu1.5)
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):released (2.0.0.484-1ubuntu2.10)
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Package
Upstream:released (2.3.5)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (2.3.1-2~16.04.10)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Patches:
Other:https://github.com/mruby/mruby/commit/f0abd4241f2a8087db4c460cf4b1f531c17c1404
More Information

Updated: 2019-03-26 12:24:12 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)