CVE-2009-4124
Published: 11 December 2009
Heap-based buffer overflow in the rb_str_justify function in string.c in Ruby 1.9.1 before 1.9.1-p376 allows context-dependent attackers to execute arbitrary code via unspecified vectors involving (1) String#ljust, (2) String#center, or (3) String#rjust. NOTE: some of these details are obtained from third party information.
Notes
Author | Note |
---|---|
mdeslaur | upstream says 1.8 is not affected |
Priority
Status
Package | Release | Status |
---|---|---|
ruby1.8 (Launchpad, Ubuntu, Debian) | dapper | Not vulnerable |
ruby1.8 | hardy | Not vulnerable |
ruby1.8 | intrepid | Not vulnerable |
ruby1.8 | jaunty | Not vulnerable |
ruby1.8 | karmic | Not vulnerable |
ruby1.8 | lucid | Not vulnerable |
ruby1.8 | maverick | Not vulnerable |
ruby1.8 | natty | Not vulnerable |
ruby1.8 | oneiric | Not vulnerable |
ruby1.8 | upstream | Needs triage |
ruby1.9 (Launchpad, Ubuntu, Debian) | dapper | Ignored (end of life) |
ruby1.9 | hardy | Ignored (end of life) |
ruby1.9 | intrepid | Released (1.9.0.2-7ubuntu1.3) |
ruby1.9 | jaunty | Released (1.9.0.2-9ubuntu1.2) |
ruby1.9 | karmic | Released (1.9.0.5-1ubuntu1.2) |
ruby1.9 | lucid | Released (1.9.0.5-1ubuntu2) |
ruby1.9 | maverick | Does not exist (pulled 2010-07-27) |
ruby1.9 | natty | Does not exist (pulled 2010-07-27) |
ruby1.9 | oneiric | Does not exist (pulled 2010-07-27) |
ruby1.9 | upstream | Needed |
ruby1.9.1 (Launchpad, Ubuntu, Debian) | dapper | Does not exist |
ruby1.9.1 | hardy | Does not exist |
ruby1.9.1 | intrepid | Does not exist |
ruby1.9.1 | jaunty | Does not exist |
ruby1.9.1 | karmic | Ignored (end of life) |
ruby1.9.1 | lucid | Not vulnerable (1.9.1.376-1) |
ruby1.9.1 | maverick | Not vulnerable (1.9.1.376-1) |
ruby1.9.1 | natty | Not vulnerable (1.9.1.376-1) |
ruby1.9.1 | oneiric | Not vulnerable (1.9.1.376-1) |
ruby1.9.1 | upstream | Released (1.9.1.376) |
Patches:
- upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=26038
- upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=26568