what you don't know can hurt you
Showing 1 - 7 of 7 RSS Feed

CVE-2014-4975

Status Candidate

Overview

Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow.

Related Files

Mandriva Linux Security Advisory 2015-129
Posted Mar 30, 2015
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2015-129 - Due to unrestricted entity expansion, when reading text nodes from an XML document, the REXML parser in Ruby can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service. Will Wood discovered that Ruby incorrectly handled the encodes() function. An attacker could possibly use this issue to cause Ruby to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service. Due to an incomplete fix for 100% CPU utilization can occur as a result of recursive expansion with an empty String. When reading text nodes from an XML document, the REXML parser in Ruby can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service.

tags | advisory, denial of service, arbitrary, ruby
systems | linux, mandriva
advisories | CVE-2014-4975, CVE-2014-8080, CVE-2014-8090
MD5 | 3e6643692ef3f8dbc26a63d36acc5a9d
Debian Security Advisory 3157-1
Posted Feb 9, 2015
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3157-1 - Multiple vulnerabilities were discovered in the interpreter for the Ruby language.

tags | advisory, vulnerability, ruby
systems | linux, debian
advisories | CVE-2014-4975, CVE-2014-8080, CVE-2014-8090
MD5 | d73d81cf5b01b893dcb17767e9195800
Red Hat Security Advisory 2014-1914-01
Posted Nov 27, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1914-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Multiple denial of service flaws were found in the way the Ruby REXML XML parser performed expansion of parameter entities. A specially crafted XML document could cause REXML to use an excessive amount of CPU and memory. A stack-based buffer overflow was found in the implementation of the Ruby Array pack() method. When performing base64 encoding, a single byte could be written past the end of the buffer, possibly causing Ruby to crash.

tags | advisory, denial of service, overflow, ruby
systems | linux, redhat
advisories | CVE-2014-4975, CVE-2014-8080, CVE-2014-8090
MD5 | 0eb8d46493dde6ab962a9c6cea3a9e40
Red Hat Security Advisory 2014-1913-01
Posted Nov 27, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1913-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Multiple denial of service flaws were found in the way the Ruby REXML XML parser performed expansion of parameter entities. A specially crafted XML document could cause REXML to use an excessive amount of CPU and memory. A stack-based buffer overflow was found in the implementation of the Ruby Array pack() method. When performing base64 encoding, a single byte could be written past the end of the buffer, possibly causing Ruby to crash.

tags | advisory, denial of service, overflow, ruby
systems | linux, redhat
advisories | CVE-2014-4975, CVE-2014-8080, CVE-2014-8090
MD5 | 32dd5b679d826a9757290e0883176953
Red Hat Security Advisory 2014-1912-01
Posted Nov 27, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1912-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Multiple denial of service flaws were found in the way the Ruby REXML XML parser performed expansion of parameter entities. A specially crafted XML document could cause REXML to use an excessive amount of CPU and memory. A stack-based buffer overflow was found in the implementation of the Ruby Array pack() method. When performing base64 encoding, a single byte could be written past the end of the buffer, possibly causing Ruby to crash.

tags | advisory, denial of service, overflow, ruby
systems | linux, redhat
advisories | CVE-2014-4975, CVE-2014-8080, CVE-2014-8090
MD5 | 3274bc2cc840ebddceee2bcc8fabdb99
Mandriva Linux Security Advisory 2014-225
Posted Nov 25, 2014
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2014-225 - Will Wood discovered that Ruby incorrectly handled the encodes() function. An attacker could possibly use this issue to cause Ruby to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service. Due to an incomplete fix for 100% CPU utilization can occur as a result of recursive expansion with an empty String. When reading text nodes from an XML document, the REXML parser in Ruby can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service. Additionally ruby has been upgraded to patch level 374.

tags | advisory, denial of service, arbitrary, ruby
systems | linux, mandriva
advisories | CVE-2014-4975, CVE-2014-8090
MD5 | 679bee3b160eb6f558e7b9cd53beb824
Ubuntu Security Notice USN-2397-1
Posted Nov 4, 2014
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2397-1 - Will Wood discovered that Ruby incorrectly handled the encodes() function. An attacker could possibly use this issue to cause Ruby to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service. Willis Vandevanter discovered that Ruby incorrectly handled XML entity expansion. An attacker could use this flaw to cause Ruby to consume large amounts of resources, resulting in a denial of service. Various other issues were also addressed.

tags | advisory, denial of service, arbitrary, ruby
systems | linux, ubuntu
advisories | CVE-2014-4975, CVE-2014-8080
MD5 | 8ac610ac17e23a5965e32f8ec98a58fc
Page 1 of 1
Back1Next

File Archive:

June 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    35 Files
  • 2
    Jun 2nd
    14 Files
  • 3
    Jun 3rd
    40 Files
  • 4
    Jun 4th
    22 Files
  • 5
    Jun 5th
    1 Files
  • 6
    Jun 6th
    1 Files
  • 7
    Jun 7th
    19 Files
  • 8
    Jun 8th
    14 Files
  • 9
    Jun 9th
    39 Files
  • 10
    Jun 10th
    20 Files
  • 11
    Jun 11th
    22 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close