22 Nov '13, 5am

Heap Overflow in Floating Point Parsing (CVE-2013-4164)

There is an overflow in floating point number parsing in Ruby. This vulnerability has been assigned the CVE identifier CVE-2013-4164.

Details

Any time a string is converted to a floating point value, a specially crafted string can cause a heap overflow. This can lead to a denial of service attack via segmentation faults and possibly arbitrary code execution. Any program that converts input of unknown origin to floating point values (especially common when accepting JSON) is vulnerable.

Vulnerable code looks something like this:

    untrusted_data.to_f

But any code that produces floating point values from external data is vulnerable, such as this:

    JSON.parse untrusted_data

Note that this bug is similar to CVE-2009-0689.

All users running an affected release should upgrade to the FIXED versions of Ruby.

Affected versions

A...

Full article: https://www.ruby-lang.org/en/news/2013/11/22/heap-overflo...
