Sha256: 523615e62c7fa9c6d9d8ed78b81b2410329357c6c5b5362077b90442f2f98f92
Size: 746 Bytes
Stored size: 746 Bytes
Versions: 3

Contents

---
engine: ruby
cve: 2018-8778
url: https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
title: Buffer under-read in String#unpack
date: 2018-03-28
description: |
  `String#unpack` receives format specifiers as its parameter, and the
  specifier `@` sets the position from which the data is parsed. If a large
  number is passed with `@`, the number is treated as a negative value and an
  out-of-buffer read occurs. So, if a script accepts external input as the
  argument of `String#unpack`, an attacker can read data on the heap.

  All users running an affected release should upgrade immediately.
patched_versions:
  - "~> 2.2.10"
  - "~> 2.3.7"
  - "~> 2.4.4"
  - "~> 2.5.1"
  - "> 2.6.0-preview1"

Version data entries

3 entries across 3 versions & 2 rubygems

Version Path
bundler-audit-0.7.0.1 data/ruby-advisory-db/rubies/ruby/CVE-2018-8778.yml
bundler-budit-0.6.2 data/ruby-advisory-db/rubies/ruby/CVE-2018-8778.yml
bundler-budit-0.6.1 data/ruby-advisory-db/rubies/ruby/CVE-2018-8778.yml