---
engine: ruby
cve: 2018-8778
url: https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
title: Buffer under-read in String#unpack
date: 2018-03-28
description: |
  `String#unpack` takes a format string as its parameter, and the `@` specifier
  in that format string sets the position at which parsing continues. If a large
  number is given with `@`, the number is treated as a negative value and a read
  outside the buffer occurs. So, if a script passes external input as the format
  argument of `String#unpack`, an attacker can read data from the heap.

  All users running an affected release should upgrade immediately.
patched_versions:
  - "~> 2.2.10"
  - "~> 2.3.7"
  - "~> 2.4.4"
  - "~> 2.5.1"
  - "> 2.6.0-preview1"