Source: ruby2.3
Version: 2.3.3-1
Severity: grave
Tags: upstream patch security

Hi,

the following vulnerability was published for ruby2.3.

CVE-2017-14064[0]:
| Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can
| expose arbitrary memory during a JSON.generate call. The issue lies in
| using strdup in ext/json/ext/generator/generator.c, which will stop
| after encountering a '\0' byte, returning a pointer to a string of
| length zero, which is not the length stored in space_len.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14064
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14064
[1] https://bugs.ruby-lang.org/issues/13853
[2] https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85

Regards,
Salvatore
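The strdup/space_len mismatch the quoted advisory describes, shown as an added C illustration that is neither the json extension's code nor the upstream fix; the struct, function names and the 3-byte sample value are constructed for the demonstration:

```c
#define _POSIX_C_SOURCE 200809L  /* for strdup */
#include <stdlib.h>
#include <string.h>

/* Stand-in for the generator state fields named in the advisory: the
 * configurable indent/space string and its recorded length. */
typedef struct {
    char *space;
    size_t space_len;
} space_state;

/* Vulnerable shape: strdup() stops at the first '\0', so a value such as
 * "\0  " is copied as an empty string while space_len still records the
 * full length. Code that later emits space_len bytes from space would
 * read past the one-byte allocation. Returns the bytes actually copied. */
size_t set_space_strdup(space_state *st, const char *value, size_t len) {
    st->space = strdup(value);
    st->space_len = len;
    return st->space ? strlen(st->space) : 0;
}

/* Hardened shape: copy exactly len bytes so the buffer always holds
 * space_len bytes regardless of embedded NULs. Returns the bytes copied. */
size_t set_space_bounded(space_state *st, const char *value, size_t len) {
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return 0;
    memcpy(copy, value, len);
    copy[len] = '\0';
    st->space = copy;
    st->space_len = len;
    return len;
}

/* Constructed check: a 3-byte indent whose first byte is NUL. Returns 1
 * when strdup copies 0 bytes but the bounded copy holds all 3 with
 * space_len agreeing, 0 otherwise. */
int demonstrate_mismatch(void) {
    static const char value[] = "\0  ";
    space_state a = {0}, b = {0};
    int ok = set_space_strdup(&a, value, 3) == 0 && a.space_len == 3
          && set_space_bounded(&b, value, 3) == 3 && b.space_len == 3
          && memcmp(b.space, value, 3) == 0;
    free(a.space);
    free(b.space);
    return ok;
}
```

The mismatch is observed only by comparing the returned byte counts, so the check never touches memory beyond the short strdup allocation.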