CVE-2008-2664 — Integer Overflow or Wraparound in Ruby

CWE-190 — Integer Overflow or Wraparound9 documents6 sources

Severity

7.8HIGHNVD

CNA10.0

EPSS

6.3%

top 9.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ruby-lang Ruby Canonical Ubuntu Linux Debian Linux

Timeline

PublishedJun 24

Latest updateMay 1

Description

The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although i…

CVSS vector

AV:N/AC:L/C:N/I:N/A:CExploitability: 10.0 | Impact: 6.9

Affected Packages1 packages

▶NVDruby-lang/ruby1.8.6 — 1.8.6.230+4

Also affects: Debian Linux 4.0, Ubuntu Linux 6.06, 7.04, 7.10, 8.04

Patches

Patch: www.ruby-lang.org ↗Patch: www.ruby-lang.org ↗

🔴Vulnerability Details

GHSA

GHSA-c4h6-p7gp-39x2: The rb_str_format function in Ruby 1↗2022-05-01

▶

CVEList

CVE-2008-2664: The rb_str_format function in Ruby 1↗2008-06-24

▶

📋Vendor Advisories

Ubuntu

Ruby vulnerabilities↗2008-06-26

▶

Red Hat

ruby: Unsafe use of alloca in rb_str_format()↗2008-06-20

▶

Red Hat

ruby: integer overflow in rb_ary_splice/update/replace() - REALLOC_N↗2008-06-20

▶

Red Hat

ruby: Integer overflows in rb_str_buf_append()↗2008-06-20

▶

Red Hat

ruby: Integer overflows in rb_ary_store()↗2008-06-20

▶

💬Community

Bugzilla

CVE-2008-2664 ruby: Unsafe use of alloca in rb_str_format()↗2008-06-11

▶