Clod81

Name of the Vulnerable Software and Affected Versions: Ox gem version 2.8.1 Description: The issue is related to a stack-based buffer over-read in the `read from str` function in `sax buf.c` when a crafted input is supplied to `sax parse`. This can cause the process to crash. Recommendations: For Ox gem version 2.8.1, consider avoiding the use of the `sax parse` function with crafted inputs until a patch is available. As a temporary workaround, restrict the input supplied to `sax parse` to prevent potential crashes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** yajl-ruby gem version 1.3.0 **Description** The issue is related to insufficient processing of a format string in the yajl string decode function of the yajl encode.c component in the YAJL-ruby JSON library. When a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT, resulting in the termination of the ruby process and potentially a denial of service. **Recommendations** For yajl-ruby gem version 1.3.0, consider avoiding the use of the Yajl::Parser.new.parse function with untrusted JSON files until a patch is available. As a temporary workaround, restrict the input to this function to prevent the exploitation of this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ox gem version 2.8.0 **Description** The Ox gem for Ruby crashes with a segmentation fault when a crafted input is supplied to the `parse obj` function. The vendor has stated that Ox should handle the error more gracefully but has not confirmed a security implication. **Recommendations** For Ox gem version 2.8.0, consider disabling the `parse obj` function until a more robust error handling mechanism is implemented to prevent the process from crashing with a segmentation fault when supplied with crafted input.

**Name of the Vulnerable Software and Affected Versions** Ccsv version 1.1.0 **Description** The issue allows remote attackers to cause a denial of service, resulting in a double free and application crash, or possibly have other unspecified impacts via a crafted file. This is related to the `foreach` function in `ext/ccsv.c`. However, it is noted that the presence of this issue in version 1.1.0 has been disputed. **Recommendations** For version 1.1.0, consider avoiding the use of the `foreach` function in `ext/ccsv.c` until the dispute regarding its presence is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.