PT-2013-4880 · Ruby+4

Charlie Somerville · Published 2013-11-22 · Updated 2018-01-09 · CVE-2013-4164

CVSS v2.0: 6.8 (Medium) · Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Ruby versions 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2

Description: A heap-based buffer overflow allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via a string that is converted to a floating point value. This can be demonstrated using the to_f method or JSON.parse.

Recommendations: For Ruby version 1.8, update to a version that is not affected by this issue. For Ruby version 1.9 before 1.9.3-p484, update to version 1.9.3-p484 or later. For Ruby version 2.0 before 2.0.0-p353, update to version 2.0.0-p353 or later. For Ruby version 2.1 before 2.1.0 preview2, update to version 2.1.0 preview2 or later. As a temporary workaround, consider restricting the use of the to_f method and the JSON.parse function until a patch is available.

Tags: Exploit · Fix · DoS · Buffer Overflow


Related Identifiers

ALT-PU-2016-2061
CESA-2013_1764
CVE-2013-4164
DSA-2809-1
DSA-2810-1
ELSA-2013-1764
MGASA-2014-0003
RHSA-2013:1763
RHSA-2013:1764
RHSA-2013:1767
RHSA-2013_1764
RHSA-2014:0011
RHSA-2014:0215
USN-2035-1

Affected Products

Alt Linux
Centos
Red Hat
Ruby
Suse