Ubuntu
ruby1.8 package

Precise vulnerable to hash collision DoS

Bug #943451 reported by Tyler Hicks
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ruby1.8 (Ubuntu)
Fix Released
Medium
Unassigned

Bug Description

From Mitre's CVE-2011-4815 description:

"Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. "

Precise's ruby1.8 package is at version 1.8.7.352-2. Debian testing and unstable are both currently unpatched at 1.8.7.352-2, too.

CVE References

Revision history for this message
Tyler Hicks (tyhicks) wrote :

Debdiff based on upstream fix.

Changed in ruby1.8 (Ubuntu):
status: New → Confirmed
visibility: private → public
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby1.8 - 1.8.7.352-2ubuntu1

---------------
ruby1.8 (1.8.7.352-2ubuntu1) precise; urgency=low

  * SECURITY UPDATE: Denial of service via crafted hash table keys
    (LP: #943451)
    - debian/patches/CVE-2011-4815.patch: Add randomness to the key hashing
      algorithm to prevent predictable results when inserting objects into a
      hash table. Based on upstream patch.
    - CVE-2011-4815
 -- Tyler Hicks <email address hidden> Wed, 29 Feb 2012 12:11:48 -0600

Changed in ruby1.8 (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.