First published: Fri Jan 06 2017(Updated: )
An exploitable heap overflow vulnerability exists in the Fiddle::Function.new "initialize" function functionality of Ruby. In Fiddle::Function.new "initialize" heap buffer "arg_types" allocation is made based on args array length. Specially constructed object passed as element of args array can increase this array size after mentioned allocation and cause heap overflow.
Credit: cret@cert.org
Affected Software | Affected Version | How to fix |
---|---|---|
debian/ruby2.1 | ||
Ruby | =2.2.2 | |
Ruby | =2.3.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2016-2339 is considered a critical vulnerability due to its potential for remote code execution.
To fix CVE-2016-2339, upgrade Ruby to a version where the vulnerability is patched, specifically Ruby 2.4.0 or later.
CVE-2016-2339 affects Ruby versions 2.2.2 and 2.3.0.
An attacker can exploit CVE-2016-2339 through specially crafted inputs sent to the Fiddle::Function.new function.
As of the latest updates, CVE-2016-2339 has been recognized for potential exploitation but requires specific conditions to be successful.