CVE-2016-2339

Published: 1/6/2017 Last updated: 8/5/2024 Reserved: 2/12/2016

An exploitable heap overflow vulnerability exists in the Fiddle::Function.new "initialize" function functionality of Ruby. In Fiddle::Function.new "initialize" heap buffer "arg_types" allocation is made based on args array length. Specially constructed object passed as element of args array can increase this array size after mentioned allocation and cause heap overflow.

CNA assigner: certcc (37e5125f-f79b-445b-8fad-9564f167944b) Requested by: n/a

Opam packages affected (1)

conf-ruby

Products affected (1)

Product	Vendor	Version
Ruby	Ruby	<= 2021

References (6)

https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
http://www.securityfocus.com/bid/91234
http://www.talosintelligence.com/reports/TALOS-2016-0034/
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
http://www.securityfocus.com/bid/91234
http://www.talosintelligence.com/reports/TALOS-2016-0034/