製品・ソフトウェアに関する情報

JVN脆弱性詳細

Ruby の BigDecimal ライブラリにおけるサービス運用妨害 (DoS) の脆弱性

Title	Ruby の BigDecimal ライブラリにおけるサービス運用妨害 (DoS) の脆弱性
Summary	Ruby の BigDecimal ライブラリには、大きな数を表す文字列の引数処理に不備があるため、サービス運用妨害 (DoS) 状態となる脆弱性が存在します。
Possible impacts	第三者により、サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	June 9, 2009, midnight
Registration Date	Aug. 14, 2009, 11:04 a.m.
Last Update	April 26, 2010, 4:46 p.m.

CVSS2.0 : 警告
Score	5
Vector	AV:N/AC:L/Au:N/C:N/I:N/A:P

Affected System

レッドハット

Red Hat Enterprise Linux 4 (as)

Red Hat Enterprise Linux 4 (es)

Red Hat Enterprise Linux 4 (ws)

Red Hat Enterprise Linux 4.8 (as)

Red Hat Enterprise Linux 4.8 (es)

Red Hat Enterprise Linux 5 (server)

Red Hat Enterprise Linux Desktop 4.0

Red Hat Enterprise Linux Desktop 5.0 (client)

Red Hat Enterprise Linux EUS 5.3.z (server)

RHEL Desktop Workstation 5 (client)

サイバートラスト株式会社

Asianux Server 3 (x86)

Asianux Server 3 (x86-64)

Asianux Server 4.0

Asianux Server 4.0 (x86-64)

アップル

Apple Mac OS X v10.5.8

Apple Mac OS X v10.6 から v10.6.2

Apple Mac OS X Server v10.5.8

Apple Mac OS X Server v10.6 から v10.6.2

Ruby-lang.org

Ruby 1.8.6 p369 未満

Ruby 1.8.7 p173 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2009-1904	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1904
National Vulnerability Database (NVD)
2	CVE-2009-1904	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1904

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-189	https://jvndb.jvn.jp/ja/cwe/CWE-189.html

ベンダー情報

No	Name	URL
Apple Security Updates
1	HT4077	http://support.apple.com/kb/HT4077
Apple セキュリティアップデート
2	HT4077	http://support.apple.com/kb/HT4077?viewlocale=ja_JP
Asianux Technical Support Network
3	ruby-1.8.5-5.7.1AXS3	https://tsn.miraclelinux.com/tsn_local/index.php?m=errata&a=detail&eid=452
MIRACLE LINUX アップデート情報
4	1746	http://www.miraclelinux.com/support/index.php?q=node/99&errata_id=1746
Red Hat Security Advisory
5	RHSA-2009:1140	https://rhn.redhat.com/errata/RHSA-2009-1140.html
オブジェクト指向言語Ruby
6	BigDecimal の DoS 脆弱性	http://www.ruby-lang.org/ja/news/2009/06/10/dos-vulnerability-in-bigdecimal/
7	DoS vulnerability in BigDecimal	http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/
レッドハットセキュリティーアップデート
8	RHSA-2009:1140	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1140J.html

その他

No	Name	URL
ISS X-Force Database
1	51032	http://xforce.iss.net/xforce/xfdb/51032
OPEN SOURCE VULNERABILITY DATABASE (OSVDB)
2	55031	http://osvdb.org/55031
Secunia Advisory
3	SA35399	http://secunia.com/advisories/35399
4	SA35699	http://secunia.com/advisories/35699
SecurityFocus
5	35278	http://www.securityfocus.com/bid/35278
SecurityTracker
6	1022371	http://www.securitytracker.com/id?1022371
VUPEN Security
7	VUPEN/ADV-2009-1563	http://www.vupen.com/english/advisories/2009/1563

Change Log

No	Changed Details	Date of change
0	[2009年08月14日] 掲載 [2010年04月26日] 影響を受けるシステム：アップル (HT4077) の情報を追加ベンダ情報：アップル (HT4077) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2009-1904

Summary	The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type.
Summary	La librería BigDecimal en Ruby v1.8.6 anteriores p369 y v1.8.7, anteriores a p173 permite a los atacantes dependientes del contexto causar una denegación de servicio (caída de la aplicación) a través de un argumento de cadena de caracteres que representa un número largo, como se demuestra por un intento de conversión al tipo de dato Float.
Publication Date	June 12, 2009, 6:30 a.m.
Registration Date	Jan. 29, 2021, 1:19 p.m.
Last Update	April 23, 2026, 9:35 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:ruby-lang:ruby:1.8.6:::::::*
cpe:2.3:a:ruby-lang:ruby:1.8.7:::::::*

Related information, measures and tools

No	URL	refsource
1	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532689	cve@mitre.org
2	http://bugs.gentoo.org/show_bug.cgi?id=273213	cve@mitre.org
3	http://github.com/NZKoz/bigdecimal-segfault-fix/tree/master	cve@mitre.org
4	http://groups.google.com/group/rubyonrails-security/msg/fad60751e2b9b4f6?dmode=source	cve@mitre.org
5	http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html	cve@mitre.org
6	http://mail-index.netbsd.org/pkgsrc-changes/2009/06/10/msg024708.html	cve@mitre.org
7	http://osvdb.org/55031	cve@mitre.org
8	http://redmine.ruby-lang.org/issues/show/794	cve@mitre.org
9	http://secunia.com/advisories/35399	cve@mitre.org
10	http://secunia.com/advisories/35527	cve@mitre.org
11	http://secunia.com/advisories/35593	cve@mitre.org
12	http://secunia.com/advisories/35699	cve@mitre.org
13	http://secunia.com/advisories/35937	cve@mitre.org
14	http://secunia.com/advisories/37705	cve@mitre.org
15	http://security.gentoo.org/glsa/glsa-200906-02.xml	cve@mitre.org
16	http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.430805	cve@mitre.org
17	http://support.apple.com/kb/HT4077	cve@mitre.org
18	http://weblog.rubyonrails.org/2009/6/10/dos-vulnerability-in-ruby/	cve@mitre.org
19	http://www.mandriva.com/security/advisories?name=MDVSA-2009:160	cve@mitre.org
20	http://www.redhat.com/support/errata/RHSA-2009-1140.html	cve@mitre.org
21	http://www.ruby-forum.com/topic/189071	cve@mitre.org
22	http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/	cve@mitre.org
23	http://www.securityfocus.com/bid/35278	cve@mitre.org
24	http://www.securitytracker.com/id?1022371	cve@mitre.org
25	http://www.ubuntu.com/usn/USN-805-1	cve@mitre.org
26	http://www.vupen.com/english/advisories/2009/1563	cve@mitre.org
27	https://bugs.launchpad.net/bugs/385436	cve@mitre.org
28	https://bugs.launchpad.net/bugs/cve/2009-1904	cve@mitre.org
29	https://exchange.xforce.ibmcloud.com/vulnerabilities/51032	cve@mitre.org
30	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9780	cve@mitre.org
31	https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00731.html	cve@mitre.org
32	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532689	af854a3a-2127-422b-91ae-364da2661108
33	http://bugs.gentoo.org/show_bug.cgi?id=273213	af854a3a-2127-422b-91ae-364da2661108
34	http://github.com/NZKoz/bigdecimal-segfault-fix/tree/master	af854a3a-2127-422b-91ae-364da2661108
35	http://groups.google.com/group/rubyonrails-security/msg/fad60751e2b9b4f6?dmode=source	af854a3a-2127-422b-91ae-364da2661108
36	http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html	af854a3a-2127-422b-91ae-364da2661108
37	http://mail-index.netbsd.org/pkgsrc-changes/2009/06/10/msg024708.html	af854a3a-2127-422b-91ae-364da2661108
38	http://osvdb.org/55031	af854a3a-2127-422b-91ae-364da2661108
39	http://redmine.ruby-lang.org/issues/show/794	af854a3a-2127-422b-91ae-364da2661108
40	http://secunia.com/advisories/35399	af854a3a-2127-422b-91ae-364da2661108
41	http://secunia.com/advisories/35527	af854a3a-2127-422b-91ae-364da2661108
42	http://secunia.com/advisories/35593	af854a3a-2127-422b-91ae-364da2661108
43	http://secunia.com/advisories/35699	af854a3a-2127-422b-91ae-364da2661108
44	http://secunia.com/advisories/35937	af854a3a-2127-422b-91ae-364da2661108
45	http://secunia.com/advisories/37705	af854a3a-2127-422b-91ae-364da2661108
46	http://security.gentoo.org/glsa/glsa-200906-02.xml	af854a3a-2127-422b-91ae-364da2661108
47	http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.430805	af854a3a-2127-422b-91ae-364da2661108
48	http://support.apple.com/kb/HT4077	af854a3a-2127-422b-91ae-364da2661108
49	http://weblog.rubyonrails.org/2009/6/10/dos-vulnerability-in-ruby/	af854a3a-2127-422b-91ae-364da2661108
50	http://www.mandriva.com/security/advisories?name=MDVSA-2009:160	af854a3a-2127-422b-91ae-364da2661108
51	http://www.redhat.com/support/errata/RHSA-2009-1140.html	af854a3a-2127-422b-91ae-364da2661108
52	http://www.ruby-forum.com/topic/189071	af854a3a-2127-422b-91ae-364da2661108
53	http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/	af854a3a-2127-422b-91ae-364da2661108
54	http://www.securityfocus.com/bid/35278	af854a3a-2127-422b-91ae-364da2661108
55	http://www.securitytracker.com/id?1022371	af854a3a-2127-422b-91ae-364da2661108
56	http://www.ubuntu.com/usn/USN-805-1	af854a3a-2127-422b-91ae-364da2661108
57	http://www.vupen.com/english/advisories/2009/1563	af854a3a-2127-422b-91ae-364da2661108
58	https://bugs.launchpad.net/bugs/385436	af854a3a-2127-422b-91ae-364da2661108
59	https://bugs.launchpad.net/bugs/cve/2009-1904	af854a3a-2127-422b-91ae-364da2661108
60	https://exchange.xforce.ibmcloud.com/vulnerabilities/51032	af854a3a-2127-422b-91ae-364da2661108
61	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9780	af854a3a-2127-422b-91ae-364da2661108
62	https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00731.html	af854a3a-2127-422b-91ae-364da2661108

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-189	数値処理の問題	https://cwe.mitre.org/data/definitions/189.html