Ruby BigDecimal vulnerability seems to affect JRuby as well

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: JRuby 1.3
Fix Version/s: JRuby 1.3.1, JRuby 1.4
Component/s: Core Classes/Modules
Labels:
None

Number of attachments :
0

Description

Ruby announced a security vulnerability in BigDecimal. See http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/ for details.

JRuby seems to be affected as well. It doesn't crash, but appears to be stuck in an infinite loop. See the following output: http://gist.github.com/126922

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Charles Oliver Nutter added a comment - 10/Jun/09 2:22 PM

I have a fix for the to_f behavior which just defaults to +-Infinity or zero if the exponent is outside the representable float exponents. There's still an issue with to_i running forever, but matz has not decided how to handle it yet.

Show

Charles Oliver Nutter added a comment - 10/Jun/09 2:22 PM I have a fix for the to_f behavior which just defaults to +-Infinity or zero if the exponent is outside the representable float exponents. There's still an issue with to_i running forever, but matz has not decided how to handle it yet.

Hide

Permalink

Charles Oliver Nutter added a comment - 10/Jun/09 2:43 PM

Fixed in a8ae0da.

Show

Charles Oliver Nutter added a comment - 10/Jun/09 2:43 PM Fixed in a8ae0da.

People

Assignee:

Charles Oliver Nutter

Reporter:

Nick Sieger

Vote (1)

Watch (3)

Dates

Created:

09/Jun/09 7:18 PM

Updated:

27/Oct/09 1:46 PM

Resolved:

10/Jun/09 2:43 PM