JRuby

Ruby BigDecimal vulnerability seems to affect JRuby as well


Description

Ruby announced a security vulnerability in BigDecimal. See http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/ for details.

JRuby seems to be affected as well. It doesn't crash, but appears to be stuck in an infinite loop. See the following output: http://gist.github.com/126922
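The report and the fix discussed below both come down to one thing: a decimal string such as 1E9999999999 carries an exponent far outside anything a Float or a practical Integer can hold, and a converter that tries to honour it digit by digit either crashes or loops. The following is an added example, not JRuby's or MRI's own code. It is a caller-side guard for untrusted decimal strings: the exponent is read from the text itself, Float conversion collapses out-of-range exponents to +-Infinity or zero (the behaviour described for the to_f fix in this ticket), and Integer conversion refuses exponents above an assumed application limit, MAX_TO_I_EXPONENT, since that is the case still open in the thread. The grammar in DECIMAL_RE and the limit value are assumptions for the example, not anything specified on this page.

```ruby
require 'bigdecimal'

# Assumed application-level cap on the decimal exponent accepted for to_i.
# An Integer with more digits than this is never legitimate input here.
MAX_TO_I_EXPONENT = 1_000

# Decimal literal grammar assumed for untrusted input:
#   [sign] digits [. digits] [e|E [sign] digits]
DECIMAL_RE = /\A(?<sign>[+-])?(?<int>\d*)(?:\.(?<frac>\d*))?(?:[eE](?<exp>[+-]?\d+))?\z/

# Decimal exponent of the leading non-zero digit, computed from the text
# alone so that no BigDecimal is ever built from an absurd exponent.
# Returns nil for zero; raises ArgumentError for non-numeric strings.
def leading_exponent(str)
  m = DECIMAL_RE.match(str.strip) or raise ArgumentError, "not a decimal: #{str.inspect}"
  int_part = m[:int] || ""
  digits   = int_part + (m[:frac] || "")
  raise ArgumentError, "not a decimal: #{str.inspect}" if digits.empty?
  first_nz = digits.index(/[1-9]/)
  return nil if first_nz.nil?            # all zeros: value is 0, no exponent
  # value = d.ddd * 10**e where d is the first non-zero digit
  int_part.length - first_nz - 1 + (m[:exp] || "0").to_i
end

# Float conversion mirroring the to_f fix described in the ticket: an
# exponent beyond the Float range yields +-Infinity or zero without
# asking BigDecimal to materialise the number.
def safe_to_f(str)
  e = leading_exponent(str)
  return 0.0 if e.nil?
  negative = str.strip.start_with?("-")
  if e > Float::MAX_10_EXP               # above the largest finite Float
    return negative ? -Float::INFINITY : Float::INFINITY
  elsif e < Float::MIN_10_EXP - 20       # well below the smallest denormal
    return negative ? -0.0 : 0.0
  end
  BigDecimal(str).to_f
end

# Integer conversion with a hard cap: building an Integer with billions of
# digits is the work that never finishes, so refuse it up front.
def safe_to_i(str, max_exponent: MAX_TO_I_EXPONENT)
  e = leading_exponent(str)
  return 0 if e.nil?
  raise RangeError, "exponent #{e} exceeds limit #{max_exponent}" if e > max_exponent
  BigDecimal(str).to_i
end
```

The point of reading the exponent from the string rather than from the parsed BigDecimal is that the check runs before any library code has to represent the value; the same pattern applies to any numeric parser that is fed attacker-controlled text.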

Activity

Charles Oliver Nutter added a comment -

I have a fix for the to_f behavior which just defaults to +-Infinity or zero if the exponent is outside the representable float exponents. There's still an issue with to_i running forever, but matz has not decided how to handle it yet.

Charles Oliver Nutter added a comment -

Fixed in a8ae0da.
