Issue Details (XML | Word | Printable)

Key: JRUBY-3744
Type: Bug Bug
Status: Closed Closed
Resolution: Fixed
Priority: Critical Critical
Assignee: Charles Oliver Nutter
Reporter: Nick Sieger
Votes: 1
Watchers: 2
Operations

If you were logged in you would be able to see more operations.
JRuby

Ruby BigDecimal vulnerability seems to affect JRuby as well

Created: 09/Jun/09 07:18 PM   Updated: 27/Oct/09 01:46 PM   Resolved: 10/Jun/09 02:43 PM
Return to search
Component/s: Core Classes/Modules
Affects Version/s: JRuby 1.3
Fix Version/s: JRuby 1.3.1, JRuby 1.4

Time Tracking:
Not Specified


 Description  « Hide

Ruby announced a security vulnerability in BigDecimal. See http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/ for details.

JRuby seems to be affected as well. It doesn't crash, but appears to be stuck in an infinite loop. See the following output: http://gist.github.com/126922

Sort Order: Ascending order - Click to sort in descending order
[ Permalink | « Hide ]
Charles Oliver Nutter added a comment - 10/Jun/09 02:22 PM

I have a fix for the to_f behavior which just defaults to +-Infinity or zero if the exponent is outside the representable float exponents. There's still an issue with to_i running forever, but matz has not decided how to handle it yet.


[ Permalink | « Hide ]
Charles Oliver Nutter added a comment - 10/Jun/09 02:43 PM

Fixed in a8ae0da.


Charles Oliver Nutter made changes - 10/Jun/09 02:43 PM
Field Original Value New Value
Assignee Charles Oliver Nutter [ headius ]
Resolution Fixed [ 1 ]
Status Open [ 1 ] Resolved [ 5 ]
Charles Oliver Nutter made changes - 10/Jun/09 02:56 PM
Fix Version/s JRuby 1.3.1 [ 15378 ]
Charles Oliver Nutter made changes - 27/Oct/09 01:46 PM
Status Resolved [ 5 ] Closed [ 6 ]
Atlassian JIRA (v4.0#466) | Report a problem | Request a feature | Contact administrators
Powered by a free Atlassian JIRA open source license for Codehaus. Try JIRA - bug tracking software for your team.