Ruby Array Pack Bleed – Impacts Ruby 1.6.7 to 4.0.0
4 months ago
- #Vulnerability
- #Ruby
- #Security
- Ruby 4.0.0 shipped with a memory disclosure vulnerability in the Array#pack method.
- The vulnerability allows out-of-bounds memory reads via negative repeat counts in pack directives.
- It affects Ruby versions from 1.6.7 to 4.0.0, with a fix tracked in PR #15763.
- The 'X' directive in the pack method can be abused to grow strings by negative amounts, exposing the contents of adjacent memory.
- A guard condition in rb_str_set_len limits how much memory is exposed, but it can be bypassed with specific string lengths.
- The demonstration shows how memory is leaked by manipulating string lengths and repeat counts.
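Until a patched Ruby is deployed, code that builds pack format strings from untrusted input can refuse negative repeat counts before the string ever reaches Array#pack. The wrapper below is an added example written for this summary, not code from the article or from the Ruby fix; `safe_pack`, `negative_counts`, `PACK_DIRECTIVE` and `UnsafePackFormat` are names chosen here, and the check assumes that legitimate format strings never need a '-' character.

```ruby
# Added mitigation example (not from the article): reject pack format strings
# that carry a negative repeat count, e.g. "a3X-1", before calling Array#pack.

class UnsafePackFormat < ArgumentError; end

# A pack directive: a letter or '@', optional modifiers (_ ! < >), and an
# optional count that is either digits (possibly negative) or '*'.
PACK_DIRECTIVE = /([A-Za-z@])([_!<>]*)(-?\d+|\*)?/

# Strips pack-format comments ('#' to end of line) and returns every directive
# with a negative count, e.g. ["X-1"]. Any other stray '-' is reported as "-".
def negative_counts(format)
  stripped = format.gsub(/#.*$/, '')
  found = stripped.scan(PACK_DIRECTIVE).map do |directive, _mods, count|
    "#{directive}#{count}" if count && count.start_with?('-')
  end.compact
  stray = stripped.count('-') - found.size
  found + Array.new(stray, '-')
end

# Packs `values` with `format` only if no negative repeat count is present.
def safe_pack(values, format)
  bad = negative_counts(format)
  unless bad.empty?
    raise UnsafePackFormat, "negative repeat count in #{bad.join(', ')}"
  end
  values.pack(format)
end

if __FILE__ == $PROGRAM_NAME
  p safe_pack([1, 2], 'CC')          # => "\x01\x02"
  begin
    safe_pack(['abc'], 'a3X-1')      # constructed unsafe format string
  rescue UnsafePackFormat => e
    puts "rejected: #{e.message}"
  end
end
```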