Skip to content

Commit 702dfe1

Browse files
simiRubySec CI
authored andcommitted
Updated advisory posts against rubysec/ruby-advisory-db@bc1874e
1 parent c9205c0 commit 702dfe1

3 files changed

Lines changed: 148 additions & 0 deletions

File tree

Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-54500 (oj): Oj - intern.c form_attr (uninitialized stack read)'
4+
comments: false
5+
categories:
6+
- oj
7+
advisory:
8+
gem: oj
9+
cve: 2026-54500
10+
ghsa: fm7p-mprw-wjm9
11+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54500
12+
title: Oj - intern.c form_attr (uninitialized stack read)
13+
date: 2026-06-19
14+
description: |-
15+
### Summary
16+
17+
`Oj.load` in `:object` mode reads uninitialized stack memory (and,
18+
for long keys, reads out of bounds) when parsing a JSON object whose
19+
key is 254 bytes or longer. The interned bytes can surface to the
20+
caller, disclosing process stack memory.
21+
22+
### Impact
23+
24+
Information disclosure of process stack memory to a caller that parses
25+
untrusted JSON with `Oj.load(..., mode: :object)`. For keys >= 256
26+
bytes it is also an out-of-bounds read (CWE-125).
27+
28+
Severity is bounded by several preconditions: it requires `:object`
29+
mode (which is already discouraged for untrusted input), the leaked
30+
bytes are uncontrolled (the attacker cannot choose what is disclosed),
31+
and the data only reaches an attacker if the application surfaces the
32+
resulting Symbol or `EncodingError` back to them. Scored CVSS 5.3
33+
(Medium) on that basis.
34+
35+
### Patches
36+
37+
Fixed in **3.17.3**: `form_attr()` now passes `b` to `rb_intern3` (a
38+
one-character change mirroring the earlier `usual.c` fix). Verified on
39+
the fixed build: the same payload returns cleanly with no leak across
40+
repeated runs.
41+
42+
### Credit
43+
44+
Reported by Zac Wang (@7a6163).
45+
cvss_v3: 5.3
46+
patched_versions:
47+
- ">= 3.17.3"
48+
related:
49+
url:
50+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54500
51+
- https://rubygems.org/gems/oj/versions/3.17.3
52+
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
53+
- https://github.com/ohler55/oj/pull/1015
54+
- https://github.com/ohler55/oj/security/advisories/GHSA-fm7p-mprw-wjm9
55+
- https://github.com/advisories/GHSA-fm7p-mprw-wjm9
56+
notes: "- CVE is reserved, but published so no cvss_v2 or cvss_v4 values.\n"
57+
---
Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-54502 (oj): Oj - Stack Buffer Overflow in Oj.dump via Large Indent'
4+
comments: false
5+
categories:
6+
- oj
7+
advisory:
8+
gem: oj
9+
cve: 2026-54502
10+
ghsa: 3v45-f3vh-wg7m
11+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54502
12+
title: Oj - Stack Buffer Overflow in Oj.dump via Large Indent
13+
date: 2026-06-19
14+
description: |-
15+
### Summary
16+
17+
`Oj.dump` is vulnerable to a stack-based buffer overflow when a large
18+
`:indent` value is provided by the developer. `fill_indent` in `dump.h`
19+
calls `memset(indent_str, ' ', (size_t)opts->indent)` without validating
20+
the size. When `opts->indent` is set to `INT_MAX` (2,147,483,647), the
21+
`(size_t)` cast preserves the large value and `memset` writes 2 GB into
22+
the stack-allocated `out` buffer (4,184 bytes), corrupting the stack
23+
and crashing the process.
24+
cvss_v4: 8.7
25+
patched_versions:
26+
- ">= 3.17.3"
27+
related:
28+
url:
29+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54502
30+
- https://rubygems.org/gems/oj/versions/3.17.3
31+
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
32+
- https://github.com/ohler55/oj/pull/1015
33+
- https://github.com/ohler55/oj/security/advisories/GHSA-3v45-f3vh-wg7m
34+
- https://github.com/advisories/GHSA-3v45-f3vh-wg7m
35+
notes: "- CVE is reserved, but published so no cvss_v2 or cvss_v3 values.\n"
36+
---
Lines changed: 55 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,55 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-54592 (oj): Oj - Stack Buffer Overflow in Oj::Doc#each_child via
4+
Deeply Nested Input'
5+
comments: false
6+
categories:
7+
- oj
8+
advisory:
9+
gem: oj
10+
cve: 2026-54592
11+
ghsa: 3m6q-jj5j-38c9
12+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54592
13+
title: Oj - Stack Buffer Overflow in Oj::Doc#each_child via Deeply Nested Input
14+
date: 2026-06-19
15+
description: |-
16+
### Summary
17+
18+
`Oj::Doc#each_child`, when invoked recursively over a deeply nested JSON
19+
document, overflows a fixed-size stack buffer and aborts the process. This is a
20+
denial of service reachable from untrusted JSON.
21+
22+
### Impact
23+
24+
Reliable denial of service: any endpoint that calls
25+
`Oj::Doc.open(untrusted) { |d| d.each_child ... }` recursively can be
26+
crashed with a small deeply-nested payload. On builds with a stack
27+
protector (the default, `-fstack-protector-strong`) the canary aborts
28+
the process before the saved return address is used. The Step-1 heap
29+
OOB writes into `struct _doc` fields do occur, but are masked in
30+
practice because the Step-2 stack overflow crashes first; turning them
31+
into anything beyond a crash has not been demonstrated.
32+
33+
### Patches
34+
35+
Fixed in **3.17.3**: `doc_each_child` now bounds-checks before incrementing
36+
`doc->where` (raising `Oj::DepthError`) and restores `doc->where` after the
37+
loop, matching the existing `each_leaf` pattern. Verified on the fixed build:
38+
depth >= 101 raises a clean `Oj::DepthError` instead of aborting.
39+
40+
### Credit
41+
42+
Reported by Zac Wang (@7a6163).
43+
cvss_v3: 7.5
44+
patched_versions:
45+
- ">= 3.17.3"
46+
related:
47+
url:
48+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54592
49+
- https://rubygems.org/gems/oj/versions/3.17.3
50+
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
51+
- https://github.com/ohler55/oj/pull/1015
52+
- https://github.com/ohler55/oj/security/advisories/GHSA-3m6q-jj5j-38c9
53+
- https://github.com/advisories/GHSA-3m6q-jj5j-38c9
54+
notes: "- CVE is reserved, but published so no cvss_v2 or cvss_v4 values.\n"
55+
---

0 commit comments

Comments
 (0)