On Wed, Jun 10, 2009 at 12:14 AM, Kirk Haines <wyhaines / gmail.com> wrote:
> We have released Ruby 1.8.6-pl369. This is primarily a security release.
>
> A flaw was found with BigDecimal that could be exploited to cause the
> interpreter to segfault because it mishandled certain large input
> values. As ActiveRecord uses BigDecimal, this issue could potentially
> affect many Rails installations, though this is not a Rails specific
> issue. The result is that an attacker could potentially deliver a
> denial of service attack to many applications. This vulnerability has
> been assigned the CVE name CVE-2009-1904.

Hmm...so here's my exploration in JRuby:

With a really large BigDecimal:

* to_f runs forever
* to_i runs forever

The latter appears to affect 1.9.1 as well...

 ruby19 -rbigdecimal -e "p BigDecimal.new('5E6999999').to_i"
<runs forever>

I have not tested the patched 1.8.6/1.8.7 versions to see if to_i has
this issue.

I'll have fixes for both JRuby issues on master and jruby-1_3 branches shortly.

- Charlie
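The practical defence against this class of input, whichever interpreter is in use, is to bound the magnitude of an untrusted decimal before it reaches to_i or to_f, since those conversions are what expand a tiny string like "5E6999999" into millions of digits. The following is an added example written for this page; it is not code from the thread, from JRuby, or from CRuby's bigdecimal extension. It assumes a modern Ruby where BigDecimal() is the constructor (BigDecimal.new has since been removed), and the limit of 1000 decimal places of magnitude and the module name SafeDecimal are arbitrary choices for illustration.

```ruby
require 'bigdecimal'

# Guarded handling of untrusted decimal strings (added example, not from
# the original thread).  The exponent is checked from the text alone, so a
# hostile literal is rejected before anything tries to materialise it.
module SafeDecimal
  # Shape of the literals BigDecimal() accepts: optional sign, digits with
  # optional fraction, optional exponent part ("1.5e3", ".5", "7E-2").
  DECIMAL_RE = /\A[+-]?(?<int>\d*)(?:\.(?<frac>\d*))?(?:[eEdD](?<exp>[+-]?\d+))?\z/

  class UnsafeMagnitude < ArgumentError; end

  # Power of ten of the most significant digit, computed from the string
  # only (no BigDecimal is built):  "5E6999999" -> 6999999, "123.45" -> 2,
  # "0.001" -> -3.  Returns nil for a malformed literal.
  def self.decimal_exponent(str)
    m = DECIMAL_RE.match(str)
    return nil if m.nil?
    int  = m[:int].to_s
    frac = m[:frac].to_s
    return nil if int.empty? && frac.empty?       # ".", "e5" and the like
    exp  = m[:exp].to_i
    sig  = int.sub(/\A0+/, '')                    # drop leading zeros
    if !sig.empty?
      sig.length - 1 + exp
    else
      lead = frac.index(/[1-9]/)                  # first non-zero after the point
      return 0 if lead.nil?                       # the value is zero
      -(lead + 1) + exp
    end
  end

  # Builds the BigDecimal only when 10**max_exponent bounds its magnitude,
  # i.e. bounds the largest Integer a later to_i would ever have to build.
  def self.parse(str, max_exponent: 1_000)
    e = decimal_exponent(str)
    raise ArgumentError, "not a decimal literal: #{str.inspect}" if e.nil?
    if e > max_exponent
      raise UnsafeMagnitude, "exponent #{e} exceeds limit #{max_exponent}"
    end
    BigDecimal(str)
  end

  # Same check for a value that already exists (for instance one read back
  # from a database column).  BigDecimal#exponent is stored alongside the
  # mantissa, so reading it is cheap even when to_i would not be.
  def self.convertible?(bd, max_exponent: 1_000)
    bd.finite? && bd.exponent <= max_exponent
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs, including the literal from the thread.
  ['123.45', '1e50', '0.001', '5E6999999', 'abc'].each do |s|
    begin
      v = SafeDecimal.parse(s)
      puts "#{s.inspect}: accepted, to_i = #{v.to_i.to_s[0, 20]}..."
    rescue SafeDecimal::UnsafeMagnitude, ArgumentError => e
      puts "#{s.inspect}: rejected (#{e.class}: #{e.message})"
    end
  end
end
```

The pre-check costs one regex match per input, and the post-check on an existing value reads a stored field, so neither depends on the magnitude of the number; that is the property that makes the guard usable on the request path, where the conversion it protects would not be. Inputs coming through ORM layers should be checked at the boundary where the string is first received, since the convenience of accepting scientific notation is exactly what turns a few bytes of input into an unbounded amount of work.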