{"id":"UBUNTU-CVE-2013-4164","details":"Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a string that is converted to a floating point value, as demonstrated using (1) the to_f method or (2) JSON.parse.","modified":"2026-04-22T09:23:39.476884Z","published":"2013-11-22T00:00:00Z","related":["USN-2035-1"],"upstream":["CVE-2013-4164"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2013-4164"},{"type":"REPORT","url":"https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/"},{"type":"REPORT","url":"https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-2035-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2013-4164"}],"affected":[{"package":{"name":"ruby1.9.1","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/ruby1.9.1@1.9.3.448-1ubuntu2?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.9.3.448-1ubuntu2"}]}],"versions":["1.9.3.194-8.1ubuntu2","1.9.3.448-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.9.3.448-1ubuntu2","binary_name":"libruby1.9.1"},{"binary_version":"1.9.3.448-1ubuntu2","binary_name":"libtcltk-ruby1.9.1"},{"binary_version":"1.9.3.448-1ubuntu2","binary_name":"ri1.9.1"},{"binary_version":"1.9.3.448-1ubuntu2","binary_name":"ruby1.9.1"},{"binary_version":"1.9.3.448-1ubuntu2","binary_name":"ruby1.9.1-examples"},{"binary_version":"1.9.3.448-1ubuntu2","binary_name":"ruby1.9.1-full"},{"binary_version":"1.9.3.448-1ubuntu2","binary_name":"ruby1.9.3"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2013/UBUNTU-CVE-2013-4164.json"}},{"package":{"name":"ruby2.0","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/ruby2.0@2.0.0.343-1ubuntu1?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.0.0.343-1ubuntu1"}]}],"versions":["2.0.0.299-2","2.0.0.343-1"],"ecosystem_specific":{"binaries":[{"binary_version":"2.0.0.343-1ubuntu1","binary_name":"libruby2.0"},{"binary_version":"2.0.0.343-1ubuntu1","binary_name":"ruby2.0"},{"binary_version":"2.0.0.343-1ubuntu1","binary_name":"ruby2.0-tcltk"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2013/UBUNTU-CVE-2013-4164.json"}}],"schema_version":"1.7.5","severity":[{"type":"Ubuntu","score":"medium"}]}