GMS-2014-15: Remote code execution

July 10, 2014

The package lz4-ruby is vulnerable to an integer overflow attack. When certain payloads are processed, a pointer to an output buffer can be set to an address outside the output buffer. Since the attacker can specify exact offsets in memory, it is very easy to create a reliable Remote Code Execution exploit. 32bit variants of the package are critically affected. 64bit variants are deemed infeasible to exploit.

References

blog.securitymouse.com/2014/07/the-lz4-two-hour-challenge.html
github.com/komiya-atsushi/lz4-ruby/issues/9

Code Behaviors & Features

Detect and mitigate GMS-2014-15 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →