Advisories for Gem/Lz4-Ruby package

2014

Remote code execution

The package lz4-ruby is vulnerable to an integer overflow attack. When certain payloads are processed, a pointer to an output buffer can be set to an address outside the output buffer. Since the attacker can specify exact offsets in memory, it is very easy to create a reliable Remote Code Execution exploit. 32bit variants of the package are critically affected. 64bit variants are deemed infeasible to exploit.