See on RubyGems

fugit 1.8.1

1 security vulnerability found in version 1.8.1

fugit parse and parse_nat stall on lengthy input

medium severity CVE-2024-43380
medium severity CVE-2024-43380
Patched versions: >= 1.11.1

Impact

The fugit "natural" parser, that turns "every wednesday at 5pm" into "0 17 * * 3", accepted any length of input and went on attempting to parse it, not returning promptly, as expected. The parse call could hold the thread with no end in sight.

Fugit dependents that do not check (user) input length for plausability are impacted.

Patches

Problem was reported in #104 and the fix was released in fugit 1.11.1

Workarounds

By making sure that Fugit.parse(s), Fugit.do_parse(s), Fugit.parse_nat(s), Fugit.do_parse_nat(s), Fugit::Nat.parse(s), and Fugit::Nat.do_parse(s) are not fed strings too long. 1000 chars feels ok, while 10_000 chars makes it stall.

In fewer words, making sure those fugit methods are not fed unvetted input strings.

No officially reported memory leakage issues detected.

This gem version does not have any officially reported memory leaked issues.

No license issues detected.

This gem version has a license in the gemspec.

This gem version is available.

This gem version has not been yanked and is still available for usage.