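Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issue lies in the use of strdup in ext/json/ext/generator/generator.c: strdup stops copying at the first '\0' byte, so it can return a pointer to a string of length zero, which does not match the length stored in space_len. The generator then trusts the stored length rather than the length of the copy, which is how memory beyond the copied string can end up in the generated output.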
{ "vanir_signatures": [ { "id": "CVE-2017-14064-081830d4", "source": "https://github.com/ruby/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "digest": { "length": 412.0, "function_hash": "333850170000569990630816245825851334286" }, "target": { "file": "ext/json/ext/generator/generator.c", "function": "cState_array_nl_set" } }, { "id": "CVE-2017-14064-3bbe9110", "source": "https://github.com/ruby/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "digest": { "length": 436.0, "function_hash": "148811423845304250804089795861570238355" }, "target": { "file": "ext/json/ext/generator/generator.c", "function": "cState_indent_set" } }, { "id": "CVE-2017-14064-44119ad3", "source": "https://github.com/ruby/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "digest": { "length": 413.0, "function_hash": "235138498165329040769513923872404799455" }, "target": { "file": "ext/json/ext/generator/generator.c", "function": "cState_object_nl_set" } }, { "id": "CVE-2017-14064-49101875", "source": "https://github.com/ruby/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "digest": { "length": 434.0, "function_hash": "231212006610800307331410088410461672189" }, "target": { "file": "ext/json/ext/generator/generator.c", "function": "cState_space_set" } }, { "id": "CVE-2017-14064-6910d9a7", "source": "https://github.com/ruby/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "120904374308355083734111949005929042523", "26452857847874449151212129149641036903" ] }, "target": { "file": "ext/json/ext/generator/generator.h" } }, { "id": 
"CVE-2017-14064-709f6fe5", "source": "https://github.com/ruby/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "digest": { "length": 207.0, "function_hash": "178352657454531393926190957860867963360" }, "target": { "file": "ext/json/ext/generator/generator.c", "function": "fstrndup" } }, { "id": "CVE-2017-14064-bb2df37f", "source": "https://github.com/ruby/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "203126428726097578240407651447407768962", "193928348062049476056199914767292540998", "18992539843680518976943110175587805218", "318507856882490173243287007951430614995", "331377055305598866239756616680018855666", "178811035994741578769452089321787285767", "203432646838676032209194061565332159502", "79145566861867884141474191602216982759", "14118550392830535240411748288371500960", "141107907040637505627201232328272113840", "4488029395062862805420548455971309090", "216554920298105624124125028082587199942", "58217186119402190294095398429532077133", "154268555576477752669255655074285455849", "116938978129615895259416110858600871365", "26272765290950953135327040711027961691", "42657249236710796016958936661343165221", "187518194052195544513889556210237749823", "335178387273758271688706615039113585731", "59048560601979423467278544029286927301", "12602922004186724451618902428544806050", "211868815879659581706041366009915183192", "173310494673434350338619270441623270086", "275663103391244767528307132844466520875" ] }, "target": { "file": "ext/json/ext/generator/generator.c" } }, { "id": "CVE-2017-14064-ffa02b53", "source": "https://github.com/ruby/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "digest": { "length": 448.0, "function_hash": "221211380026251280885482296555216767330" }, 
"target": { "file": "ext/json/ext/generator/generator.c", "function": "cState_space_before_set" } } ] }