mruby: CVE-2017-9527: heap-based use-after-free

Related Vulnerabilities: CVE-2017-9527  

Debian Bug report logs - #865778
mruby: CVE-2017-9527: heap-based use-after-free

version graph

Reported by: Salvatore Bonaccorso <>

Date: Sat, 24 Jun 2017 18:42:07 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version mruby/1.2.0+20161228+git30d5424a-1

Fixed in version mruby/1.2.0+20170601+git51e0e690-1

Forwarded to

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to,,,,,, Nobuhiro Iwamatsu <>:
Bug#865778; Package src:mruby. (Sat, 24 Jun 2017 18:42:10 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <>:
New Bug report received and forwarded. Copy sent to,,,,, Nobuhiro Iwamatsu <>. (Sat, 24 Jun 2017 18:42:10 GMT) (full text, mbox, link).

Message #5 received at (full text, mbox, reply):

From: Salvatore Bonaccorso <>
To: Debian Bug Tracking System <>
Subject: mruby: CVE-2017-9527: heap-based use-after-free
Date: Sat, 24 Jun 2017 20:41:19 +0200
Source: mruby
Version: 1.2.0+20161228+git30d5424a-1
Severity: important
Tags: upstream patch security
Control: fixed -1 1.2.0+20170601+git51e0e690-1


the following vulnerability was published for mruby.

| The mark_context_stack function in gc.c in mruby through 1.2.0 allows
| attackers to cause a denial of service (heap-based use-after-free and
| application crash) or possibly have unspecified other impact via a
| crafted .rb file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:


Please adjust the affected versions in the BTS as needed.


Marked as fixed in versions mruby/1.2.0+20170601+git51e0e690-1. Request was from Salvatore Bonaccorso <> to (Sat, 24 Jun 2017 18:42:10 GMT) (full text, mbox, link).

Added tag(s) fixed-upstream. Request was from to (Thu, 29 Jun 2017 17:33:21 GMT) (full text, mbox, link).

Severity set to 'grave' from 'important' Request was from Moritz Muehlenhoff <> to (Sun, 05 Nov 2017 11:18:06 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <>. Last modified: Wed Jun 19 16:30:29 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.