High severity (7.5, NVD) · Advisory · Published Sep 19, 2017 · Updated May 13, 2026
CVE-2017-14033
Description
The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openssl (RubyGems) | < 2.0.0 | 2.0.0 |
Patches
36bf7f403ebb: asn1: fix possible segfault in OpenSSL::ASN1::Constructive#each
1 file changed · +6 −2
ext/openssl/ossl_asn1.c+6 −2 modified@@ -182,6 +182,7 @@ VALUE cASN1Sequence, cASN1Set; /* CONSTRUCTIVE */ static VALUE sym_IMPLICIT, sym_EXPLICIT; static VALUE sym_UNIVERSAL, sym_APPLICATION, sym_CONTEXT_SPECIFIC, sym_PRIVATE; static ID sivVALUE, sivTAG, sivTAG_CLASS, sivTAGGING, sivINFINITE_LENGTH, sivUNUSED_BITS; +static ID id_each; /* * Ruby to ASN1 converters @@ -696,7 +697,7 @@ static VALUE join_der(VALUE enumerable) { VALUE str = rb_str_new(0, 0); - rb_block_call(enumerable, rb_intern("each"), 0, 0, join_der_i, str); + rb_block_call(enumerable, id_each, 0, 0, join_der_i, str); return str; } @@ -1284,7 +1285,8 @@ ossl_asn1cons_to_der(VALUE self) static VALUE ossl_asn1cons_each(VALUE self) { - rb_ary_each(ossl_asn1_get_value(self)); + rb_funcall(ossl_asn1_get_value(self), id_each, 0); + return self; } @@ -1925,4 +1927,6 @@ do{\ rb_hash_aset(class_tag_map, cASN1UniversalString, INT2NUM(V_ASN1_UNIVERSALSTRING)); rb_hash_aset(class_tag_map, cASN1BMPString, INT2NUM(V_ASN1_BMPSTRING)); rb_global_variable(&class_tag_map); + + id_each = rb_intern_const("each"); }
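Review bot: The join_der hunk is a pure refactor rather than part of the crash fix: rb_intern("each") is replaced by the cached id_each, which yields the same ID while avoiding a symbol-table lookup on every call, so behaviour is unchanged. Worth stating in the commit message that this hunk is cleanup, so readers do not look for a security fix in it.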
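Review bot: The actual fix is in the ossl_asn1cons_each hunk. rb_ary_each() is the C implementation of Array#each and does not check that its argument is a T_ARRAY, so when the object's value is not an Array it reads array internals out of an unrelated VALUE and the interpreter segfaults; rb_funcall(ossl_asn1_get_value(self), id_each, 0) dispatches through the method table instead, so a value without #each raises NoMethodError rather than crashing. The added `return self;` also makes #each return the receiver, as Ruby callers expect. Please add a regression test that calls each on a Constructive whose value is not an Array and asserts that an exception is raised, and expand the commit message to say how this path is reached from OpenSSL::ASN1.decode, since the advisory describes the crash there.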
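Review bot: In the Init hunk, id_each = rb_intern_const("each") is assigned at the very end of initialization, after rb_global_variable(&class_tag_map). That is correct only because nothing earlier in Init can call join_der() or ossl_asn1cons_each(); a static ID is zero until this assignment and rb_funcall with ID 0 would fail. Consider moving the assignment to the top of Init, before any class definitions, so the invariant is obvious rather than relying on ordering.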
References
- www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/ (NVD: Patch, Release Notes, Vendor Advisory)
- www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/ (NVD: Patch, Release Notes, Vendor Advisory)
- www.securityfocus.com/bid/100868 (NVD: Third Party Advisory, VDB Entry)
- www.securitytracker.com/id/1039363 (NVD: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-v6rp-3r3v-hf4p (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-14033 (GHSA: Advisory)
- www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/ (NVD: Mitigation, Vendor Advisory)
- access.redhat.com/errata/RHSA-2018:0378 (NVD: Web)
- access.redhat.com/errata/RHSA-2018:0583 (NVD: Web)
- access.redhat.com/errata/RHSA-2018:0585 (NVD: Web)
- github.com/ruby/openssl/commit/36bf7f403ebb6cefcaa1e7af9d8ec99e6b4bc1ed (GHSA: Web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/openssl/CVE-2017-14033.yml (GHSA: Web)
- lists.debian.org/debian-lts-announce/2018/07/msg00012.html (NVD: Web)
- security.gentoo.org/glsa/201710-18 (NVD: Web)
- web.archive.org/web/20210509153849/http://www.securityfocus.com/bid/100868 (GHSA: Web)
- web.archive.org/web/20210622181826/http://www.securitytracker.com/id/1042004 (GHSA: Web)
- web.archive.org/web/20210724095519/http://www.securitytracker.com/id/1039363 (GHSA: Web)
- www.debian.org/security/2017/dsa-4031 (NVD: Web)
- www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033 (GHSA: Web)
- www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released (GHSA: Web)
- www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released (GHSA: Web)
- www.securitytracker.com/id/1042004 (NVD)