==== reproduction_steps.sh start 2026-07-02T17:21:03Z ====
[*] Installing Ruby + build tools + rake-compiler
Successfully installed rake-compiler-1.3.1
1 gem installed
[*] ruby=ruby 3.3.8 (2025-04-09 revision b200bad6cd) [x86_64-linux-gnu] rake=rake, version 13.3.1
[*] Reusing existing repo at /data/pruva/project-cache/dc167dac-a6d2-43f6-837d-84c9d571596f/repo
[*] Checking out VULNERABLE commit 495cc38fc5a02681da2175960d4a667fae48f3c9
[*] VULNERABLE resolved HEAD=495cc38fc5a02681da2175960d4a667fae48f3c9
[*] Building VULNERABLE C extension
compiling ../../../../ext/oj/odd.c
linking shared-object oj/oj.so
/usr/bin/install -c -m 0755 oj.so ../../../../lib/oj
cp tmp/x86_64-linux-gnu/oj/3.3.8/oj.so tmp/x86_64-linux-gnu/stage/lib/oj/oj.so
[*] VULNERABLE build OK
[*] Verifying vulnerable form_attr uses buf (not b):
72: id = rb_intern3(buf, len + 1, oj_utf8_encoding);
85: return (VALUE)rb_intern3(buf, len + 1, oj_utf8_encoding);
[vuln run 1] encoding_error
[vuln run 2] encoding_error
[vuln run 3] encoding_error
[vuln run 4] encoding_error
[vuln run 5] encoding_error
[vuln run 6] encoding_error
SUMMARY_vuln_leak_count=6
SUMMARY_vuln_encoding_error_count=6
SUMMARY_vuln_correct_count=0
[*] VULNERABLE: leak_runs=6 encoding_errors=6 correct_runs=0
[*] Vulnerable EncodingError message lengths (per-run variation => uninitialized memory):
1414 1406 1371 1388 1294 1318
[*] Checking out FIXED commit bbde91a679728f94c4492ebc3683f4fa3309049f
[*] FIXED resolved HEAD=bbde91a679728f94c4492ebc3683f4fa3309049f
[*] Building FIXED C extension
/home/vscode/.local/share/gem/ruby/3.3.0/gems/rake-compiler-1.3.1/lib/rake/extensiontask.rb:194:in `block in define_compile_tasks'
/usr/share/rubygems-integration/all/gems/rake-13.3.1/exe/rake:27:in `'
Tasks: TOP => compile => compile:x86_64-linux-gnu => compile:oj:x86_64-linux-gnu => copy:oj:x86_64-linux-gnu:3.3.8 => tmp/x86_64-linux-gnu/oj/3.3.8/oj.so
(See full trace by running task with --trace)

==== reproduction_steps.sh start 2026-07-02T17:23:38Z ====
[*] Installing Ruby + build tools
[*] ruby=ruby 3.3.8 (2025-04-09 revision b200bad6cd) [x86_64-linux-gnu]
[*] Reusing existing repo at /data/pruva/project-cache/dc167dac-a6d2-43f6-837d-84c9d571596f/repo
[*] Checking out VULNERABLE commit 495cc38fc5a02681da2175960d4a667fae48f3c9
[*] VULNERABLE resolved HEAD=495cc38fc5a02681da2175960d4a667fae48f3c9
Removing ext/oj/Makefile
Removing ext/oj/cache.o
Removing ext/oj/cache8.o
Removing ext/oj/circarray.o
Removing ext/oj/code.o
Removing ext/oj/compat.o
Removing ext/oj/custom.o
Removing ext/oj/debug.o
Removing ext/oj/dump.o
Removing ext/oj/dump_compat.o
Removing ext/oj/dump_leaf.o
Removing ext/oj/dump_object.o
Removing ext/oj/dump_strict.o
Removing ext/oj/err.o
Removing ext/oj/fast.o
Removing ext/oj/intern.o
Removing ext/oj/mem.o
Removing ext/oj/mimic_json.o
Removing ext/oj/object.o
Removing ext/oj/odd.o
Removing ext/oj/oj.o
Removing ext/oj/oj.so
Removing ext/oj/parse.o
Removing ext/oj/parser.o
Removing ext/oj/rails.o
Removing ext/oj/reader.o
Removing ext/oj/resolve.o
Removing ext/oj/rxclass.o
Removing ext/oj/safe.o
Removing ext/oj/saj.o
Removing ext/oj/saj2.o
Removing ext/oj/scp.o
Removing ext/oj/sparse.o
Removing ext/oj/stream_writer.o
Removing ext/oj/strict.o
Removing ext/oj/string_writer.o
Removing ext/oj/trace.o
Removing ext/oj/usual.o
Removing ext/oj/util.o
Removing ext/oj/val_stack.o
Removing ext/oj/validate.o
Removing ext/oj/wab.o
Removing lib/oj/oj.so
[*] Building VULNERABLE C extension (manual extconf + make)
compiling val_stack.c
compiling validate.c
compiling wab.c
linking shared-object oj/oj.so
[*] VULNERABLE build OK (HEAD=495cc38)
[*] Verifying vulnerable form_attr uses buf (not b):
72: id = rb_intern3(buf, len + 1, oj_utf8_encoding);
85: return (VALUE)rb_intern3(buf, len + 1, oj_utf8_encoding);
[vuln run 1] encoding_error
[vuln run 2] encoding_error
[vuln run 3] encoding_error
[vuln run 4] encoding_error
[vuln run 5] encoding_error
[vuln run 6] encoding_error
SUMMARY_vuln_leak_count=6
SUMMARY_vuln_encoding_error_count=6
SUMMARY_vuln_correct_count=0
[*] VULNERABLE: leak_runs=6 encoding_errors=6 correct_runs=0
[*] Vulnerable EncodingError message lengths (per-run variation => uninitialized memory):
1382 1356 1467 1246 1421 1287
[*] Sample leaked bytes from vulnerable run 1 (hexdump of EncodingError message):
(no file)
[*] Checking out FIXED commit bbde91a679728f94c4492ebc3683f4fa3309049f
[*] FIXED resolved HEAD=bbde91a679728f94c4492ebc3683f4fa3309049f
Removing ext/oj/Makefile
Removing ext/oj/cache.o
Removing ext/oj/cache8.o
Removing ext/oj/circarray.o
Removing ext/oj/code.o
Removing ext/oj/compat.o
Removing ext/oj/custom.o
Removing ext/oj/debug.o
Removing ext/oj/dump.o
Removing ext/oj/dump_compat.o
Removing ext/oj/dump_leaf.o
Removing ext/oj/dump_object.o
Removing ext/oj/dump_strict.o
Removing ext/oj/err.o
Removing ext/oj/fast.o
Removing ext/oj/intern.o
Removing ext/oj/mem.o
Removing ext/oj/mimic_json.o
Removing ext/oj/object.o
Removing ext/oj/odd.o
Removing ext/oj/oj.o
Removing ext/oj/oj.so
Removing ext/oj/parse.o
Removing ext/oj/parser.o
Removing ext/oj/rails.o
Removing ext/oj/reader.o
Removing ext/oj/resolve.o
Removing ext/oj/rxclass.o
Removing ext/oj/safe.o
Removing ext/oj/saj.o
Removing ext/oj/saj2.o
Removing ext/oj/scp.o
Removing ext/oj/sparse.o
Removing ext/oj/stream_writer.o
Removing ext/oj/strict.o
Removing ext/oj/string_writer.o
Removing ext/oj/trace.o
Removing ext/oj/usual.o
Removing ext/oj/util.o
Removing ext/oj/val_stack.o
Removing ext/oj/validate.o
Removing ext/oj/wab.o
Removing lib/oj/oj.so
[*] Building FIXED C extension (manual extconf + make)
compiling val_stack.c
compiling validate.c
compiling wab.c
linking shared-object oj/oj.so
[*] FIXED build OK (HEAD=bbde91a)
[*] Verifying fixed form_attr uses b (not buf):
72: id = rb_intern3(b, len + 1, oj_utf8_encoding);
[!] WARNING: fixed version still has rb_intern3(buf,...)!
[fixed run 1] parsed
[fixed run 2] parsed
[fixed run 3] parsed
[fixed run 4] parsed
[fixed run 5] parsed
[fixed run 6] parsed
SUMMARY_fixed_leak_count=0
SUMMARY_fixed_encoding_error_count=0
SUMMARY_fixed_correct_count=6
[*] FIXED: leak_runs=0 encoding_errors=0 correct_runs=6
==============================================
VERDICT
vulnerable_leak_detected = true
per_run_variation = true
fixed_clean = true
CONFIRMED = true
==============================================
[*] runtime_manifest.json written
{
  "entrypoint_kind": "library_api",
  "entrypoint_detail": "Oj.load(json, mode: :object) with ^o:Oj::Bag and 300-byte key => form_attr() in ext/oj/intern.c",
  "service_started": false,
  "healthcheck_passed": false,
  "target_path_reached": true,
  "runtime_stack": [
    "ruby",
    "oj-c-extension"
  ],
  "proof_artifacts": [
    "logs/reproduction_steps.log",
    "logs/vuln_outcomes.txt",
    "logs/fixed_outcomes.txt",
    "logs/vuln_msg_lengths.txt",
    "repro/probe.rb"
  ],
  "confirmed": true,
  "notes": "Vulnerable Oj.load leaks uninitialized stack memory via EncodingError message (per-run length variation proves uninitialized source); fixed version produces correct deterministic @AAA... attribute."
}
[*] Proof-carry artifacts copied to project cache
==== reproduction_steps.sh end 2026-07-02T17:24:03Z ====
[+] CVE-2026-54500 CONFIRMED

==== reproduction_steps.sh start 2026-07-02T17:25:52Z ====
[*] Installing Ruby + build tools
[*] ruby=ruby 3.3.8 (2025-04-09 revision b200bad6cd) [x86_64-linux-gnu]
[*] Reusing existing repo at /data/pruva/project-cache/dc167dac-a6d2-43f6-837d-84c9d571596f/repo
[*] Checking out VULNERABLE commit 495cc38fc5a02681da2175960d4a667fae48f3c9
[*] VULNERABLE resolved HEAD=495cc38fc5a02681da2175960d4a667fae48f3c9
Removing ext/oj/Makefile
Removing ext/oj/cache.o
Removing ext/oj/cache8.o
Removing ext/oj/circarray.o
Removing ext/oj/code.o
Removing ext/oj/compat.o
Removing ext/oj/custom.o
Removing ext/oj/debug.o
Removing ext/oj/dump.o
Removing ext/oj/dump_compat.o
Removing ext/oj/dump_leaf.o
Removing ext/oj/dump_object.o
Removing ext/oj/dump_strict.o
Removing ext/oj/err.o
Removing ext/oj/fast.o
Removing ext/oj/intern.o
Removing ext/oj/mem.o
Removing ext/oj/mimic_json.o
Removing ext/oj/object.o
Removing ext/oj/odd.o
Removing ext/oj/oj.o
Removing ext/oj/oj.so
Removing ext/oj/parse.o
Removing ext/oj/parser.o
Removing ext/oj/rails.o
Removing ext/oj/reader.o
Removing ext/oj/resolve.o
Removing ext/oj/rxclass.o
Removing ext/oj/safe.o
Removing ext/oj/saj.o
Removing ext/oj/saj2.o
Removing ext/oj/scp.o
Removing ext/oj/sparse.o
Removing ext/oj/stream_writer.o
Removing ext/oj/strict.o
Removing ext/oj/string_writer.o
Removing ext/oj/trace.o
Removing ext/oj/usual.o
Removing ext/oj/util.o
Removing ext/oj/val_stack.o
Removing ext/oj/validate.o
Removing ext/oj/wab.o
Removing lib/oj/oj.so
[*] Building VULNERABLE C extension (manual extconf + make)
compiling val_stack.c
compiling validate.c
compiling wab.c
linking shared-object oj/oj.so
[*] VULNERABLE build OK (HEAD=495cc38)
[*] Verifying vulnerable form_attr uses buf (not b):
72: id = rb_intern3(buf, len + 1, oj_utf8_encoding);
85: return (VALUE)rb_intern3(buf, len + 1, oj_utf8_encoding);
[vuln run 1] encoding_error
[vuln run 2] encoding_error
[vuln run 3] encoding_error
[vuln run 4] encoding_error
[vuln run 5] encoding_error
[vuln run 6] encoding_error
SUMMARY_vuln_leak_count=6
SUMMARY_vuln_encoding_error_count=6
SUMMARY_vuln_correct_count=0
[*] VULNERABLE: leak_runs=6 encoding_errors=6 correct_runs=0
[*] Vulnerable EncodingError message lengths (per-run variation => uninitialized memory):
1364 1282 1488 1388 1446 1427
[*] Sample leaked bytes from vulnerable run 1 (hexdump of EncodingError message):
(no file)
[*] Checking out FIXED commit bbde91a679728f94c4492ebc3683f4fa3309049f
[*] FIXED resolved HEAD=bbde91a679728f94c4492ebc3683f4fa3309049f
Removing ext/oj/Makefile
Removing ext/oj/cache.o
Removing ext/oj/cache8.o
Removing ext/oj/circarray.o
Removing ext/oj/code.o
Removing ext/oj/compat.o
Removing ext/oj/custom.o
Removing ext/oj/debug.o
Removing ext/oj/dump.o
Removing ext/oj/dump_compat.o
Removing ext/oj/dump_leaf.o
Removing ext/oj/dump_object.o
Removing ext/oj/dump_strict.o
Removing ext/oj/err.o
Removing ext/oj/fast.o
Removing ext/oj/intern.o
Removing ext/oj/mem.o
Removing ext/oj/mimic_json.o
Removing ext/oj/object.o
Removing ext/oj/odd.o
Removing ext/oj/oj.o
Removing ext/oj/oj.so
Removing ext/oj/parse.o
Removing ext/oj/parser.o
Removing ext/oj/rails.o
Removing ext/oj/reader.o
Removing ext/oj/resolve.o
Removing ext/oj/rxclass.o
Removing ext/oj/safe.o
Removing ext/oj/saj.o
Removing ext/oj/saj2.o
Removing ext/oj/scp.o
Removing ext/oj/sparse.o
Removing ext/oj/stream_writer.o
Removing ext/oj/strict.o
Removing ext/oj/string_writer.o
Removing ext/oj/trace.o
Removing ext/oj/usual.o
Removing ext/oj/util.o
Removing ext/oj/val_stack.o
Removing ext/oj/validate.o
Removing ext/oj/wab.o
Removing lib/oj/oj.so
[*] Building FIXED C extension (manual extconf + make)
compiling val_stack.c
compiling validate.c
compiling wab.c
linking shared-object oj/oj.so
[*] FIXED build OK (HEAD=bbde91a)
[*] Verifying fixed form_attr uses b (not buf):
72: id = rb_intern3(b, len + 1, oj_utf8_encoding);
[fixed run 1] parsed
[fixed run 2] parsed
[fixed run 3] parsed
[fixed run 4] parsed
[fixed run 5] parsed
[fixed run 6] parsed
SUMMARY_fixed_leak_count=0
SUMMARY_fixed_encoding_error_count=0
SUMMARY_fixed_correct_count=6
[*] FIXED: leak_runs=0 encoding_errors=0 correct_runs=6
==============================================
VERDICT
vulnerable_leak_detected = true
per_run_variation = true
fixed_clean = true
CONFIRMED = true
==============================================
[*] runtime_manifest.json written
{
  "entrypoint_kind": "library_api",
  "entrypoint_detail": "Oj.load(json, mode: :object) with ^o:Oj::Bag and 300-byte key => form_attr() in ext/oj/intern.c",
  "service_started": false,
  "healthcheck_passed": false,
  "target_path_reached": true,
  "runtime_stack": [
    "ruby",
    "oj-c-extension"
  ],
  "proof_artifacts": [
    "logs/reproduction_steps.log",
    "logs/vuln_outcomes.txt",
    "logs/fixed_outcomes.txt",
    "logs/vuln_msg_lengths.txt",
    "repro/probe.rb"
  ],
  "confirmed": true,
  "notes": "Vulnerable Oj.load leaks uninitialized stack memory via EncodingError message (per-run length variation proves uninitialized source); fixed version produces correct deterministic @AAA... attribute."
}
[*] Proof-carry artifacts copied to project cache
==== reproduction_steps.sh end 2026-07-02T17:26:19Z ====
[+] CVE-2026-54500 CONFIRMED

==== reproduction_steps.sh start 2026-07-02T17:26:51Z ====
[*] Installing Ruby + build tools
[*] ruby=ruby 3.3.8 (2025-04-09 revision b200bad6cd) [x86_64-linux-gnu]
[*] Reusing existing repo at /data/pruva/project-cache/dc167dac-a6d2-43f6-837d-84c9d571596f/repo
[*] Checking out VULNERABLE commit 495cc38fc5a02681da2175960d4a667fae48f3c9
[*] VULNERABLE resolved HEAD=495cc38fc5a02681da2175960d4a667fae48f3c9
Removing ext/oj/Makefile
Removing ext/oj/cache.o
Removing ext/oj/cache8.o
Removing ext/oj/circarray.o
Removing ext/oj/code.o
Removing ext/oj/compat.o
Removing ext/oj/custom.o
Removing ext/oj/debug.o
Removing ext/oj/dump.o
Removing ext/oj/dump_compat.o
Removing ext/oj/dump_leaf.o
Removing ext/oj/dump_object.o
Removing ext/oj/dump_strict.o
Removing ext/oj/err.o
Removing ext/oj/fast.o
Removing ext/oj/intern.o
Removing ext/oj/mem.o
Removing ext/oj/mimic_json.o
Removing ext/oj/object.o
Removing ext/oj/odd.o
Removing ext/oj/oj.o
Removing ext/oj/oj.so
Removing ext/oj/parse.o
Removing ext/oj/parser.o
Removing ext/oj/rails.o
Removing ext/oj/reader.o
Removing ext/oj/resolve.o
Removing ext/oj/rxclass.o
Removing ext/oj/safe.o
Removing ext/oj/saj.o
Removing ext/oj/saj2.o
Removing ext/oj/scp.o
Removing ext/oj/sparse.o
Removing ext/oj/stream_writer.o
Removing ext/oj/strict.o
Removing ext/oj/string_writer.o
Removing ext/oj/trace.o
Removing ext/oj/usual.o
Removing ext/oj/util.o
Removing ext/oj/val_stack.o
Removing ext/oj/validate.o
Removing ext/oj/wab.o
Removing lib/oj/oj.so
[*] Building VULNERABLE C extension (manual extconf + make)
compiling val_stack.c
compiling validate.c
compiling wab.c
linking shared-object oj/oj.so
[*] VULNERABLE build OK (HEAD=495cc38)
[*] Verifying vulnerable form_attr uses buf (not b):
72: id = rb_intern3(buf, len + 1, oj_utf8_encoding);
85: return (VALUE)rb_intern3(buf, len + 1, oj_utf8_encoding);
[vuln run 1] encoding_error
[vuln run 2] encoding_error
[vuln run 3] encoding_error
[vuln run 4] encoding_error
[vuln run 5] encoding_error
[vuln run 6] encoding_error
SUMMARY_vuln_leak_count=6
SUMMARY_vuln_encoding_error_count=6
SUMMARY_vuln_correct_count=0
[*] VULNERABLE: leak_runs=6 encoding_errors=6 correct_runs=0
[*] Vulnerable EncodingError message lengths (per-run variation => uninitialized memory):
1348 1349 1350 1276 1432 1368
[*] Sample leaked bytes from vulnerable run 1 (hexdump of EncodingError message):
(no file)
[*] Checking out FIXED commit bbde91a679728f94c4492ebc3683f4fa3309049f
[*] FIXED resolved HEAD=bbde91a679728f94c4492ebc3683f4fa3309049f
Removing ext/oj/Makefile
Removing ext/oj/cache.o
Removing ext/oj/cache8.o
Removing ext/oj/circarray.o
Removing ext/oj/code.o
Removing ext/oj/compat.o
Removing ext/oj/custom.o
Removing ext/oj/debug.o
Removing ext/oj/dump.o
Removing ext/oj/dump_compat.o
Removing ext/oj/dump_leaf.o
Removing ext/oj/dump_object.o
Removing ext/oj/dump_strict.o
Removing ext/oj/err.o
Removing ext/oj/fast.o
Removing ext/oj/intern.o
Removing ext/oj/mem.o
Removing ext/oj/mimic_json.o
Removing ext/oj/object.o
Removing ext/oj/odd.o
Removing ext/oj/oj.o
Removing ext/oj/oj.so
Removing ext/oj/parse.o
Removing ext/oj/parser.o
Removing ext/oj/rails.o
Removing ext/oj/reader.o
Removing ext/oj/resolve.o
Removing ext/oj/rxclass.o
Removing ext/oj/safe.o
Removing ext/oj/saj.o
Removing ext/oj/saj2.o
Removing ext/oj/scp.o
Removing ext/oj/sparse.o
Removing ext/oj/stream_writer.o
Removing ext/oj/strict.o
Removing ext/oj/string_writer.o
Removing ext/oj/trace.o
Removing ext/oj/usual.o
Removing ext/oj/util.o
Removing ext/oj/val_stack.o
Removing ext/oj/validate.o
Removing ext/oj/wab.o
Removing lib/oj/oj.so
[*] Building FIXED C extension (manual extconf + make)
compiling val_stack.c
compiling validate.c
compiling wab.c
linking shared-object oj/oj.so
[*] FIXED build OK (HEAD=bbde91a)
[*] Verifying fixed form_attr uses b (not buf):
72: id = rb_intern3(b, len + 1, oj_utf8_encoding);
[fixed run 1] parsed
[fixed run 2] parsed
[fixed run 3] parsed
[fixed run 4] parsed
[fixed run 5] parsed
[fixed run 6] parsed
SUMMARY_fixed_leak_count=0
SUMMARY_fixed_encoding_error_count=0
SUMMARY_fixed_correct_count=6
[*] FIXED: leak_runs=0 encoding_errors=0 correct_runs=6
==============================================
VERDICT
vulnerable_leak_detected = true
per_run_variation = true
fixed_clean = true
CONFIRMED = true
==============================================
[*] runtime_manifest.json written
{
  "entrypoint_kind": "library_api",
  "entrypoint_detail": "Oj.load(json, mode: :object) with ^o:Oj::Bag and 300-byte key => form_attr() in ext/oj/intern.c",
  "service_started": false,
  "healthcheck_passed": false,
  "target_path_reached": true,
  "runtime_stack": [
    "ruby",
    "oj-c-extension"
  ],
  "proof_artifacts": [
    "logs/reproduction_steps.log",
    "logs/vuln_outcomes.txt",
    "logs/fixed_outcomes.txt",
    "logs/vuln_msg_lengths.txt",
    "repro/probe.rb"
  ],
  "confirmed": true,
  "notes": "Vulnerable Oj.load leaks uninitialized stack memory via EncodingError message (per-run length variation proves uninitialized source); fixed version produces correct deterministic @AAA... attribute."
}
[*] Proof-carry artifacts copied to project cache
==== reproduction_steps.sh end 2026-07-02T17:27:15Z ====
[+] CVE-2026-54500 CONFIRMED