Bug 1009720 (CVE-2013-4363)

Summary: CVE-2013-4363 rubygems: version regex algorithmic complexity vulnerability, incomplete CVE-2013-4287 fix
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, aortega, apevec, ayoung, bdunne, bhu, bkearney, bleanhar, ccoleman, chrisw, cpelland, dallan, dmcphers, drieden, esammons, gkotton, gmollett, hateya, iboverma, jdetiber, jfrey, jialiu, jkurik, jomara, jrafanie, jross, jrusnack, katello-bugs, kseifried, lhh, lmeyer, markmc, mastahnke, matt, mcressma, mmaslano, mmccune, mrg-program-list, mtasaka, nobody+bgollahe, obarenbo, pfrields, rbryant, rhos-maint, sclewis, tdawson, tkramer, vanmeeuwen+fedora, vondruch, williams, xlecauch, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rubygems 2.1.5, rubygems 2.0.10, rubygems 1.8.27, rubygems 1.8.23.2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-02 08:38:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1002838, 1002839, 1002841, 1002842, 1002843, 1002845, 1002847, 1002848, 1005269, 1006429, 1006440, 1012267, 1012780, 1012789    
Bug Blocks: 1002366    

Description Kurt Seifried 2013-09-19 01:48:48 UTC 
RubyGems validates versions with a regular expression that is vulnerable to
denial of service due to a backtracking regular expression.  For specially
crafted RubyGems versions attackers can cause denial of service through CPU
consumption.

An initial attempt to fix this (CVE-2013-4287) was made however the regex used 
was found to be insufficient and still allowed for a denial of service to occur. 

http://seclists.org/oss-sec/2013/q3/605
http://seclists.org/oss-sec/2013/q3/631
Comment 1 Tomas Hoger 2013-09-25 07:49:51 UTC 
CVE-2013-4287 is tracked via bug 1002364.

CVE-2013-4363 is now fixed upstream in versions: 2.1.5, 2.0.10, 1.8.27 and 1.8.23.2

External References:

http://blog.rubygems.org/2013/09/24/CVE-2013-4363.html
Comment 2 Tomas Hoger 2013-09-25 07:50:59 UTC 
Upstream commit links:

Patch for RubyGems 2.1.x
https://github.com/rubygems/rubygems/commit/dca0500bb24c7cba5551468a1ed28388876aded2

Patch for RubyGems 2.0.x
https://github.com/rubygems/rubygems/commit/20325c134b5ca1928a15338eeb7ead1239dbf2b9

Patch for RubyGems 1.8.x
https://github.com/rubygems/rubygems/commit/f63bfbc5c7b5725def5fecd6518ce2aa49e12ecd

Patch for RubyGems 1.8.23.1
https://github.com/rubygems/rubygems/commit/56d1f8c17bc81f0eb354d5099021c498a0be9b51
Comment 5 Tomas Hoger 2013-10-02 08:38:00 UTC 
This CVE was assigned for an incomplete fix for CVE-2013-4287.  Red Hat has not yet released rubygems packages updates fixing CVE-2013-4287 incompletely, therefore no Red Hat product is affected by this new CVE-2013-4363.  Future rubygems update addressing CVE-2013-4287 will contain complete fix.

Statement:

Not vulnerable. This issue did not affect the versions of rubygems as shipped with various Red Hat products.