Bug 1013913 (CVE-2013-4389)

Summary: CVE-2013-4389 rubygem-actionmailer: email address processing DoS
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aortega, apevec, athomas, ayoung, bdunne, bkearney, bleanhar, ccoleman, chrisw, cpelland, dmcphers, drieden, gkotton, iheim, jdetiber, jfrey, jialiu, jrafanie, jrusnack, kseifried, lhh, lmeyer, markmc, mmaslano, mmccune, mmcgrath, nobody+bgollahe, obarenbo, rbryant, sclewis, security-response-team, tdawson, vondruch, xlecauch, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rubygem-actionmailer 3.2.15 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-07 21:58:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1035153, 1035154, 1159444, 1159445, 1165393    
Bug Blocks: 1013914    
Attachments:
Description Flags
3-0-log-subscriber-CVE-2013-4389.patch
none
3-1-log-subscriber-CVE-2013-4389.patch
none
3-2-log-subscriber-CVE-2013-4389.patch none

Description Kurt Seifried 2013-10-01 03:45:04 UTC 
Aaron Patterson reports:

Possible DoS Vulnerability in Action Mailer

There is a possible DoS vulnerability in the log subscriber component of
Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2013-4389.

Versions Affected:  3.x.x
Not affected:       4.0.x, 2.3.x
Fixed Versions:     3.2.15

Impact 
------ 
A carefully crafted email address in conjunction with the Action Mailer logger
format string could possibly lead to a denial of service attack.

All users running an affected release should either upgrade or use one of the
work arounds immediately. 

Releases 
-------- 
The FIXED releases are available at the normal locations. 

Workarounds 
----------- 
If you can't upgrade or apply patch to your system, you can work around the
issue by using the following monkey patch after requiring Action Mailer:

```ruby
module ActionMailer
  class LogSubscriber < ActiveSupport::LogSubscriber
    def deliver(event)
      recipients = Array.wrap(event.payload[:to]).join(', ')
      info("\nSent mail to #{recipients} (#{event.duration.round(1)}ms)")
      debug(event.payload[:mail])
    end
  end
end
```

Patches 
------- 
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset. 

* 3-2-log-subscriber.patch - Patch for 3.2 series 
* 3-1-log-subscriber.patch - Patch for 3.1 series 
* 3-0-log-subscriber.patch - Patch for 3.0 series 

Please note that only the 4.0.x, 3.2.x, and 2.3.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits 
------- 

Thanks to Aaron Neyer for reporting this vulnerability!
Comment 2 Kurt Seifried 2013-10-01 03:50:38 UTC 
Acknowledgements:

Red Hat would like to thank the Ruby on Rails project for reporting this issue. Upstream acknowledges Aaron Neyer as the original reporter.
Comment 4 Kurt Seifried 2013-10-15 18:24:03 UTC 
Created attachment 812644 [details]
3-0-log-subscriber-CVE-2013-4389.patch
Comment 5 Kurt Seifried 2013-10-15 18:24:39 UTC 
Created attachment 812645 [details]
3-1-log-subscriber-CVE-2013-4389.patch
Comment 6 Kurt Seifried 2013-10-15 18:25:13 UTC 
Created attachment 812646 [details]
3-2-log-subscriber-CVE-2013-4389.patch
Comment 13 Kurt Seifried 2013-11-27 07:41:59 UTC 
Created rubygem-actionmailer tracking bugs for this issue:

Affects: fedora-all [bug 1035153]
Comment 14 Fedora Update System 2014-01-24 07:50:14 UTC 
rubygem-actionmailer-3.2.13-2.fc19, rubygem-actionpack-3.2.13-4.fc19, rubygem-activesupport-3.2.13-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Vincent Danen 2015-01-07 21:57:43 UTC 
Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue did not affect the versions of rubygem-actionmailer as shipped with Red Hat Subscription Asset Manager 1 as they do not include support for sending email using user supplied addresses.