Bug 1033460 (CVE-2013-4164)

Summary: CVE-2013-4164 ruby: heap overflow in floating point parsing
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
CC: aortega, apevec, athomas, ayoung, bdunne, bgollahe, bkabrda, bkearney, bleanhar, ccoleman, chrisw, cpelland, dmcphers, drieden, gkotton, jdetiber, jfrey, jialiu, jkurik, jrafanie, jrusnack, katello-bugs, kseifried, lhh, lmeyer, markmc, mmaslano, mmccune, mmcgrath, mmorsi, moshiro, mtasaka, nobody+bgollahe, obarenbo, ohadlevy, postmodern.mod3, rbryant, rhos-maint, sclewis, srevivo, tagoh, tdawson, vanmeeuwen+fedora, vondruch, xlecauch
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ruby 1.9.3-p484, ruby 2.0.0-p353
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-05-19 03:28:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1033488, 1033492, 1033500, 1033502, 1033503, 1033546, 1033621, 1033623, 1033624, 1033859, 1033860, 1033862, 1033863, 1033865, 1033866, 1033867, 1033906, 1159431, 1159432
Bug Blocks: 1033464, 1033487, 1239193

Description Murray McAllister 2013-11-22 07:09:32 UTC
Ruby Programming Language Project reports:

https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/

  Heap Overflow in Floating Point Parsing (CVE-2013-4164)

  There is an overflow in floating point number parsing in Ruby. This
  vulnerability has been assigned the CVE identifier CVE-2013-4164.

  Details
  Any time a string is converted to a floating point value, a specially
  crafted string can cause a heap overflow. This can lead to a denial of
  service attack via segmentation faults and possibly arbitrary code execution.
  Any program that converts input of unknown origin to floating point values
  (especially common when accepting JSON) is vulnerable.

  Vulnerable code looks something like this:

    untrusted_data.to_f

  But any code that produces floating point values from external data is
  vulnerable, such as this:

    JSON.parse untrusted_data

  Note that this bug is similar to CVE-2009-0689.

  All users running an affected release should upgrade to the fixed versions
  of ruby.

  Affected versions

  All ruby 1.8 versions
  All ruby 1.9 versions prior to ruby 1.9.3 patchlevel 484
  All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 353
  All ruby 2.1 versions prior to ruby 2.1.0 preview1 prior to trunk revision
  43780

  Solutions

  All users are recommended to upgrade to Ruby 1.9.3 patchlevel 484,
  ruby 2.0.0 patchlevel 353 or ruby 2.1.0 preview2.

  Please note that ruby 1.8 series or any earlier releases are already
  obsoleted. There is no plan to release new fixed versions for them. Users of
  such versions are advised to upgrade as soon as possible as we cannot
  guarantee the continued availability of security fixes for unsupported
  releases.

  Credits
  Thanks to Charlie Somerville for reporting this issue!

Upstream announcements of fixed versions 1.9.3p484 and 2.0.0p353:
https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/
https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released/

Upstream commits (trunk, 1.9.3 and 2.0.0):
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43775
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43776
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43778

GitHub repositories mirror commits:
https://github.com/ruby/ruby/commit/5cb83d9dab13e14e6146f455ffd9fed4254d238f
https://github.com/ruby/ruby/commit/60c29bbbf6574e0e947c56e71c3c3ca11620ee15
https://github.com/ruby/ruby/commit/46cd2f463c5668f53436076e67db59fdc33ff384

External references:
https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/
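Added example, not code from the Ruby project or from this bug report. The first part classifies a Ruby version against the affected and fixed versions named in the advisory above and in comment 22 (1.9.3-p484 and 2.0.0-p353 fixed; 2.1.0 preview1 affected, preview2 fixed; the vulnerable strtod entering the 1.8 line at 1.8.6-p230 with no fix planned for 1.8). The second part is a strict numeric gate for code that converts external strings with to_f and cannot upgrade immediately; the grammar, the 64-byte bound and the function names are assumptions of this example, and the gate only narrows what reaches the parser. It does not cover JSON.parse, which the advisory says reaches the same parser, so upgrading remains the fix.

```ruby
# Added example; not the Ruby project's code or the bug report's code.

# Fixed patchlevels named in the advisory.
FIXED_PATCHLEVEL = { '1.9.3' => 484, '2.0.0' => 353 }.freeze

# Per comment 22: the affected strtod entered the 1.8 line at 1.8.6-p230 and
# is in 1.8.7; 1.8.5 and earlier use the older implementation.
FIRST_AFFECTED_18 = { triple: [1, 8, 6], patchlevel: 230 }.freeze

# Returns :not_affected, :affected, :affected_no_fix_planned or :fixed.
# `preview` separates 2.1.0 preview1 (affected) from preview2 (fixed);
# RUBY_VERSION alone cannot tell them apart, so the caller supplies it.
def cve_2013_4164_status(version, patchlevel, preview: nil)
  parts = version.split('.').map(&:to_i)
  triple = [parts[0] || 0, parts[1] || 0, parts[2] || 0]
  major, minor = triple

  return :not_affected if (triple <=> [1, 8, 0]) < 0

  if major == 1 && minor == 8
    before_new_strtod =
      (triple <=> FIRST_AFFECTED_18[:triple]) < 0 ||
      (triple == FIRST_AFFECTED_18[:triple] && patchlevel < FIRST_AFFECTED_18[:patchlevel])
    return before_new_strtod ? :not_affected : :affected_no_fix_planned
  end

  key = triple.join('.')
  if FIXED_PATCHLEVEL.key?(key)
    return patchlevel >= FIXED_PATCHLEVEL[key] ? :fixed : :affected
  end

  # 1.9.0 through 1.9.2: affected, fix is only in the 1.9.3 line.
  return :affected if major == 1 && minor == 9
  # 2.1.0 preview1 shipped before the fix; preview2 and later carry it.
  return :affected if triple == [2, 1, 0] && preview == 1

  :fixed
end

# Status of the interpreter running this script (patchlevel is -1 on
# development builds, which the classifier treats as unfixed).
def running_ruby_status
  cve_2013_4164_status(RUBY_VERSION, RUBY_PATCHLEVEL)
end

# Strict decimal grammar: optional sign, digits, optional fraction, optional
# exponent. Hex, underscores, whitespace, "Infinity" and "NaN" are all rejected.
STRICT_FLOAT = /\A[+-]?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?\z/
MAX_FLOAT_TEXT = 64 # assumed bound on the text handed to the parser

# Returns a Float, or nil when the text is not a bounded, plain decimal.
# Defence in depth only: it shrinks the input space reaching the parser and
# is not a substitute for the fixed Ruby versions.
def strict_to_f(text, max_len: MAX_FLOAT_TEXT)
  return nil unless text.is_a?(String)
  return nil if text.bytesize > max_len
  return nil unless STRICT_FLOAT.match?(text)
  Float(text)
end

if __FILE__ == $PROGRAM_NAME
  puts "running #{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}: #{running_ruby_status}"
  ['3.14', '-2.5e3', '0x1A', '1_000', '9' * 65].each do |s|
    puts "#{s[0, 16].inspect} -> #{strict_to_f(s).inspect}"
  end
end
```

Run it under the interpreter you want to check; any non-fixed result means the package must be updated, and strict_to_f is only a stopgap for to_f call sites while that happens.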

Comment 6 Tomas Hoger 2013-11-22 10:55:50 UTC
Ruby versions in Red Hat Enterprise Linux 5 and earlier use a different strtod implementation.  The current implementation was introduced via the following commits (trunk, 1.8):
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=13131
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=16342

Comment 7 Tomas Hoger 2013-11-22 11:02:58 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1033546]

Comment 17 errata-xmlrpc 2013-11-25 19:02:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1764 https://rhn.redhat.com/errata/RHSA-2013-1764.html

Comment 18 errata-xmlrpc 2013-11-25 19:04:28 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2013:1763 https://rhn.redhat.com/errata/RHSA-2013-1763.html

Comment 19 errata-xmlrpc 2013-11-26 18:49:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 EUS - Server and Compute Node Only
  Red Hat Enterprise Linux 6.3 EUS - Server and Compute Node Only
  Red Hat Enterprise Linux 6.4 EUS - Server and Compute Node Only

Via RHSA-2013:1767 https://rhn.redhat.com/errata/RHSA-2013-1767.html

Comment 20 postmodern 2013-11-30 23:11:48 UTC
When will we see an update for Fedora 19? The ruby package is still at 2.0.0-p247.

Comment 21 Sam Kottler 2013-12-01 20:18:33 UTC
There is a pending update for F19 - https://admin.fedoraproject.org/updates/FEDORA-2013-22423/ruby-2.0.0.353-16.fc19. Please test!

Comment 22 Tomas Hoger 2013-12-11 14:49:01 UTC
(In reply to Tomas Hoger from comment #6)
> Ruby versions in Red Hat Enterprise Linux 5 and earlier use different strtod
> implementation.  The current implementation was introduced via the following
> commits (trunk, 1.8):
> http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=13131
> http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=16342

The upstream advisory (see comment 0 for the direct link) previously listed all 1.8 versions as affected.  It has been updated to take the above information into account.  The new strtod implementation was introduced upstream in version 1.8.6-p230 and is also included in 1.8.7.  The ruby packages in Red Hat Enterprise Linux 5 are based on the older upstream version 1.8.5.

Statement:

This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5.

Comment 23 errata-xmlrpc 2014-01-07 18:09:12 UTC
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2014:0011 https://rhn.redhat.com/errata/RHSA-2014-0011.html

Comment 24 Tomas Hoger 2014-02-17 09:59:30 UTC
HackerOne report:
https://hackerone.com/reports/499

Comment 25 errata-xmlrpc 2014-03-11 16:57:28 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.x

Via RHSA-2014:0215 https://rhn.redhat.com/errata/RHSA-2014-0215.html

Comment 27 Kurt Seifried 2014-09-06 00:41:33 UTC
SAM-1 does not appear to use to_f with any user-supplied code; ditto for OpenShift Enterprise 1. This issue is being deferred for both; a later update may address it.