Bug 1232292 (CVE-2015-3225)

Summary: CVE-2015-3225 rubygem-rack: Potential Denial of Service Vulnerability in Rack normalize_params()
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, aortega, apatters, apevec, ayoung, bhu, bkearney, bleanhar, carnil, cbillett, ccoleman, chrisw, cpelland, cperry, dajohnso, dallan, dclarizi, dmcphers, esammons, gkotton, gmccullo, iboverma, jdetiber, jhardy, jialiu, jkeck, jliggitt, joelsmith, jokerman, jorton, jprause, jross, jrusnack, jvlcek, kseifried, lhh, lmeyer, lpeer, markmc, matt, mburns, mcressma, mmaslano, mmccomas, mmccune, obarenbo, ohadlevy, rbryant, sclewis, security-response-team, tjay, tomckay, vondruch, williams, xlecauch, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rubygem-rack-1.6.2, rubygem-rack-1.5.4 Doc Type: Bug Fix
Doc Text:
A flaw was found in a way Rack processed parameters of incoming requests. An attacker could use this flaw to send a crafted request that would cause an application using Rack to crash.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-04 06:18:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1232644, 1248923, 1248924, 1248925, 1248926, 1248927    
Bug Blocks: 1210268, 1232293    
Attachments:
Description Flags
1-5-deep_params.patch
none
1-6-deep_params.patch none

Description Vasyl Kaigorodov 2015-06-16 12:43:58 UTC 
A potential denial of service vulnerability in Rack was reported.
Carefully crafted requests can cause a `SystemStackError` and potentially cause a denial of service attack.

Patches that fix this are attached.

Acknowledgements:

Red Hat would like to thank Ruby upstream developers for reporting this. Upstream acknowledges Tomek Rabczak from the NCC Group as the original reporter.
Comment 1 Vasyl Kaigorodov 2015-06-16 12:45:52 UTC 
Created attachment 1039440 [details]
1-5-deep_params.patch
Comment 2 Vasyl Kaigorodov 2015-06-16 12:46:10 UTC 
Created attachment 1039441 [details]
1-6-deep_params.patch
Comment 3 Kurt Seifried 2015-06-16 19:35:34 UTC 
This is public now:

http://seclists.org/oss-sec/2015/q2/729
Comment 4 Ján Rusnačko 2015-07-31 07:20:32 UTC 
From upstream advisory:

"Versions Affected:  All.
Not affected:       None.
Fixed Versions:     1.6.2, 1.5.4

Impact 
------ 
Carefully crafted requests can cause a `SystemStackError` and potentially
cause a denial of service attack.

All users running an affected release should either upgrade or use one of the workarounds immediately. 

Releases 
-------- 
The FIXED releases are available at the normal locations. 

Workarounds 
----------- 
There are no feasible workarounds for this issue. "


External References:
https://groups.google.com/forum/#!msg/rubyonrails-security/gcUbICUmKMc/qiCotVZwXrMJ
Comment 8 Ján Rusnačko 2015-07-31 07:27:29 UTC 
Created rubygem-rack tracking bugs for this issue:

Affects: fedora-all [bug 1248923]
Affects: epel-all [bug 1248924]
Comment 10 Fedora Update System 2015-08-19 08:09:17 UTC 
rubygem-rack-1.6.1-2.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2015-08-27 23:49:23 UTC 
rubygem-rack-1.5.2-5.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 errata-xmlrpc 2015-11-19 09:37:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2290 https://rhn.redhat.com/errata/RHSA-2015-2290.html