Bug 504958 (CVE-2009-1904)
| Field | Value |
|---|---|
| Summary | CVE-2009-1904 ruby: DoS vulnerability in BigDecimal |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Reporter | Tomas Hoger <thoger> |
| Assignee | Red Hat Product Security <security-response-team> |
| QA Contact | |
| Docs Contact | |
| CC | amarecek, andrew, jeremy, kreilly, mjc, mtasaka, rhelbugzilla, tagoh, vanmeeuwen+fedora, vdanen |
| Keywords | Security |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2013-04-22 15:40:34 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 505085, 505086, 505087, 505088 |
| Bug Blocks | |
| Attachments | |
Description
Tomas Hoger
2009-06-10 08:19:56 UTC
Affects ruby packages shipped in Red Hat Enterprise Linux 4 and 5, and all current Fedora versions (F9 - F12). ruby packages in Red Hat Enterprise Linux 3 are not affected, as they do not have BigDecimal implemented. As noted in the upstream advisory, this can be used to test:
ruby -r bigdecimal -e 'BigDecimal("9E69999999").to_s("F")'
This issue has been addressed in the following products:

Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5

Via RHSA-2009:1140 https://rhn.redhat.com/errata/RHSA-2009-1140.html

Created attachment 350939 [details]
Fixes a problem with dropping leading zeros after the decimal point in bigdecimal
Patch to apply on top of ruby-1.8.5-bigdecimal-CVE-2009-1904.patch
OK, that didn't quite go to plan.
(Reason for the attached patch)
We discovered a problem with this update (to RHEL 5 at least)
irb(main):002:0> require 'bigdecimal'; Float(BigDecimal("49.06"))
=> 49.6
Notice how the leading 0 from .06 has been dropped.
We tracked this down to the ruby-1.8.5-bigdecimal-CVE-2009-1904.patch patch.
Specifically the last two hunks making changes to
VpToString(Real *a,char *psz,int fFmt,int fPlus)
If we revert those changes (see the attached patch) then we get back the expected behaviour.
irb(main):011:0> require 'bigdecimal'; Float(BigDecimal("49.06"))
=> 49.06
It also still survives the DoS attack.
Cheers,
Andrew
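The two checks this thread turns on, as an added example (this is not code from the bug report, the attached patch, or the ruby package): a reference formatter for BigDecimal's plain notation built only from BigDecimal#split, used first to size the "F" output before producing it (the buffer-sizing problem behind the 9E69999999 reproducer in the description, where the exponent is attacker-controlled) and then to catch the leading-zero regression Andrew describes above (49.06 rendering as 49.6). The function names and the max_len budget are assumptions of this example, not anything from the advisory.

```ruby
require 'bigdecimal'

# Reference implementation of plain ("F") notation derived from
# BigDecimal#split, so it does not rely on the C formatter under test.
# split returns [sign, digits, base, exponent] with value = 0.<digits> * 10**exponent.
def plain_notation(bd)
  sign, digits, _base, exp = bd.split
  body =
    if exp <= 0
      "0." + ("0" * -exp) + digits            # 0.0042 -> [1, "42", 10, -2]
    elsif exp >= digits.length
      digits + ("0" * (exp - digits.length)) + ".0"   # 9E3 -> "9000.0"
    else
      digits[0, exp] + "." + digits[exp..-1]  # 49.06 -> "49" + "." + "06"
    end
  sign < 0 ? "-" + body : body
end

# Predict the length of the "F" rendering without building it. This is the
# quantity the formatter's buffer has to be sized from; for 9E69999999 it is
# 70,000,002 characters, which is why an unbounded to_s("F") is a DoS vector.
def plain_length(bd)
  sign, digits, _base, exp = bd.split
  len =
    if exp <= 0 then 2 + (-exp) + digits.length
    elsif exp >= digits.length then exp + 2
    else digits.length + 1
    end
  len + (sign < 0 ? 1 : 0)
end

# Guarded formatter for untrusted input: refuse (return nil) when the plain
# rendering would exceed max_len characters, otherwise render with the real
# to_s("F") and cross-check it against the reference formatter so a regression
# like the dropped leading zero raises instead of silently corrupting output.
def guarded_plain(bd, max_len)
  return nil if plain_length(bd) > max_len
  out = bd.to_s("F")
  expected = plain_notation(bd)
  raise "to_s(\"F\") mismatch: got #{out.inspect}, expected #{expected.inspect}" unless out == expected
  out
end

# The regression check from the thread: digits after the decimal point,
# including leading zeros, must survive both to_s("F") and Float().
def leading_zero_check(literal)
  bd = BigDecimal(literal)
  { plain: bd.to_s("F"), expected: plain_notation(bd), float: Float(bd) }
end

if __FILE__ == $0
  p leading_zero_check("49.06")
  p plain_length(BigDecimal("9E69999999"))
  p guarded_plain(BigDecimal("9E69999999"), 1_000_000)   # nil: refused
  p guarded_plain(BigDecimal("9E10000"), 100_000).length  # 10003: rendered and checked
end
```

On a fixed ruby every guarded_plain call either returns the same string the reference produces or returns nil; on a build carrying the regression, guarded_plain(BigDecimal("49.06"), 100) raises with the "49.6" versus "49.06" mismatch, which is the behaviour Andrew reports above.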
(In reply to comment #6)
> We discovered a problem with this update (to RHEL 5 at least)

Confirmed on RHEL-4 too; it does not seem to affect upstream 1.8.6.369. Created separate tracking bugs for the regression:
- RHEL-5 - bug #510277
- RHEL-4 - bug #510278

This issue still affects Fedora 10. Was it the intention not to fix it? Currently it is at 1.8.6.368 (in testing). Fedora 11 and 12 have new enough versions to correct this.

Fixed in ruby-1.8.6.368-2.fc10
http://koji.fedoraproject.org/koji/buildinfo?buildID=144915

For F-10 there is currently a long-term testing upgrade https://admin.fedoraproject.org/updates/F10/FEDORA-2009-5752 (submitted by kanarip). Should I submit a push request regardless of this previous updates request?

I'm not sure how Fedora works for that kind of thing, but if you can somehow replace that update request with yours, which has this fixed, that would probably be ideal. Thanks!

kanarip, what do you think? (Ah, kanarip seems to be at FUDCon.)

Well, as the F-10 updates request will be closed soon, I will submit it.

ruby-1.8.6.368-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ruby-1.8.6.368-2.fc10

ruby-1.8.6.368-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.