Bug 909029 (CVE-2013-0269)
| Field | Value |
|---|---|
| Summary | CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection |
| Product | [Other] Security Response |
| Reporter | Kurt Seifried <kseifried> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | aneelica, bbuckingham, bcourt, bhu, bkabrda, bkearney, bleanhar, btotty, ccoleman, clalancette, cpelland, dajohnso, djorm, dmcphers, esammons, hhudgeon, iboverma, jbpapp-maint, jeckersb, jeremy, jialiu, jlieskov, jneedle, jomara, jross, jstribny, katello-bugs, katello-internal, kyoshida, lmeyer, lxtnow, lzap, mastahnke, matt, mcressma, mfojtik, mgoldman, mjc, mmccune, mmorsi, morazi, mrg-program-list, msuchy, mtasaka, nmoumoul, nwallace, rchan, rcvalle, rjerrido, sclewis, sebastien.olivier, security-response-team, soa-p-jira, sokeeffe, tagoh, tcunning, tdawson, tkramer, vanmeeuwen+fedora, vondruch, weli, williams, yjog, ytale |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2013-09-03 04:56:26 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 909031, 909033, 909035, 909036, 910313, 910314, 910315, 974094, 978171, 995670 |
| Bug Blocks | 910299, 925673, 958335, 978151, 980652, 981152 |
| Attachments | |
Description
Kurt Seifried
2013-02-08 05:19:00 UTC
Created attachment 694933 [details]
rubygem-json-1-5-CVE-2013-0269.patch
Created attachment 694934 [details]
rubygem-json-1-6-CVE-2013-0269.patch
Created attachment 694936 [details]
rubygem-json-1-7-CVE-2013-0269.patch
Public via:
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58
http://thread.gmane.org/gmane.comp.security.oss.general/9352

Created ruby tracking bugs for this issue
Affects: fedora-all [bug 910314]

Created rubygem-json tracking bugs for this issue
Affects: fedora-all [bug 910313]
Affects: epel-all [bug 910315]

Created attachment 696457 [details]
Updated patch for 1.7 version

Updated patch for 1.7 version from:
[1] http://www.openwall.com/lists/oss-security/2013/02/11/8

From [1]:

Hi, I've attached an updated patch for the JSON gem. This patch is for the 1.7.x series. The difference in this patch is changing the version number.

-- Aaron Patterson
http://tenderlovemaking.com/

External References:
http://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/

This issue has been addressed in following products:
Red Hat Subscription Asset Manager 1.2
Via RHSA-2013:0686 https://rhn.redhat.com/errata/RHSA-2013-0686.html

Acknowledgements:
Red Hat would like to thank Ruby on Rails upstream for reporting this issue. Upstream acknowledges Thomas Hollstegge of Zweitag and Ben Murphy as the original reporters.

This issue has been addressed in following products:
RHEL 6 Version of OpenShift Enterprise
Via RHSA-2013:0701 https://rhn.redhat.com/errata/RHSA-2013-0701.html

This issue has been addressed in following products:
Fuse ESB Enterprise 7.1.0
Via RHSA-2013:1028 https://rhn.redhat.com/errata/RHSA-2013-1028.html

The Red Hat Security Response Team has rated this issue as having moderate security impact in CloudForms 1.1. This issue is not currently planned to be addressed in future updates.

This issue has been addressed in following products:
Red Hat JBoss SOA Platform 5.3.1
Via RHSA-2013:1147 https://rhn.redhat.com/errata/RHSA-2013-1147.html

This issue has been addressed in following products:
Red Hat JBoss Fuse 6.0.0
Via RHSA-2013:1185 https://rhn.redhat.com/errata/RHSA-2013-1185.html

An affected package (rubygem-json - version 1.4.6-2.el6) is still in use by Red Hat Satellite. Can someone confirm if this vulnerability is affecting Red Hat Satellite?

Satellite Srpms
~~~~~~~~~~~~~~~~
* Red Hat Satellite 6: nil
* Red Hat Satellite Tools 6.5/6.6/6.7/6.8: rubygem-json-1.4.6-2.el6

The following repos have this srpm:

```
[root@rhel6u9-3 ~]# yum repolist enabled
rhel-6-server-rpms                              Red Hat Enterprise Linux 6 Server (RPMs)
rhel-6-server-satellite-tools-6.6-rpms          Red Hat Satellite Tools 6.6 (for RHEL 6 Server) (RPMs)
rhel-6-server-satellite-tools-6.6-source-rpms   Red Hat Satellite Tools 6.6 (for RHEL 6 Server) (Source RPMs)
```

Inspection
~~~~~~~~~~~
[1] Vulnerable files, but the code is absent:
ext/json/ext/parser/parser.c
ext/json/ext/parser/parser.rl

[2] Vulnerable code from lib:
lib/json/add/core.rb
lib/json/common.rb
lib/json/pure/parser.rb

[3] Srpm 1.4.6-2 does not contain these files:
java/src/json/ext/Parser.java
java/src/json/ext/Parser.rl

Please note that in the 1.4.z-stream we ship the "java stuff" as a separate package - v1.4.6-java https://github.com/flori/json/releases/tag/v1.4.6-java - and the srpm uses 1.4.6-2.el6 without java https://github.com/flori/json/releases/tag/v1.4.6

Analysis
~~~~~~~~~
```
[root@rhel6u9-3 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.10 (Santiago)
[root@rhel6u9-3 ~]# yum list | grep rubygem-json
rubygem-json.x86_64    1.4.6-2.el6    @rhel-6-server-satellite-tools-6.6-rpms
[root@rhel6u9-3 ~]# uname -a
Linux redacted.redhat.com 2.6.32-696.el6.x86_64 #1 SMP Tue Feb 21 00:53:17 EST 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@rhel6u9-3 ~]# rvm use 2.0.0 --default
Using /usr/local/rvm/gems/ruby-2.0.0-p648
[root@rhel6u9-3 ~]# ruby --version
ruby 2.0.0p648 (2015-12-16 revision 53162) [x86_64-linux]
[root@rhel6u9-3 ~]# irb
2.0.0-p648 :001 > require 'json'
 => true
2.0.0-p648 :002 > JSON.parse "{\"json_class\":\"JSON::GenericObject\",\"foo\":\"bar\"}"
 => {"json_class"=>"JSON::GenericObject", "foo"=>"bar"}
```

rubygem-json should show the following if we are vulnerable:

```
[root@rhel6u9-3 ~]# irb
2.0.0-p648 :001 > require 'json'
 => true
2.0.0-p648 :002 > JSON.parse "{\"json_class\":\"JSON::GenericObject\",\"foo\":\"bar\"}"
 => #<JSON::GenericObject foo="bar">
```

or

```
 => ArgumentError: undefined class/module JSON::GenericObject
```

Conclusion
~~~~~~~~~~~
Red Hat Satellite uses gem rubygem-json-1.4.6, which is less than 1.5.5; however, from the analysis and inspection [3] it looks like the product is not vulnerable to the flaw.

FYI, CVE-2020-10663 is an extension of CVE-2013-0269. Since this gem is not supported by upstream now, we should update this to the latest; raised a regular bug for this: bug 1862203

Added Red Hat Satellite 6 into the affects list and marked it notaffected. (This may take time to populate in the table.)

Statement:

Red Hat Satellite tools ship RubyGem Json 1.4.6, which is earlier than the affected 1.5.5 version; however, this version of RubyGem is not affected by the flaw. We may update RubyGem in a future release.

(In reply to Yadnyawalk Tale from comment #39)
> Statement:
>
> Red Hat Satellite tools ship RubyGem Json 1.4.6 which is earlier than
> affected 1.5.5 version however, this version of RubyGem is not affected to
> the flaw. We may update RubyGem in a future release.

Thank you all for the quick analysis, you're awesome!
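The IRB check in the analysis above decides vulnerability by whether a plain `JSON.parse` turns a document carrying a `json_class` key into an object. The script below is an added example, not code from this bug report or from the json gem: it runs the same probe against whatever json gem is installed, using a constructed, harmless `Widget` class (the gem only instantiates classes that respond to `json_create`, so this avoids depending on `JSON::GenericObject` being loadable) and a constructed `PAYLOAD` document. It also shows the defensive call, `create_additions: false`, which is correct on every gem version, beside the explicit opt-in that reproduces what a vulnerable 1.5.4/1.6.7/1.7.6 did by default.

```ruby
# Added example (not from the bug report or the json gem): probe whether the
# installed json gem honours "json_class" in a plain JSON.parse, the
# CVE-2013-0269 behaviour, and show the defensive parse call.
require 'json'

# Constructed, harmless class that opts in to creation from JSON. The gem
# treats a class as creatable only if it responds to json_create, so this
# stands in for JSON::GenericObject without needing json/generic_object.
class Widget
  attr_reader :name

  def initialize(name)
    @name = name
  end

  def self.json_create(hash)
    new(hash['name'])
  end
end

# Constructed input with the same shape as the IRB check in the analysis,
# but pointing json_class at the Widget class defined above.
PAYLOAD = '{"json_class":"Widget","name":"gadget"}'.freeze

# :safe if the gem's default JSON.parse leaves the document as a plain Hash
# (json >= 1.5.5 / 1.6.8 / 1.7.7), :vulnerable if it instantiated the named
# class without being asked, which is what the fixed versions stopped doing.
def default_parse_status(doc = PAYLOAD)
  result = JSON.parse(doc)
  result.is_a?(Hash) ? :safe : :vulnerable
end

# Defensive parse for untrusted input: explicitly disable additions so the
# result is a plain Hash regardless of which gem version is installed.
def parse_untrusted(doc)
  JSON.parse(doc, create_additions: false)
end

# Explicit opt-in: this is the only way a fixed gem will call json_create.
# It is the behaviour the vulnerable releases exposed by default.
def parse_with_additions(doc)
  JSON.parse(doc, create_additions: true)
end

if __FILE__ == $PROGRAM_NAME
  puts "default JSON.parse on json #{JSON::VERSION}: #{default_parse_status}"
  puts "create_additions: false -> #{parse_untrusted(PAYLOAD).class}"
  puts "create_additions: true  -> #{parse_with_additions(PAYLOAD).class}"
end
```

On a fixed gem the first line reports `:safe` and the explicit opt-in is the only call that yields a `Widget`; on a vulnerable gem the default parse already returns a `Widget`, which is the condition the analysis's second IRB transcript describes. Code that parses untrusted input should pass `create_additions: false` rather than rely on the gem's default.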