Red Hat Bugzilla – Bug 1009720
CVE-2013-4363 rubygems: version regex algorithmic complexity vulnerability, incomplete CVE-2013-4287 fix
Last modified: 2016-04-26 20:29:46 EDT
RubyGems validates versions with a regular expression that is vulnerable to denial of service due to a backtracking regular expression. For specially crafted RubyGems versions, attackers can cause denial of service through CPU
An initial attempt to fix this (CVE-2013-4287) was made; however, the regex used was found to be insufficient and still allowed a denial of service to occur.
CVE-2013-4287 is tracked via bug 1002364.
CVE-2013-4363 is now fixed upstream in versions: 2.1.5, 2.0.10, 1.8.27 and [fourth version number garbled in extraction]
Upstream commit links:
Patch for RubyGems 2.1.x
Patch for RubyGems 2.0.x
Patch for RubyGems 1.8.x
Patch for RubyGems [version number garbled in extraction]
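Neither the original regex nor the upstream patch is reproduced on this page, so the following is an added example (not RubyGems' own code) of the two defensive options a maintainer has for this class of bug: a hand-written linear-time scan, and a regex built from atomic groups with a hard length cap. The grammar (a digit run, then dot-separated alphanumeric segments, optional surrounding whitespace), the 256-character cap and the sample inputs are assumptions constructed for the example.

```ruby
# Added example, not RubyGems' own code. Grammar assumed: one or more digits,
# then zero or more "." + alphanumeric segments, optional surrounding blanks.
DIGITS = ('0'..'9').to_a.freeze
ALNUM  = (DIGITS + ('a'..'z').to_a + ('A'..'Z').to_a).freeze
MAX_VERSION_LENGTH = 256 # defensive cap; an assumed value, not an upstream one
# 1. Hand-written validator: one left-to-right scan that never backtracks, so
#    its cost is linear in the input length whatever shape the input has.
def valid_version?(str)
  return false unless str.is_a?(String) && str.length <= MAX_VERSION_LENGTH
  s = str.strip
  i = 0
  i += 1 while i < s.length && DIGITS.include?(s[i])
  return false if i.zero?                # a leading digit run is mandatory
  while i < s.length
    return false unless s[i] == '.'      # segments are dot-separated
    i += 1
    start = i
    i += 1 while i < s.length && ALNUM.include?(s[i])
    return false if i == start           # empty segment, e.g. "1..2"
  end
  true
end

# 2. Regex variant: the atomic group (?>...) commits to each matched segment,
#    so the engine cannot re-split the input when a later part fails. Current
#    RubyGems uses atomic groups in its version pattern; the cap is our own.
SAFE_VERSION_RE = /\A\s*[0-9]+(?>\.[0-9a-zA-Z]+)*\s*\z/

def valid_version_re?(str)
  return false unless str.is_a?(String) && str.length <= MAX_VERSION_LENGTH
  SAFE_VERSION_RE.match?(str)
end

# Constructed regression inputs, including a long almost-valid string of the
# shape that makes a backtracking version regex thrash; both must agree.
SAMPLE_INPUTS = {
  '1.2.3'                => true,
  ' 1.0.rc1 '            => true,
  ''                     => false,
  'junk'                 => false,
  '1..2'                 => false,
  '1.2 3.4'              => false,
  '1' + '.1' * 100 + '!' => false,
  '1' + '.1' * 200       => false  # well-formed but over the length cap
}.freeze

# Returns the inputs on which either validator disagrees with the expectation.
def mismatches(expected = SAMPLE_INPUTS)
  expected.reject { |v, ok| valid_version?(v) == ok && valid_version_re?(v) == ok }.keys
end
```

Running `mismatches` is the regression check: an empty result means the linear scanner and the atomic-group regex agree with the expected verdicts, including on the long almost-valid input, and both return in negligible time.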
This CVE was assigned for an incomplete fix for CVE-2013-4287. Red Hat has not yet released rubygems package updates that fix CVE-2013-4287 incompletely; therefore, no Red Hat product is affected by this new CVE-2013-4363. A future rubygems update addressing CVE-2013-4287 will contain the complete fix.
Not vulnerable. This issue did not affect the versions of rubygems as shipped with various Red Hat products.