Bug 1009720 - (CVE-2013-4363) CVE-2013-4363 rubygems: version regex algorithmic complexity vulnerability, incomplete CVE-2013-4287 fix
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20130915,repor...
Keywords: Security
Depends On: 1002838 1002839 1002841 1002842 1002843 1002845 1002847 1002848 1005269 1006429 1006440 1012267 1012780 1012789
Blocks: 1002366
Reported: 2013-09-18 21:48 EDT by Kurt Seifried
Modified: 2016-04-26 20:29 EDT

Fixed In Version: rubygems 2.1.5, rubygems 2.0.10, rubygems 1.8.27, rubygems 1.8.23.2
Doc Type: Bug Fix
Last Closed: 2013-10-02 04:38:00 EDT
Description Kurt Seifried 2013-09-18 21:48:48 EDT
RubyGems validates versions with a regular expression that is vulnerable to
denial of service due to a backtracking regular expression.  For specially
crafted RubyGems versions, attackers can cause denial of service through CPU
consumption.

An initial attempt to fix this (CVE-2013-4287) was made; however, the regex used
was found to be insufficient and still allowed a denial of service to occur.

http://seclists.org/oss-sec/2013/q3/605
http://seclists.org/oss-sec/2013/q3/631
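The report above describes a version-validation regex that backtracks catastrophically. The following Ruby is an added example, not RubyGems' own code or the patched pattern: it places a hypothetical ambiguous version pattern beside an unambiguous one and wraps validation in the two guards a gem-handling service would want, a length cap and a wall-clock limit. The version grammar, the 64-character cap and the 50 ms budget are assumptions for the illustration.

```ruby
require "timeout"

# Hypothetical ambiguous pattern (NOT the pattern RubyGems shipped): because the
# '.' is optional, a run of digits can be split between repetitions of the group
# in exponentially many ways, all of which the engine tries before failing on a
# trailing character that matches nothing. Kept only to show the shape of the bug.
AMBIGUOUS_VERSION = /\A(\d+\.?)+\z/

# Unambiguous replacement: every extra segment starts with a literal '.', and the
# numeric and alphabetic alternatives begin with disjoint character classes, so each
# input position has exactly one way to match and backtracking stays linear.
# The grammar itself (digits, then '.'-separated digit or letter segments) is assumed.
SAFE_VERSION = /\A[0-9]+(\.([0-9]+|[a-zA-Z]+[0-9]*))*\z/

MAX_VERSION_LENGTH = 64  # assumed cap; real gem versions are far shorter
MATCH_TIME_LIMIT = 0.05  # seconds per validation; assumed budget

# Validates a version string with layered defences:
#   1. reject oversized input before the regex engine ever sees it,
#   2. match with an unambiguous, anchored pattern,
#   3. bound the wall-clock time of the match regardless of the pattern in use.
# Returns :ok, :too_long, :invalid or :timeout.
def check_version(str, pattern: SAFE_VERSION)
  return :too_long unless str.length <= MAX_VERSION_LENGTH
  Timeout.timeout(MATCH_TIME_LIMIT) do
    pattern.match?(str) ? :ok : :invalid
  end
rescue Timeout::Error
  :timeout
end

if __FILE__ == $0
  # Constructed sample inputs: two fixed-version numbers from this bug, a
  # prerelease string, a malformed string and a non-version string.
  %w[1.8.23.2 2.1.5 1.0.0.pre.1 1..2 abc].each do |v|
    puts "#{v.inspect} => #{check_version(v)}"
  end
end
```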
Comment 1 Tomas Hoger 2013-09-25 03:49:51 EDT
CVE-2013-4287 is tracked via bug 1002364.

CVE-2013-4363 is now fixed upstream in versions: 2.1.5, 2.0.10, 1.8.27 and 1.8.23.2

External References:

http://blog.rubygems.org/2013/09/24/CVE-2013-4363.html
Comment 5 Tomas Hoger 2013-10-02 04:38:00 EDT
This CVE was assigned for an incomplete fix for CVE-2013-4287.  Red Hat has not yet released rubygems package updates fixing CVE-2013-4287 incompletely; therefore, no Red Hat product is affected by this new CVE-2013-4363.  The future rubygems update addressing CVE-2013-4287 will contain the complete fix.

Statement:

Not vulnerable. This issue did not affect the versions of rubygems as shipped with various Red Hat products.
