Bug 1013913 (CVE-2013-4389) - CVE-2013-4389 rubygem-actionmailer: email address processing DoS
Summary: CVE-2013-4389 rubygem-actionmailer: email address processing DoS
Alias: CVE-2013-4389
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1035153 1035154 1159444 1159445 1165393
Blocks: 1013914
TreeView+ depends on / blocked
Reported: 2013-10-01 03:45 UTC by Kurt Seifried
Modified: 2023-05-12 15:30 UTC (History)
35 users (show)

Fixed In Version: rubygem-actionmailer 3.2.15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-01-07 21:58:30 UTC

Attachments (Terms of Use)
3-0-log-subscriber-CVE-2013-4389.patch (4.22 KB, patch)
2013-10-15 18:24 UTC, Kurt Seifried
no flags Details | Diff
3-1-log-subscriber-CVE-2013-4389.patch (4.16 KB, patch)
2013-10-15 18:24 UTC, Kurt Seifried
no flags Details | Diff
3-2-log-subscriber-CVE-2013-4389.patch (3.91 KB, patch)
2013-10-15 18:25 UTC, Kurt Seifried
no flags Details | Diff

Description Kurt Seifried 2013-10-01 03:45:04 UTC
Aaron Patterson reports:

Possible DoS Vulnerability in Action Mailer

There is a possible DoS vulnerability in the log subscriber component of
Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2013-4389.

Versions Affected:  3.x.x
Not affected:       4.0.x, 2.3.x
Fixed Versions:     3.2.15

A carefully crafted email address in conjunction with the Action Mailer logger
format string could possibly lead to a denial of service attack.

All users running an affected release should either upgrade or use one of the
work arounds immediately. 

The FIXED releases are available at the normal locations. 

If you can't upgrade or apply patch to your system, you can work around the
issue by using the following monkey patch after requiring Action Mailer:

module ActionMailer
  class LogSubscriber < ActiveSupport::LogSubscriber
    def deliver(event)
      recipients = Array.wrap(event.payload[:to]).join(', ')
      info("\nSent mail to #{recipients} (#{event.duration.round(1)}ms)")

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset. 

* 3-2-log-subscriber.patch - Patch for 3.2 series 
* 3-1-log-subscriber.patch - Patch for 3.1 series 
* 3-0-log-subscriber.patch - Patch for 3.0 series 

Please note that only the 4.0.x, 3.2.x, and 2.3.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.


Thanks to Aaron Neyer for reporting this vulnerability!

Comment 2 Kurt Seifried 2013-10-01 03:50:38 UTC

Red Hat would like to thank the Ruby on Rails project for reporting this issue. Upstream acknowledges Aaron Neyer as the original reporter.

Comment 4 Kurt Seifried 2013-10-15 18:24:03 UTC
Created attachment 812644 [details]

Comment 5 Kurt Seifried 2013-10-15 18:24:39 UTC
Created attachment 812645 [details]

Comment 6 Kurt Seifried 2013-10-15 18:25:13 UTC
Created attachment 812646 [details]

Comment 13 Kurt Seifried 2013-11-27 07:41:59 UTC
Created rubygem-actionmailer tracking bugs for this issue:

Affects: fedora-all [bug 1035153]

Comment 14 Fedora Update System 2014-01-24 07:50:14 UTC
rubygem-actionmailer-3.2.13-2.fc19, rubygem-actionpack-3.2.13-4.fc19, rubygem-activesupport-3.2.13-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Vincent Danen 2015-01-07 21:57:43 UTC

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue did not affect the versions of rubygem-actionmailer as shipped with Red Hat Subscription Asset Manager 1 as they do not include support for sending email using user supplied addresses.

Note You need to log in before you can comment on or make changes to this bug.