Bug 1013913 - (CVE-2013-4389) CVE-2013-4389 rubygem-actionmailer: email address processing DoS
CVE-2013-4389 rubygem-actionmailer: email address processing DoS
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1035153 1035154 1159444 1159445 1165393
Blocks: 1013914
  Show dependency treegraph
Reported: 2013-09-30 23:45 EDT by Kurt Seifried
Modified: 2016-04-27 01:24 EDT (History)
35 users (show)

See Also:
Fixed In Version: rubygem-actionmailer 3.2.15
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-01-07 16:58:30 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
3-0-log-subscriber-CVE-2013-4389.patch (4.22 KB, patch)
2013-10-15 14:24 EDT, Kurt Seifried
no flags Details | Diff
3-1-log-subscriber-CVE-2013-4389.patch (4.16 KB, patch)
2013-10-15 14:24 EDT, Kurt Seifried
no flags Details | Diff
3-2-log-subscriber-CVE-2013-4389.patch (3.91 KB, patch)
2013-10-15 14:25 EDT, Kurt Seifried
no flags Details | Diff

  None (edit)
Description Kurt Seifried 2013-09-30 23:45:04 EDT
Aaron Patterson reports:

Possible DoS Vulnerability in Action Mailer

There is a possible DoS vulnerability in the log subscriber component of
Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2013-4389.

Versions Affected:  3.x.x
Not affected:       4.0.x, 2.3.x
Fixed Versions:     3.2.15

A carefully crafted email address in conjunction with the Action Mailer logger
format string could possibly lead to a denial of service attack.

All users running an affected release should either upgrade or use one of the
work arounds immediately. 

The FIXED releases are available at the normal locations. 

If you can't upgrade or apply patch to your system, you can work around the
issue by using the following monkey patch after requiring Action Mailer:

module ActionMailer
  class LogSubscriber < ActiveSupport::LogSubscriber
    def deliver(event)
      recipients = Array.wrap(event.payload[:to]).join(', ')
      info("\nSent mail to #{recipients} (#{event.duration.round(1)}ms)")

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset. 

* 3-2-log-subscriber.patch - Patch for 3.2 series 
* 3-1-log-subscriber.patch - Patch for 3.1 series 
* 3-0-log-subscriber.patch - Patch for 3.0 series 

Please note that only the 4.0.x, 3.2.x, and 2.3.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.


Thanks to Aaron Neyer for reporting this vulnerability!
Comment 2 Kurt Seifried 2013-09-30 23:50:38 EDT

Red Hat would like to thank the Ruby on Rails project for reporting this issue. Upstream acknowledges Aaron Neyer as the original reporter.
Comment 4 Kurt Seifried 2013-10-15 14:24:03 EDT
Created attachment 812644 [details]
Comment 5 Kurt Seifried 2013-10-15 14:24:39 EDT
Created attachment 812645 [details]
Comment 6 Kurt Seifried 2013-10-15 14:25:13 EDT
Created attachment 812646 [details]
Comment 13 Kurt Seifried 2013-11-27 02:41:59 EST
Created rubygem-actionmailer tracking bugs for this issue:

Affects: fedora-all [bug 1035153]
Comment 14 Fedora Update System 2014-01-24 02:50:14 EST
rubygem-actionmailer-3.2.13-2.fc19, rubygem-actionpack-3.2.13-4.fc19, rubygem-activesupport-3.2.13-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Vincent Danen 2015-01-07 16:57:43 EST

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue did not affect the versions of rubygem-actionmailer as shipped with Red Hat Subscription Asset Manager 1 as they do not include support for sending email using user supplied addresses.

Note You need to log in before you can comment on or make changes to this bug.