1232302 – (CVE-2015-3227) CVE-2015-3227 rubygem-activesupport: Possible Denial of Service attack in Active Support in merge_element()

Bug 1232302 (CVE-2015-3227) - CVE-2015-3227 rubygem-activesupport: Possible Denial of Service attack in Active Support in merge_element()

Summary: CVE-2015-3227 rubygem-activesupport: Possible Denial of Service attack in Act...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2015-3227
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1249062 1249063 1249064 1249065 1249066
Blocks:	1232306
TreeView+	depends on / blocked

Reported:	2015-06-16 13:00 UTC by Vasyl Kaigorodov
Modified:	2023-05-12 09:40 UTC (History)
CC List:	27 users (show)
Fixed In Version:	rubygem-activesupport-4.2.2, rubygem-activesupport-4.1.11
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-07-31 12:56:31 UTC
Embargoed:

Attachments	(Terms of Use)
Patch for ActiveSupport 3.2 (4.32 KB, application/mbox) 2015-07-31 12:42 UTC, Ján Rusnačko	no flags	Details
Patch for ActiveSupport 4.1 (4.25 KB, application/mbox) 2015-07-31 12:42 UTC, Ján Rusnačko	no flags	Details
Patch for ActiveSupport 4.2 (4.25 KB, application/mbox) 2015-07-31 12:43 UTC, Ján Rusnačko	no flags	Details
View All

Description Vasyl Kaigorodov 2015-06-16 13:00:48 UTC

A possible denial of service attack in the XML processing in Active Support has been reported.

Specially crafted XML documents can cause applications to raise a
`SystemStackError` and potentially cause a denial of service attack.  This
only impacts applications using REXML or JDOM as their XML processor.  Other
XML processors that Rails supports are not impacted.

Workarounds 
----------- 
Use an XML parser that is not impacted by this problem, such as Nokogiri or
LibXML.  You can change the processor like this:

  ActiveSupport::XmlMini.backend = 'Nokogiri'

  If you cannot change XML parsers, then adjust
  `RUBY_THREAD_MACHINE_STACK_SIZE`.

Patches that fix this issue attached.

Acknowledgements:

Red Hat would like to thank the Ruby upstream developers for reporting this issue. Upstream acknowledges Tomek Rabczak from the NCC Group, and Matthew Draper as the original reporters.

Comment 1 Kurt Seifried 2015-06-16 19:37:54 UTC

This is now public:

http://seclists.org/oss-sec/2015/q2/731

Comment 2 Ján Rusnačko 2015-07-31 12:42:27 UTC

Created attachment 1058046 [details]
Patch for ActiveSupport 3.2

Comment 3 Ján Rusnačko 2015-07-31 12:42:48 UTC

Created attachment 1058047 [details]
Patch for ActiveSupport 4.1

Comment 4 Ján Rusnačko 2015-07-31 12:43:11 UTC

Created attachment 1058049 [details]
Patch for ActiveSupport 4.2

Comment 7 Ján Rusnačko 2015-07-31 12:50:26 UTC

Created rubygem-activesupport tracking bugs for this issue:

Affects: fedora-all [bug 1249062]
Affects: epel-all [bug 1249063]

Note You need to log in before you can comment on or make changes to this bug.

apatters
bkearney
carnil
cbillett
ccoleman
dajohnso
dclarizi
dmcphers
gmccullo
jhardy
jialiu
joelsmith
jokerman
jorton
jprause
jrafanie
jrusnack
jvlcek
kseifried
lmeyer
mmaslano
mmccomas
obarenbo
security-response-team
tomckay
vondruch
xlecauch