Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1232302 - (CVE-2015-3227) CVE-2015-3227 rubygem-activesupport: Possible Denial of Service attack in Active Support in merge_element()
CVE-2015-3227 rubygem-activesupport: Possible Denial of Service attack in Act...
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20150616,repor...
: Security
Depends On: 1249063 1249062 1249064 1249065 1249066
Blocks: 1232306
  Show dependency treegraph
 
Reported: 2015-06-16 09:00 EDT by Vasyl Kaigorodov
Modified: 2015-07-31 08:56 EDT (History)
27 users (show)

See Also:
Fixed In Version: rubygem-activesupport-4.2.2, rubygem-activesupport-4.1.11
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-07-31 08:56:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch for ActiveSupport 3.2 (4.32 KB, application/mbox)
2015-07-31 08:42 EDT, Ján Rusnačko 		no flags Details
Patch for ActiveSupport 4.1 (4.25 KB, application/mbox)
2015-07-31 08:42 EDT, Ján Rusnačko 		no flags Details
Patch for ActiveSupport 4.2 (4.25 KB, application/mbox)
2015-07-31 08:43 EDT, Ján Rusnačko 		no flags Details
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Vasyl Kaigorodov 2015-06-16 09:00:48 EDT 
A possible denial of service attack in the XML processing in Active Support has been reported.

Specially crafted XML documents can cause applications to raise a
`SystemStackError` and potentially cause a denial of service attack.  This
only impacts applications using REXML or JDOM as their XML processor.  Other
XML processors that Rails supports are not impacted.

Workarounds 
----------- 
Use an XML parser that is not impacted by this problem, such as Nokogiri or
LibXML.  You can change the processor like this:

  ActiveSupport::XmlMini.backend = 'Nokogiri'

  If you cannot change XML parsers, then adjust
  `RUBY_THREAD_MACHINE_STACK_SIZE`.

Patches that fix this issue attached.

Acknowledgements:

Red Hat would like to thank the Ruby upstream developers for reporting this issue. Upstream acknowledges Tomek Rabczak from the NCC Group, and Matthew Draper as the original reporters.
Comment 1 Kurt Seifried 2015-06-16 15:37:54 EDT 
This is now public:

http://seclists.org/oss-sec/2015/q2/731
Comment 2 Ján Rusnačko 2015-07-31 08:42:27 EDT 
Created attachment 1058046 [details]
Patch for ActiveSupport 3.2
Comment 3 Ján Rusnačko 2015-07-31 08:42:48 EDT 
Created attachment 1058047 [details]
Patch for ActiveSupport 4.1
Comment 4 Ján Rusnačko 2015-07-31 08:43:11 EDT 
Created attachment 1058049 [details]
Patch for ActiveSupport 4.2
Comment 7 Ján Rusnačko 2015-07-31 08:50:26 EDT 
Created rubygem-activesupport tracking bugs for this issue:

Affects: fedora-all [bug 1249062]
Affects: epel-all [bug 1249063]
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.