Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1487552 - (CVE-2017-14064) CVE-2017-14064 ruby: Arbitrary heap exposure during a JSON.generate call
CVE-2017-14064 ruby: Arbitrary heap exposure during a JSON.generate call
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20170302,reported=2...
: Security
Depends On: 1487553 1487554 1489642 1489643 1489644 1489645 1509450 1509451 1534437 1534438 1534937 1534938 1534940 1534941
Blocks: 1487556
  Show dependency treegraph
 
Reported: 2017-09-01 05:08 EDT by Adam Mariš
Modified: 2018-03-26 06:21 EDT (History)
30 users (show)

See Also:
Fixed In Version: ruby 2.4.2, ruby 2.3.5, ruby 2.2.8
Doc Type: If docs needed, set a value
Doc Text:
A buffer overflow vulnerability was found in the JSON extension of ruby. An attacker with the ability to pass a specially crafted JSON input to the extension could use this flaw to expose the interpreter's heap memory.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-12-19 12:08:26 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3485 normal SHIPPED_LIVE Moderate: rh-ruby24-ruby security, bug fix, and enhancement update 2017-12-19 08:37:01 EST
Red Hat Product Errata RHSA-2018:0378 normal SHIPPED_LIVE Important: ruby security update 2018-02-28 20:06:17 EST
Red Hat Product Errata RHSA-2018:0583 None None None 2018-03-26 05:43 EDT
Red Hat Product Errata RHSA-2018:0585 None None None 2018-03-26 06:21 EDT

  None (edit)
Description Adam Mariš 2017-09-01 05:08:12 EDT 
Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can
expose arbitrary memory during a JSON.generate call. The issues lies in
using strdup in ext/json/ext/generator/generator.c, which will stop
after encountering a '\0' byte, returning a pointer to a string of
length zero, which is not the length stored in space_len.

Upstream patch:

https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85

References:

https://bugs.ruby-lang.org/issues/13853
https://hackerone.com/reports/209949
Comment 1 Adam Mariš 2017-09-01 05:08:30 EDT 
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1487553]


Created ruby193-ruby tracking bugs for this issue:

Affects: openshift-1 [bug 1487554]
Comment 2 Doran Moppert 2017-09-06 00:26:39 EDT 
This is triggered by passing a string containing \0 in the "opts" argument to JSON.generate - the object being serialised cannot cause memory disclosure to occur.  Normally, this argument can not be influenced by users or potential attackers.
Comment 4 Adam Mariš 2017-09-15 05:21:20 EDT 
External References:

https://www.ruby-lang.org/en/news/2017/09/14/json-heap-exposure-cve-2017-14064/
Comment 7 errata-xmlrpc 2017-12-19 03:37:26 EST 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2017:3485 https://access.redhat.com/errata/RHSA-2017:3485
Comment 8 Cedric Buissart 2017-12-19 12:06:53 EST 
Statement:

This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5, and 6. These versions do not include the JSON module.

This issue affects the versions of ruby as shipped with Red Hat Enterprise Linux 7, as well as the versions of rh-ruby22-ruby and rh-ruby23-ruby as shipped with Red Hat Software Collections. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 10 errata-xmlrpc 2018-02-28 15:01:21 EST 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0378 https://access.redhat.com/errata/RHSA-2018:0378
Comment 13 errata-xmlrpc 2018-03-26 05:43:07 EDT 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0583 https://access.redhat.com/errata/RHSA-2018:0583
Comment 14 errata-xmlrpc 2018-03-26 06:21:17 EDT 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0585 https://access.redhat.com/errata/RHSA-2018:0585
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.