Bug 1487552 (CVE-2017-14064) - CVE-2017-14064 ruby: Arbitrary heap exposure during a JSON.generate call
Summary: CVE-2017-14064 ruby: Arbitrary heap exposure during a JSON.generate call
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-14064
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20170302,reported=2...
Depends On: 1487553 1487554 1489642 1489643 1489644 1489645 1509450 1509451 1534437 1534438 1534937 1534938 1534940 1534941
Blocks: 1487556
TreeView+ depends on / blocked
 
Reported: 2017-09-01 09:08 UTC by Adam Mariš
Modified: 2019-06-08 22:17 UTC (History)
30 users (show)

Fixed In Version: ruby 2.4.2, ruby 2.3.5, ruby 2.2.8
Doc Type: If docs needed, set a value
Doc Text:
A buffer overflow vulnerability was found in the JSON extension of ruby. An attacker with the ability to pass a specially crafted JSON input to the extension could use this flaw to expose the interpreter's heap memory.
Clone Of:
Environment:
Last Closed: 2017-12-19 17:08:26 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3485 normal SHIPPED_LIVE Moderate: rh-ruby24-ruby security, bug fix, and enhancement update 2017-12-19 13:37:01 UTC
Red Hat Product Errata RHSA-2018:0378 normal SHIPPED_LIVE Important: ruby security update 2018-03-01 01:06:17 UTC
Red Hat Product Errata RHSA-2018:0583 None None None 2018-03-26 09:43:19 UTC
Red Hat Product Errata RHSA-2018:0585 None None None 2018-03-26 10:21:29 UTC

Description Adam Mariš 2017-09-01 09:08:12 UTC
Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can
expose arbitrary memory during a JSON.generate call. The issues lies in
using strdup in ext/json/ext/generator/generator.c, which will stop
after encountering a '\0' byte, returning a pointer to a string of
length zero, which is not the length stored in space_len.

Upstream patch:

https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85

References:

https://bugs.ruby-lang.org/issues/13853
https://hackerone.com/reports/209949

Comment 1 Adam Mariš 2017-09-01 09:08:30 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1487553]


Created ruby193-ruby tracking bugs for this issue:

Affects: openshift-1 [bug 1487554]

Comment 2 Doran Moppert 2017-09-06 04:26:39 UTC
This is triggered by passing a string containing \0 in the "opts" argument to JSON.generate - the object being serialised cannot cause memory disclosure to occur.  Normally, this argument can not be influenced by users or potential attackers.

Comment 4 Adam Mariš 2017-09-15 09:21:20 UTC
External References:

https://www.ruby-lang.org/en/news/2017/09/14/json-heap-exposure-cve-2017-14064/

Comment 7 errata-xmlrpc 2017-12-19 08:37:26 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2017:3485 https://access.redhat.com/errata/RHSA-2017:3485

Comment 8 Cedric Buissart 🐶 2017-12-19 17:06:53 UTC
Statement:

This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5, and 6. These versions do not include the JSON module.

This issue affects the versions of ruby as shipped with Red Hat Enterprise Linux 7, as well as the versions of rh-ruby22-ruby and rh-ruby23-ruby as shipped with Red Hat Software Collections. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 10 errata-xmlrpc 2018-02-28 20:01:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0378 https://access.redhat.com/errata/RHSA-2018:0378

Comment 13 errata-xmlrpc 2018-03-26 09:43:07 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0583 https://access.redhat.com/errata/RHSA-2018:0583

Comment 14 errata-xmlrpc 2018-03-26 10:21:17 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0585 https://access.redhat.com/errata/RHSA-2018:0585


Note You need to log in before you can comment on or make changes to this bug.