Bug 1033460 (CVE-2013-4164) - CVE-2013-4164 ruby: heap overflow in floating point parsing
Summary: CVE-2013-4164 ruby: heap overflow in floating point parsing
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-4164
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1033488 1033492 1033500 1033502 1033503 1033546 1033621 1033623 1033624 1033859 1033860 1033862 1033863 1033865 1033866 1033867 1033906 1159431 1159432
Blocks: 1033464 1033487 1239193
Reported: 2013-11-22 07:09 UTC by Murray McAllister
Modified: 2021-02-17 07:09 UTC
CC: 45 users

Fixed In Version: ruby 1.9.3-p484, ruby 2.0.0-p353
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-19 03:28:04 UTC
Embargoed:


Attachments:


Links (all entries are Red Hat Product Errata, not private, priority normal, status SHIPPED_LIVE):
  RHSA-2013:1763 - Critical: ruby193-ruby security update (last updated 2013-11-26 00:01:07 UTC)
  RHSA-2013:1764 - Critical: ruby security update (last updated 2013-11-26 00:00:54 UTC)
  RHSA-2013:1767 - Critical: ruby security update (last updated 2013-11-26 23:47:04 UTC)
  RHSA-2014:0011 - Critical: ruby193-ruby security update (last updated 2014-01-07 23:07:26 UTC)
  RHSA-2014:0215 - Critical: cfme security, bug fix, and enhancement update (last updated 2014-03-11 20:56:48 UTC)

Description Murray McAllister 2013-11-22 07:09:32 UTC
Ruby Programming Language Project reports:

https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/

  Heap Overflow in Floating Point Parsing (CVE-2013-4164)

  There is an overflow in floating point number parsing in Ruby. This
  vulnerability has been assigned the CVE identifier CVE-2013-4164.

  Details
  Any time a string is converted to a floating point value, a specially
  crafted string can cause a heap overflow. This can lead to a denial of
  service attack via segmentation faults and possibly arbitrary code execution.
  Any program that converts input of unknown origin to floating point values
  (especially common when accepting JSON) is vulnerable.

  Vulnerable code looks something like this:

    untrusted_data.to_f

  But any code that produces floating point values from external data is
  vulnerable, such as this:

    JSON.parse untrusted_data

  Note that this bug is similar to CVE-2009-0689.

  All users running an affected release should upgrade to the fixed versions
  of ruby.

  Affected versions

  All ruby 1.8 versions
  All ruby 1.9 versions prior to ruby 1.9.3 patchlevel 484
  All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 353
  All ruby 2.1 versions prior to ruby 2.1.0 preview1 prior to trunk revision
  43780

  Solutions

  All users are recommended to upgrade to Ruby 1.9.3 patchlevel 484,
  ruby 2.0.0 patchlevel 353 or ruby 2.1.0 preview2.

  Please note that ruby 1.8 series or any earlier releases are already
  obsoleted. There is no plan to release new fixed versions for them. Users of
  such versions are advised to upgrade as soon as possible as we cannot
  guarantee the continued availability of security fixes for unsupported
  releases.

  Credits
  Thanks to Charlie Somerville for reporting this issue!

Upstream announcements of fixed versions 1.9.3p484 and 2.0.0p353:
https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/
https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released/

Upstream commits (trunk, 1.9.3 and 2.0.0):
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43775
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43776
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43778

GitHub repositories mirror commits:
https://github.com/ruby/ruby/commit/5cb83d9dab13e14e6146f455ffd9fed4254d238f
https://github.com/ruby/ruby/commit/60c29bbbf6574e0e947c56e71c3c3ca11620ee15
https://github.com/ruby/ruby/commit/46cd2f463c5668f53436076e67db59fdc33ff384

External references:
https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/

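The advisory quoted above gives the affected and fixed version ranges, and comment 22 in this bug narrows the 1.8 range (releases before 1.8.6-p230 use a different strtod). The following is an added example, not code from the Ruby project or from this bug: a Ruby function that classifies an interpreter version and patchlevel against that table so an administrator can check what is running. The function and constant names are my own.

```ruby
# Added example (not code from the Ruby project or from this bug): classify a
# Ruby interpreter against the CVE-2013-4164 version table from the upstream
# advisory, refined by comment 22 of this bug (1.8 releases before 1.8.6-p230
# use a different strtod and are not affected). Names here are my own.

# Fixed releases named in the advisory, as [[major, minor, teeny], patchlevel].
FIXED_19 = [[1, 9, 3], 484].freeze
FIXED_20 = [[2, 0, 0], 353].freeze
# First 1.8 release carrying the affected strtod (comment 22 of this bug).
FIRST_AFFECTED_18 = [[1, 8, 6], 230].freeze

# version:    "major.minor.teeny" string, e.g. RUBY_VERSION
# patchlevel: Integer, e.g. RUBY_PATCHLEVEL (-1 on prerelease/trunk builds)
# Returns :not_affected, :affected, :fixed or :unknown.
def cve_2013_4164_status(version, patchlevel)
  v = version.split(".").map(&:to_i)
  unless v.size == 3 && patchlevel.is_a?(Integer)
    raise ArgumentError, "expected major.minor.teeny and an Integer patchlevel"
  end
  release = [v, patchlevel] # Array#<=> compares element-wise, so this orders releases

  if (v <=> [1, 8, 0]) < 0
    :not_affected # pre-1.8: older strtod implementation
  elsif v[0] == 1 && v[1] == 8
    # 1.8 series: affected from 1.8.6-p230 on; obsolete upstream, so no fixed release exists
    (release <=> FIRST_AFFECTED_18) < 0 ? :not_affected : :affected
  elsif v[0] == 1 && v[1] == 9
    # "All ruby 1.9 versions prior to ruby 1.9.3 patchlevel 484"
    (release <=> FIXED_19) < 0 ? :affected : :fixed
  elsif v == [2, 0, 0]
    # "All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 353"
    (release <=> FIXED_20) < 0 ? :affected : :fixed
  elsif v[0] == 2 && v[1] == 1 && patchlevel < 0
    :unknown # 2.1.0 prerelease: fixed only from trunk r43780 (preview2) on
  else
    :fixed # 2.1.0 final and everything later ships with the fix
  end
end

# Status of the interpreter running this script.
def running_interpreter_status
  cve_2013_4164_status(RUBY_VERSION, RUBY_PATCHLEVEL)
end

if __FILE__ == $0
  puts "ruby #{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}: #{running_interpreter_status}"
end
```

Run it under the interpreter in question (or feed it a version string and patchlevel taken from `ruby -v`); a 2.1.0 prerelease reports :unknown because the advisory ties the fix to trunk revision 43780 rather than to a patchlevel. Distribution packages that backport the fix keep their upstream patchlevel, so for those the errata listed on this bug, not the version string, is the authoritative check.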
Comment 6 Tomas Hoger 2013-11-22 10:55:50 UTC
Ruby versions in Red Hat Enterprise Linux 5 and earlier use a different strtod implementation.  The current implementation was introduced via the following commits (trunk, 1.8):
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=13131
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=16342

Comment 7 Tomas Hoger 2013-11-22 11:02:58 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1033546]

Comment 17 errata-xmlrpc 2013-11-25 19:02:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1764 https://rhn.redhat.com/errata/RHSA-2013-1764.html

Comment 18 errata-xmlrpc 2013-11-25 19:04:28 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2013:1763 https://rhn.redhat.com/errata/RHSA-2013-1763.html

Comment 19 errata-xmlrpc 2013-11-26 18:49:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 EUS - Server and Compute Node Only
  Red Hat Enterprise Linux 6.3 EUS - Server and Compute Node Only
  Red Hat Enterprise Linux 6.4 EUS - Server and Compute Node Only

Via RHSA-2013:1767 https://rhn.redhat.com/errata/RHSA-2013-1767.html

Comment 20 postmodern 2013-11-30 23:11:48 UTC
When will we see an update for Fedora 19? The ruby package is still at 2.0.0-p247.

Comment 21 Sam Kottler 2013-12-01 20:18:33 UTC
There is a pending update for F19 - https://admin.fedoraproject.org/updates/FEDORA-2013-22423/ruby-2.0.0.353-16.fc19. Please test!

Comment 22 Tomas Hoger 2013-12-11 14:49:01 UTC
(In reply to Tomas Hoger from comment #6)
> Ruby versions in Red Hat Enterprise Linux 5 and earlier use a different strtod
> implementation.  The current implementation was introduced via the following
> commits (trunk, 1.8):
> http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=13131
> http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=16342

The upstream advisory (see comment 0 for the direct link) previously listed all 1.8 versions as affected.  It has been updated to take the above information into account.  The new strtod implementation was introduced upstream in version 1.8.6-p230 and is also included in 1.8.7.  The ruby packages in Red Hat Enterprise Linux 5 are based on the older upstream version 1.8.5.

Statement:

This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5.

Comment 23 errata-xmlrpc 2014-01-07 18:09:12 UTC
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2014:0011 https://rhn.redhat.com/errata/RHSA-2014-0011.html

Comment 24 Tomas Hoger 2014-02-17 09:59:30 UTC
HackerOne report:
https://hackerone.com/reports/499

Comment 25 errata-xmlrpc 2014-03-11 16:57:28 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.x

Via RHSA-2014:0215 https://rhn.redhat.com/errata/RHSA-2014-0215.html

Comment 27 Kurt Seifried 2014-09-06 00:41:33 UTC
SAM-1 does not appear to use to_f with any user supplied code; ditto for OpenShift Enterprise 1. This issue is being deferred for both; a later update may address it.
