Bug 1002364 - (CVE-2013-4287) CVE-2013-4287 rubygems: version regex algorithmic complexity vulnerability
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20130909,repor...
Keywords: Security
Depends On: 1002838 1002839 1002841 1002842 1002843 1002844 1002845 1002847 1002848 1005269 1006429 1006440 1012267 1012780 1012789 1061934 1159439
Blocks: 1002366 1034635
Reported: 2013-08-28 23:20 EDT by Vincent Danen
Modified: 2016-04-26 09:42 EDT (History)

Fixed In Version: rubygems 2.1.0, rubygems 2.0.8, rubygems 1.8.26, rubygems 1.8.23.1
Doc Type: Bug Fix
Last Closed: 2015-01-21 02:51:40 EST
Description Vincent Danen 2013-08-28 23:20:40 EDT
RubyGems validates versions with a regular expression that is vulnerable to
denial of service due to a backtracking regular expression.  For specially
crafted RubyGems versions attackers can cause denial of service through CPU
consumption.

RubyGems versions 2.0.7 and older, 2.1.0.rc.1 and 2.1.0.rc.2 are vulnerable.

Ruby versions 1.9.0 through 2.0.0p247 are vulnerable as they contain embedded
versions of RubyGems.

It does not appear to be possible to exploit this vulnerability by installing a
gem for RubyGems 1.8.x or 2.0.x.  Vulnerable uses of RubyGems API include
packaging a gem (through `gem build`, Gem::Package or Gem::PackageTask),
sending user input to Gem::Version.new, Gem::Version.correct? or use of the
Gem::Version::VERSION_PATTERN or Gem::Version::ANCHORED_VERSION_PATTERN
constants.

The vulnerability can be fixed by changing the first grouping to an atomic
grouping in Gem::Version::VERSION_PATTERN.  For RubyGems 2.0.x:

-  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
+  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
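Review bot: the atomic grouping stops at the first repeated group; the prerelease part `(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?` on the same line keeps the same nested-repetition shape (a greedy `+` class followed by `(\.class+)*`) in non-atomic form, so the backtracking concern is only narrowed, not removed, which matches the later report in comment 13 that the upstream fix does not cover all cases. Suggest making the prerelease groupings atomic as well, e.g. `(?>-[0-9A-Za-z-]+(?>\.[0-9A-Za-z-]+)*)?`, and checking that callers match against the anchored form (Gem::Version::ANCHORED_VERSION_PATTERN) rather than the bare VERSION_PATTERN, since an unanchored match retries from every offset of the input.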


Acknowledgements:

Red Hat would like to thank Rubygems upstream for reporting this vulnerability. Upstream acknowledges Damir Sharipov as the original reporter.
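As an added example (not RubyGems' own code, nor from the reporter), a hardened version validator built on the VERSION_PATTERN quoted in the description; the atomic grouping applied to the prerelease part, the anchoring helpers and the MAX_VERSION_LENGTH bound are assumptions of this example, not part of the upstream fix.

```ruby
# Added example, not RubyGems' own code: a hardened version validator built
# on the VERSION_PATTERN quoted in the bug description.
# The reported (vulnerable) pattern, kept only so the hardened form can be
# checked against it on benign input; never use it on untrusted data.
REPORTED_VERSION_PATTERN =
  '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?'

# Hardened form: every repeated grouping is atomic (?>...), so once a segment
# has matched the engine cannot re-split it while backtracking. Segments are
# delimited by ".", which no segment class contains, so the set of accepted
# strings is unchanged; the prerelease atomic groups go beyond the report's fix.
HARDENED_VERSION_PATTERN =
  '[0-9]+(?>\.[0-9a-zA-Z]+)*(?>-[0-9A-Za-z-]+(?>\.[0-9A-Za-z-]+)*)?'

# A validator must anchor; an unanchored match retries from every offset.
REPORTED_ANCHORED = /\A#{REPORTED_VERSION_PATTERN}\z/
HARDENED_ANCHORED = /\A#{HARDENED_VERSION_PATTERN}\z/

# Assumed bound (not from the report): real gem versions are short, so
# oversized input is rejected before the regex engine ever sees it.
MAX_VERSION_LENGTH = 256

# True only for a non-empty, reasonably sized, well-formed version string.
def valid_version?(str)
  return false unless str.is_a?(String)
  return false if str.empty? || str.length > MAX_VERSION_LENGTH
  HARDENED_ANCHORED.match?(str)
end

# Dotted segments of a valid version (release then prerelease), else nil.
def version_segments(str)
  return nil unless valid_version?(str)
  release, prerelease = str.split('-', 2)
  segments = release.split('.')
  segments.concat(prerelease.split('.')) if prerelease
  segments
end

# Rollout check: on ordinary input both anchored patterns must agree, so the
# only behavioural change is that pathological input stops burning CPU.
def same_verdict?(str)
  REPORTED_ANCHORED.match?(str) == HARDENED_ANCHORED.match?(str)
end

if __FILE__ == $PROGRAM_NAME
  %w[1.0.0 2.1.0.rc.2 1.8.23.1 1.0-beta.1 1.0. v1.0 1..0].each do |v|
    puts format('%-12s valid=%-5s agree=%s', v, valid_version?(v), same_verdict?(v))
  end
end
```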
Comment 9 Tomas Hoger 2013-09-10 04:33:57 EDT
Fixed in: RubyGems 2.1.0, 2.0.8, 1.8.26 and 1.8.23.1

External references:

http://blog.rubygems.org/2013/09/09/CVE-2013-4287.html
Comment 10 Tomas Hoger 2013-09-10 04:36:45 EDT
Patch links from the upstream announcement:

- patch for RubyGems 2.1.0.rc.2, released as RubyGems 2.1.0:
https://github.com/rubygems/rubygems/commit/938a7e31ac73655845ab9045629ff3f580a125da

- patch for RubyGems 2.0.7, released as RubyGems 2.0.8:
https://github.com/rubygems/rubygems/commit/b9baec03145aed684d1cd3c87dcac3cc06becd9b

- patch for RubyGems 1.8.25, released as RubyGems 1.8.26:
https://github.com/rubygems/rubygems/commit/ed733bc379d75620f5be4213f89d1d7b38be3191

- patch for RubyGems 1.8.23, released as RubyGems 1.8.23.1:
https://github.com/rubygems/rubygems/commit/b697536f2455e8c8853cf5cf8a1017a36031ed67
Comment 13 Tomas Hoger 2013-09-16 04:17:00 EDT
There is an indication that the upstream fix does not correctly fix all cases:

http://thread.gmane.org/gmane.comp.security.oss.general/11085/focus=11114
Comment 14 Tomas Hoger 2013-09-18 05:14:02 EDT
An upstream update addressing additional concerns is expected early next week:

http://thread.gmane.org/gmane.comp.security.oss.general/11085/focus=11130
Comment 16 Tomas Hoger 2013-09-25 03:58:32 EDT
(In reply to Tomas Hoger from comment #14)
> Upstream update addressing additional concerns is expected early next week:
> 
> http://thread.gmane.org/gmane.comp.security.oss.general/11085/focus=11130

The upstream update is now available, see bug 1009720, comment 1.
Comment 20 errata-xmlrpc 2013-10-15 14:24:25 EDT
This issue has been addressed in the following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2013:1427 https://rhn.redhat.com/errata/RHSA-2013-1427.html
Comment 21 errata-xmlrpc 2013-10-17 13:20:36 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1441 https://rhn.redhat.com/errata/RHSA-2013-1441.html
Comment 23 errata-xmlrpc 2013-11-14 12:30:53 EST
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:1523 https://rhn.redhat.com/errata/RHSA-2013-1523.html
Comment 24 errata-xmlrpc 2013-12-17 13:39:16 EST
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2013:1852 https://rhn.redhat.com/errata/RHSA-2013-1852.html
Comment 28 errata-xmlrpc 2014-02-24 12:57:35 EST
This issue has been addressed in the following products:

  RHEL 6 Version of OpenShift Enterprise 2.0

Via RHSA-2014:0207 https://rhn.redhat.com/errata/RHSA-2014-0207.html
Comment 29 Kurt Seifried 2014-06-25 03:51:35 EDT
Statement:

Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support
and maintenance life cycle. This has been rated as having Moderate security
impact and is not currently planned to be addressed in future updates. For
additional information, refer to the Red Hat OpenShift Enterprise Life Cycle:
https://access.redhat.com/site/support/policy/updates/openshift.
Comment 31 Kurt Seifried 2014-09-18 16:34:29 EDT
SAM-1 uses rubygems as a dependency and does not directly download or install additional ruby gems once installed.