Bug 1009720 (CVE-2013-4363) - CVE-2013-4363 rubygems: version regex algorithmic complexity vulnerability, incomplete CVE-2013-4287 fix
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2013-4363
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1002838 1002839 1002841 1002842 1002843 1002845 1002847 1002848 1005269 1006429 1006440 1012267 1012780 1012789
Blocks: 1002366
Reported: 2013-09-19 01:48 UTC by Kurt Seifried
Modified: 2021-02-17 07:20 UTC (History)

Fixed In Version: rubygems 2.1.5, rubygems 2.0.10, rubygems 1.8.27, rubygems 1.8.23.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-02 08:38:00 UTC
Embargoed:



Description Kurt Seifried 2013-09-19 01:48:48 UTC
RubyGems validates versions with a regular expression that is vulnerable to
denial of service due to a backtracking regular expression.  For specially
crafted RubyGems versions attackers can cause denial of service through CPU
consumption.

An initial attempt to fix this (CVE-2013-4287) was made; however, the regex used
was found to be insufficient and still allowed a denial of service to occur.

http://seclists.org/oss-sec/2013/q3/605
http://seclists.org/oss-sec/2013/q3/631
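The bug class described in this report, as an added example that is not RubyGems code: a constructed version pattern whose nested quantifier is ambiguous sits next to an unambiguous, linear-time one, and a small validator puts a length cap and a wall-clock budget in front of whichever pattern is used. The module name, both regular expressions, MAX_LEN and near_miss are assumptions made for illustration; neither regex is the expression RubyGems actually shipped.

```ruby
require 'timeout'
require 'benchmark'

# Added example, not code from RubyGems. Both patterns are constructed to
# illustrate the bug class; neither is the expression RubyGems actually used.
module VersionCheck
  # Ambiguous shape: the outer (...)* can re-split a run of digits in 2^(n-1)
  # ways, so an input like "1111...1x" forces a backtracking engine through
  # every split before it finally fails. (Ruby 3.2+ memoizes such patterns;
  # older Rubies and most other regex engines do not.)
  AMBIGUOUS_RE = /\A\s*([0-9]+(\.[0-9a-zA-Z]+)*)*\s*\z/

  # Unambiguous shape: each character can be consumed by exactly one branch,
  # so a failing input is rejected after a single left-to-right pass.
  LINEAR_RE = /\A\s*[0-9]+(?:\.[0-9a-zA-Z]+)*\s*\z/

  MAX_LEN = 256 # constructed bound: a hard length cap limits worst-case work

  # Classify a candidate version string as :ok, :invalid, :too_long or :timeout.
  # The length check runs before the regex, and the regex runs under a time
  # budget, so even a poorly chosen pattern cannot pin a CPU for long.
  def self.classify(str, re: LINEAR_RE, max_len: MAX_LEN, budget: 0.5)
    return :too_long if str.length > max_len
    Timeout.timeout(budget) { re.match?(str) ? :ok : :invalid }
  rescue Timeout::Error
    :timeout
  end

  # Input that matches almost entirely and fails on its last character: the
  # worst case for a backtracking engine, used here to test a pattern.
  def self.near_miss(n)
    ("1" * n) + "x"
  end
end

if $PROGRAM_NAME == __FILE__
  # Compare how the two shapes scale on near-miss inputs of growing length.
  [16, 20, 24, 28].each do |n|
    s = VersionCheck.near_miss(n)
    t_amb = Benchmark.realtime do
      VersionCheck.classify(s, re: VersionCheck::AMBIGUOUS_RE, budget: 5)
    end
    t_lin = Benchmark.realtime { VersionCheck.classify(s) }
    printf("n=%2d ambiguous=%.4fs linear=%.6fs\n", n, t_amb, t_lin)
  end
end
```

Run stand-alone, the script prints the match time for each pattern as the near-miss input grows; on an engine without memoization the ambiguous column doubles with every extra digit until the budget cuts it off, while the linear column stays flat. The length cap is the cheapest of the three defences and is worth keeping even after the regex itself is fixed.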

Comment 1 Tomas Hoger 2013-09-25 07:49:51 UTC
CVE-2013-4287 is tracked via bug 1002364.

CVE-2013-4363 is now fixed upstream in versions: 2.1.5, 2.0.10, 1.8.27 and 1.8.23.2

External References:

http://blog.rubygems.org/2013/09/24/CVE-2013-4363.html

Comment 5 Tomas Hoger 2013-10-02 08:38:00 UTC
This CVE was assigned for an incomplete fix for CVE-2013-4287.  Red Hat has not yet released rubygems package updates fixing CVE-2013-4287 incompletely, therefore no Red Hat product is affected by this new CVE-2013-4363.  A future rubygems update addressing CVE-2013-4287 will contain the complete fix.

Statement:

Not vulnerable. This issue did not affect the versions of rubygems as shipped with various Red Hat products.
