RubyGems validates gem versions with a regular expression that is vulnerable to denial of service through catastrophic backtracking. By supplying a specially crafted version string, an attacker can cause a denial of service through excessive CPU consumption. An initial attempt to fix this (CVE-2013-4287) was made; however, the regex used in that fix was found to be insufficient and still allowed a denial of service to occur. References: http://seclists.org/oss-sec/2013/q3/605 http://seclists.org/oss-sec/2013/q3/631
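The backtracking behaviour described above, shown with an added Ruby example that is not RubyGems' own code. The two patterns below are simplified stand-ins of the same general shape as the Gem::Version pattern (an assumption; they are not the upstream regexes before or after either fix), and crafted_version, bounded_match and valid_version? are helper names chosen here. On Ruby 3.2 or later the regex engine's memoization hides most of the slowdown for the vulnerable pattern and Regexp.timeout is available as an extra guard; on older interpreters the match time for the vulnerable pattern grows exponentially with n, while the safe pattern stays linear.

```ruby
require 'timeout'

# Simplified version patterns (assumption: illustrative, not the exact
# RubyGems regexes). A version is a run of digits followed by zero or more
# ".segment" parts, with optional surrounding whitespace.
#
# VULNERABLE nests a repeated group inside another unbounded repetition.
# "12345" can then be split as (1)(2345), (12)(345), (1)(2)(345), ... so a
# string of n digits followed by a character that can never match forces
# the engine to try on the order of 2^(n-1) partitions before giving up.
VULNERABLE = /\A\s*([0-9]+(\.[0-9a-zA-Z]+)*)*\s*\z/

# SAFE allows at most one version (`?` instead of `*`), makes the leading
# digit run possessive (`++`) and each dotted segment atomic (`(?>...)`),
# so once a piece has matched the engine never tries to re-split it.
# Matching is then linear in the input length.
SAFE = /\A\s*([0-9]++(?>\.[0-9a-zA-Z]+)*)?\s*\z/

# The check a caller would actually use.
def valid_version?(str)
  SAFE.match?(str)
end

# Constructed attacker input: n digits, then a character no pattern accepts.
def crafted_version(n)
  ('1' * n) + '!'
end

# Run a full-string match under a wall-clock bound.
# Returns [:match | :nomatch | :timeout, elapsed_seconds].
def bounded_match(re, str, seconds)
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  verdict = begin
    Timeout.timeout(seconds) { re.match?(str) ? :match : :nomatch }
  rescue Timeout::Error
    :timeout
  end
  [verdict, Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0]
end

# Stand-alone demo: both patterns agree on well-formed versions, but only
# the vulnerable one slows down as the crafted input grows.
if $PROGRAM_NAME == __FILE__
  ['1.2.3', ' 2.0.10 ', '1.8.23.2', '1..2', '1.2!'].each do |v|
    printf("%-12p vulnerable=%-5s safe=%-5s\n",
           v, VULNERABLE.match?(v), valid_version?(v))
  end
  [10, 14, 18, 22].each do |n|
    input = crafted_version(n)
    [['vulnerable', VULNERABLE], ['safe', SAFE]].each do |name, re|
      verdict, secs = bounded_match(re, input, 2.0)
      printf("%-10s n=%-3d %-8s %.4fs\n", name, n, verdict, secs)
    end
  end
end
```

The fix direction matters more than the exact pattern: the problem is an ambiguous split between nested quantifiers, so any rewrite must remove the ambiguity (possessive or atomic groups, or a single non-repeated outer group), not merely tighten the character classes.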
CVE-2013-4287 is tracked via bug 1002364. CVE-2013-4363 is now fixed upstream in versions: 2.1.5, 2.0.10, 1.8.27 and 1.8.23.2 External References: http://blog.rubygems.org/2013/09/24/CVE-2013-4363.html
Upstream commit links:
Patch for RubyGems 2.1.x: https://github.com/rubygems/rubygems/commit/dca0500bb24c7cba5551468a1ed28388876aded2
Patch for RubyGems 2.0.x: https://github.com/rubygems/rubygems/commit/20325c134b5ca1928a15338eeb7ead1239dbf2b9
Patch for RubyGems 1.8.x: https://github.com/rubygems/rubygems/commit/f63bfbc5c7b5725def5fecd6518ce2aa49e12ecd
Patch for RubyGems 1.8.23.1: https://github.com/rubygems/rubygems/commit/56d1f8c17bc81f0eb354d5099021c498a0be9b51
This CVE was assigned for the incomplete fix for CVE-2013-4287. Red Hat has not yet released any rubygems package update for CVE-2013-4287, so no shipped package contains the incomplete fix and no Red Hat product is affected by this new CVE-2013-4363. The future rubygems update addressing CVE-2013-4287 will contain the complete fix. Statement: Not vulnerable. This issue did not affect the versions of rubygems as shipped with various Red Hat products.