Aaron Patterson reports: Possible DoS Vulnerability in Action Mailer There is a possible DoS vulnerability in the log subscriber component of Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2013-4389. Versions Affected: 3.x.x Not affected: 4.0.x, 2.3.x Fixed Versions: 3.2.15 Impact ------ A carefully crafted email address in conjunction with the Action Mailer logger format string could possibly lead to a denial of service attack. All users running an affected release should either upgrade or use one of the work arounds immediately. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- If you can't upgrade or apply patch to your system, you can work around the issue by using the following monkey patch after requiring Action Mailer: ```ruby module ActionMailer class LogSubscriber < ActiveSupport::LogSubscriber def deliver(event) recipients = Array.wrap(event.payload[:to]).join(', ') info("\nSent mail to #{recipients} (#{event.duration.round(1)}ms)") debug(event.payload[:mail]) end end end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 3-2-log-subscriber.patch - Patch for 3.2 series * 3-1-log-subscriber.patch - Patch for 3.1 series * 3-0-log-subscriber.patch - Patch for 3.0 series Please note that only the 4.0.x, 3.2.x, and 2.3.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks to Aaron Neyer for reporting this vulnerability!
Acknowledgements: Red Hat would like to thank the Ruby on Rails project for reporting this issue. Upstream acknowledges Aaron Neyer as the original reporter.
Created attachment 812644 [details] 3-0-log-subscriber-CVE-2013-4389.patch
Created attachment 812645 [details] 3-1-log-subscriber-CVE-2013-4389.patch
Created attachment 812646 [details] 3-2-log-subscriber-CVE-2013-4389.patch
Created rubygem-actionmailer tracking bugs for this issue: Affects: fedora-all [bug 1035153]
rubygem-actionmailer-3.2.13-2.fc19, rubygem-actionpack-3.2.13-4.fc19, rubygem-activesupport-3.2.13-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. This issue did not affect the versions of rubygem-actionmailer as shipped with Red Hat Subscription Asset Manager 1 as they do not include support for sending email using user supplied addresses.