Bug 837457 (CVE-2013-4287) - VUL-0: CVE-2013-4287 CVE-2013-4363: ruby19: Algorithmic complexity vulnerability
Summary: VUL-0: CVE-2013-4287 CVE-2013-4363: ruby19: Algorithmic complexity vulnerability
Status: RESOLVED FIXED
Alias: CVE-2013-4287
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium   Severity: Normal
Target Milestone: ---
Deadline: 2013-10-18
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp2:54791
Keywords:
Depends on:
Blocks:
 
Reported: 2013-08-29 08:08 UTC by Alexander Bergmann
Modified: 2013-12-04 16:55 UTC
CC List: 4 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
New fix coming with comment 6. (4.60 KB, patch)
2013-09-18 07:41 UTC, Alexander Bergmann
Ruby test script for patch in comment 7. (471 bytes, patch)
2013-09-18 07:42 UTC, Alexander Bergmann
complete updated patch including the backtracking and extra "-" fixes (2.35 KB, patch)
2013-09-19 12:07 UTC, Alexander Bergmann
CVE-2013-XXXX.master.patch CVE-2013-XXXX.2.0.patch CVE-2013-XXXX.1.8.patch (1.71 KB, application/x-bzip2)
2013-09-20 09:02 UTC, Alexander Bergmann

Comment 3 Swamp Workflow Management 2013-08-29 22:00:27 UTC
bugbot adjusting priority
Comment 4 Alexander Bergmann 2013-09-11 09:28:45 UTC
Public now via oss-security:

Date: Mon, 9 Sep 2013 22:32:25 -0700
From: Eric Hodel
Subject: [oss-security] CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older

RubyGems validates versions with a regular expression that is vulnerable to denial of service due to backtracking. For specially crafted RubyGems versions attackers can cause denial of service through CPU consumption.

RubyGems versions 2.0.7 and older, 2.1.0.rc.1 and 2.1.0.rc.2 are vulnerable.

Ruby versions 1.9.0 through 2.0.0p247 are vulnerable as they contain embedded versions of RubyGems.

It does not appear to be possible to exploit this vulnerability by installing a gem for RubyGems 1.8.x or 2.0.x. Vulnerable uses of RubyGems API include packaging a gem (through `gem build`, Gem::Package or Gem::PackageTask), sending user input to Gem::Version.new, Gem::Version.correct? or use of the Gem::Version::VERSION_PATTERN or Gem::Version::ANCHORED_VERSION_PATTERN constants.

Notably, users of bundler that install gems from git are vulnerable if a malicious author changes the gemspec to an invalid version.

The vulnerability can be fixed by changing the first grouping to an atomic grouping in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb. For RubyGems 2.0.x:

  -  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
  +  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
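Review bot: the atomic group in the `+` line closes only the `(\.[0-9a-zA-Z]+)*` loop, but the anchored form quoted in comment 5, `ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/`, wraps the whole pattern in a second `*`; since one repetition may end in digits and the next starts with `[0-9]+`, a long leading digit run such as `1111111111111111111111111111.` can still be split between repetitions in exponentially many ways before the trailing `.` fails. The outer repetition should go (one version per string) or the regex should be replaced outright; the same concern applies to the prerelease group `(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?`, whose character class also contains digits and which this hunk leaves non-atomic.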

For RubyGems 1.8.x:

  -  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc:
  +  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
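Review bot: same gap as the 2.0.x hunk: making the dotted-segment loop atomic does nothing about the repetition of VERSION_PATTERN inside ANCHORED_VERSION_PATTERN, so if the 1.8.x anchored pattern also repeats it with `*` as the one quoted in comment 5 does, a leading digit run remains splittable between repetitions. The check script below (`1.22.333.4444.55555.666666.7777777.`) starts every segment after the first with a dot, so it exercises only the loop this hunk fixes; add a single long digit run such as `1111111111111111111111111111.` to the test before calling 1.8.x fixed.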

This vulnerability was discovered by Damir Sharipov <dammer2k@gmail.com>

The above information is also posted at:

http://blog.rubygems.org/2013/09/09/CVE-2013-4287.html

Patches were committed for:

RubyGems 2.1.0.rc.2, released as RubyGems 2.1.0:

https://github.com/rubygems/rubygems/commit/938a7e31ac73655845ab9045629ff3f580a125da

RubyGems 2.0.7, released as RubyGems 2.0.8:

https://github.com/rubygems/rubygems/commit/b9baec03145aed684d1cd3c87dcac3cc06becd9b

RubyGems 1.8.25, released as RubyGems 1.8.26:

https://github.com/rubygems/rubygems/commit/ed733bc379d75620f5be4213f89d1d7b38be3191

RubyGems 1.8.23, released as RubyGems 1.8.23.1:

https://github.com/rubygems/rubygems/commit/b697536f2455e8c8853cf5cf8a1017a36031ed67

The following program can be used to test if you are vulnerable to CVE-2013-4287:

require 'benchmark'
require 'rubygems'

# Time a well-formed version: the pattern matches it on the first attempt.
valid = Benchmark.measure do
  Gem::Version.new '1.22.333.4444.55555.666666.7777777'
end

puts 'Valid version time:'
puts valid

# Time the same string with a trailing '.', which can never match. A vulnerable
# VERSION_PATTERN backtracks through every way of splitting the digit runs
# before Gem::Version.new gives up and raises.
invalid = Benchmark.measure do
  begin
    Gem::Version.new '1.22.333.4444.55555.666666.7777777.'
  rescue
    # "Malformed version number string" is expected; only the time matters here.
  end
end

puts 'Invalid version time:'
puts invalid

# A fixed RubyGems rejects the bad string about as fast as it accepts the good one.
n = (valid.real - invalid.real).abs

if 0.1 < n then
  puts 'You are vulnerable to CVE-2013-4287.'
else
  puts 'You are NOT vulnerable to CVE-2013-4287.'
end
Comment 5 Alexander Bergmann 2013-09-16 09:11:56 UTC
Comment via oss-security.

Date: Sun, 15 Sep 2013 01:11:24 +0400
From: Alexander Cherepanov
Subject: Re: [oss-security] CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older

On 2013-09-10 09:32, Eric Hodel wrote:
> The vulnerability can be fixed by changing the first grouping to an atomic
> grouping in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb.  For
> RubyGems 2.0.x:
> 
>   -  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
>   +  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
> 
> For RubyGems 1.8.x:
> 
>   -  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc:
>   +  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:

This is not enough. The following script:

  # Regexes are from
  # https://github.com/rubygems/rubygems/blob/master/lib/rubygems/version.rb#L150
  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
  '1111111111111111111111111111.' =~ ANCHORED_VERSION_PATTERN

takes ~1m on my machine. The problem is not in VERSION_PATTERN but in
its possible repetition inside ANCHORED_VERSION_PATTERN.
Comment 6 Alexander Bergmann 2013-09-18 07:39:37 UTC
Via oss-security:

Date: Tue, 17 Sep 2013 17:11:00 -0700
From: Eric Hodel
Subject: Re: [oss-security] CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older

> Great, I guess we're going to need a new CVE. Before I assign one can
> we make sure we fix this so more fiddly expressions don't cause
> problems? Thanks.

Here's a new patch to go with the new (unassigned) CVE.  This new patch
replaces regular expression matches that are susceptible to backtracking
with a parser-like approach.
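The two points made in comments 5 and 6, the outer repetition in ANCHORED_VERSION_PATTERN that the atomic group does not touch and the "parser-like approach" that replaces the regex, as an added example. This is not the RubyGems patch or any code from the messages above: it takes the 2.0.x VERSION_PATTERN quoted in comment 4 as the grammar, shows the vulnerable anchored form beside a hardened regex, and writes a single-pass scanner for the same grammar that cannot backtrack. String#strip standing in for the pattern's `\s*`, the constant and method names, and the input lists are all this example's own choices. Note that Ruby 3.2 and later memoize regex matching (and offer Regexp.timeout), so the vulnerable pattern may no longer look slow there; the scanner needs neither.

```ruby
# Added example, not RubyGems' code: the advisory's VERSION_PATTERN in its
# vulnerable anchored form, a hardened regex, and a linear-time scanner for
# the same grammar. Inputs at the bottom are constructed for this example.

# Grammar quoted in the advisory (RubyGems 2.0.x):
#   [0-9]+ ( "." [0-9a-zA-Z]+ )* ( "-" [0-9A-Za-z-]+ ( "." [0-9A-Za-z-]+ )* )?
ADVISORY_VERSION_PATTERN =
  '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?'

# The shape comment 5 objects to: a second "*" around the whole pattern lets a
# digit run end one repetition and begin the next, so a failing match explores
# every split of that run. It also accepts the empty string.
VULNERABLE_ANCHORED = /\A\s*(#{ADVISORY_VERSION_PATTERN})*\s*\z/

# Hardened regex: exactly one version per string and atomic dotted loops.
HARDENED_ANCHORED =
  /\A\s*[0-9]+(?>\.[0-9a-zA-Z]+)*(?:-[0-9A-Za-z-]+(?>\.[0-9A-Za-z-]+)*)?\s*\z/

module VersionScan
  DIGITS = ('0'..'9').to_a.join.freeze
  ALNUM  = (DIGITS + ('a'..'z').to_a.join + ('A'..'Z').to_a.join).freeze
  PRE    = (ALNUM + '-').freeze

  # Advance i over characters of s found in +set+; never looks back.
  def self.take_while(s, i, set)
    i += 1 while i < s.length && set.include?(s[i])
    i
  end

  # Parser-like validation: one pass, O(length), no backtracking. Surrounding
  # whitespace is tolerated via String#strip (assumed close enough to \s*).
  def self.valid_version?(str)
    s = str.strip
    n = s.length
    i = take_while(s, 0, DIGITS)
    return false if i.zero?            # at least one leading digit
    while i < n && s[i] == '.'         # ( "." [0-9a-zA-Z]+ )*
      j = take_while(s, i + 1, ALNUM)
      return false if j == i + 1       # "." must be followed by a segment
      i = j
    end
    if i < n && s[i] == '-'            # ( "-" [0-9A-Za-z-]+ ( "." [0-9A-Za-z-]+ )* )?
      j = take_while(s, i + 1, PRE)
      return false if j == i + 1
      i = j
      while i < n && s[i] == '.'
        j = take_while(s, i + 1, PRE)
        return false if j == i + 1
        i = j
      end
    end
    i == n                             # trailing junk (such as a final ".") fails
  end

  # Differential check: inputs on which scanner and hardened regex disagree.
  def self.mismatches(inputs)
    inputs.reject { |v| valid_version?(v) == HARDENED_ANCHORED.match?(v) }
  end
end

# Constructed test data (not from the bug report), plus the two pathological
# strings quoted on this page.
VALID = ['1', '1.2.3', '1.22.333.4444.55555.666666.7777777', '2.0.0.rc.2',
         '1.0-beta.1', '1-a-b.c-d', '1.8.23.1', ' 3.2.1 '].freeze
INVALID = ['', '  ', '.1', '1.', '1..2', '1.2-', '1.-a', 'a.1', '1.2.3.4444.',
           '1 .2', "1.2\n3"].freeze
PATHOLOGICAL = ['1.22.333.4444.55555.666666.7777777.', '1' * 28 + '.'].freeze

if __FILE__ == $PROGRAM_NAME
  require 'benchmark'
  puts "scanner/hardened mismatches: #{VersionScan.mismatches(VALID + INVALID + PATHOLOGICAL).inspect}"
  PATHOLOGICAL.each do |v|
    t = Benchmark.realtime { VersionScan.valid_version?(v) }
    puts "scanner rejects #{v[0, 12]}... in #{'%.6f' % t}s"
  end
  # Only a short digit run is fed to the vulnerable regex: each extra digit
  # doubles its work (comment 5's 28 digits took about a minute). Ruby 3.2+
  # memoizes regex matching, so this may look fast there regardless.
  t = Benchmark.realtime { VULNERABLE_ANCHORED.match?('1' * 16 + '.') }
  puts "vulnerable regex, 16 digits: #{'%.6f' % t}s"
end
```

The scanner deliberately returns false for the empty string, which the vulnerable anchored pattern accepts through zero repetitions; anything RubyGems did with blank versions is out of scope here. To reproduce comment 5's timing on a pre-3.2 Ruby, raise the 16 in the last benchmark a few digits at a time.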
Comment 7 Alexander Bergmann 2013-09-18 07:41:38 UTC
Created attachment 558802 [details]
New fix coming with comment 6.
Comment 8 Alexander Bergmann 2013-09-18 07:42:34 UTC
Created attachment 558803 [details]
Ruby test script for patch in comment 7.
Comment 9 Alexander Bergmann 2013-09-19 12:04:58 UTC
A second CVE was assigned to this issue (incomplete fix for CVE-2013-4287).

CVE-2013-4363
Comment 10 Alexander Bergmann 2013-09-19 12:07:59 UTC
Created attachment 559043 [details]
complete updated patch including the backtracking and extra "-" fixes
Comment 11 Alexander Bergmann 2013-09-20 09:02:09 UTC
Created attachment 559193 [details]
CVE-2013-XXXX.master.patch CVE-2013-XXXX.2.0.patch CVE-2013-XXXX.1.8.patch

Via oss-security.

Date: Fri, 20 Sep 2013 00:13:58 -0700 
From: Eric Hodel
Subject: Re: [oss-security] CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older
Comment 12 Swamp Workflow Management 2013-10-04 10:05:42 UTC
The SWAMPID for this issue is 54669.
This issue was rated as moderate.
Please submit fixed packages until 2013-10-18.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 13 Marcus Meissner 2013-10-04 10:07:07 UTC
should be in current ruby19 update too
Comment 16 Bernhard Wiedemann 2013-10-21 12:00:24 UTC
This is an autogenerated message for OBS integration:
This bug (837457) was mentioned in
https://build.opensuse.org/request/show/204130 12.2 / ruby19
https://build.opensuse.org/request/show/204131 12.3 / ruby19
Comment 17 Swamp Workflow Management 2013-10-30 10:05:48 UTC
openSUSE-SU-2013:1611-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 837457,843686
CVE References: CVE-2013-2065,CVE-2013-4287,CVE-2013-4363
Sources used:
openSUSE 12.3 (src):    ruby19-1.9.3.p392-1.13.1
openSUSE 12.2 (src):    ruby19-1.9.3.p392-3.30.1
Comment 18 Swamp Workflow Management 2013-11-12 14:56:59 UTC
Update released for: ruby19, ruby19-debuginfo, ruby19-debugsource, ruby19-devel, ruby19-devel-extra, ruby19-doc-ri, ruby19-tk
Products:
SLE-STUDIOONSITE 1.3 (x86_64)