Bug 933961 (CVE-2015-4410) - VUL-1: CVE-2015-4410,CVE-2015-4411,CVE-2015-4412: rubygem-bson-1_11,rubygem-bson-1_9: DoS and possible injection
Status: RESOLVED FIXED
Alias: CVE-2015-4410
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low Severity: Normal
Target Milestone: ---
Assignee: Bernhard Wiedemann
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/117366/
Whiteboard: CVSSv2:RedHat:CVE-2015-4412:5.1:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-08 16:31 UTC by Marcus Meissner
Modified: 2017-08-10 14:36 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2015-06-08 16:31:15 UTC
CVE-2015-4411

I am not fully sure this is rubygem-bson-* here.

http://seclists.org/oss-sec/2015/q2/651
Subject: CVE Request: bson-ruby DoS and possible injection
From: Phill MV <phillmv () state io>
Date: Fri, 5 Jun 2015 17:58:14 -0700

Hi,

Egor Homakov recently disclosed a vulnerability in the `bson` rubygem as
seen here: http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html

Could we please get a CVE?

By submitting a specially crafted string to a service relying on the bson
rubygem, an attacker may trigger denials of service or even inject data
into victim's MongoDB instances.

Users are advised to update to versions >= 3.0.4 of the `bson` rubygem.
Relevant commits can be seen here:
https://github.com/mongodb/bson-ruby/compare/7446d7c6764dfda8dc4480ce16d5c023e74be5ca...28f34978a85b689a4480b4d343389bf4886522e7

Thanks!
Comment 1 Marcus Meissner 2015-06-08 16:31:27 UTC
Subject: Re: CVE Request: bson-ruby DoS and possible injection
From: cve-assign () mitre org
Date: Sat, 6 Jun 2015 12:03:50 -0400 (EDT)

    http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html


As far as we can tell, this requires three CVE IDs because there were
three independent mistakes.

CVE-2015-4410 is for the original 2012-01-23 implementation of legal?
using the ^[0-9a-f]{24}$ regular expression.

CVE-2015-4411 is for the bernerdschaefer 2012-04-17 commit in which
legal? began using the \A\h{24}\Z regular expression. The
mongo_ruby_regexp.html blog post describes this as "proper" but later
explains that it was problematic, in at least one context, because of
a minor DoS that would have been avoided if the correct \A\h{24}\z
(lowercase 'z') had been used instead.

CVE-2015-4412 is for the durran 2013-04-07 commit in which the
\A\h{24}\Z regular expression was changed to the ^[0-9a-f]{24}$
regular expression.

The copying of the original ^[0-9a-f]{24}$ mistake from Moped::BSON to
one or more other codebases doesn't require additional CVE IDs.

Similarly, the copying of the \A\h{24}\Z mistake or the second
^[0-9a-f]{24}$ mistake to one or more other codebases doesn't require
additional CVE IDs. (It's quite possible that no such copying ever
occurred.)

The claim in
http://homakov.blogspot.ru/2012/05/saferweb-injects-in-various-ruby.html
of:

  Regexp are just like cars - they should work as same and similar as
  it's possible. Breaking standard behavior by purpose and telling
  people "It's not a bug, it's a feature" looks so disgusting to me.
  It's not a feature, it's a vulnerability.

is not accepted as a Ruby vulnerability by the CVE project. There is
no CVE ID for the observation that Ruby regular-expression semantics
can be considered different from regular-expression semantics seen
elsewhere.

If there are other products (that otherwise qualify for CVE IDs) with
incorrect and security-relevant uses of ^$ in Ruby code, then there
can be additional CVE IDs for each independent codebase. For example,
referring to the "Showcases time" section of the
saferweb-injects-in-various-ruby.html page, there can't be a CVE ID
for GitHub.com (because it could be site-specific code) but there
could be a CVE ID if the issue affected a 2012 version (if one
existed) of the GitHub Enterprise product.
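The three validators the MITRE reply distinguishes, run against constructed inputs to show which strings each one accepts. This is an added Ruby example, not code from bson-ruby or from the bug report; the constant names, the `legal?` helper and the sample values are assumptions.

```ruby
# Added example (not bson-ruby's code): the three ObjectId validators named
# in the CVE assignment, compared on constructed inputs. Names are hypothetical.

# CVE-2015-4410 / CVE-2015-4412: in Ruby, ^ and $ anchor to line boundaries,
# so any single line of a multi-line string can satisfy the whole pattern.
LEGAL_LINE_ANCHORS = /^[0-9a-f]{24}$/

# CVE-2015-4411: \A is a true start-of-string anchor, but \Z also matches
# immediately before a string-terminating newline.
LEGAL_UPPER_Z = /\A\h{24}\Z/

# Fixed form: \z matches only at the very end of the string.
LEGAL_LOWER_Z = /\A\h{24}\z/

VALIDATORS = {
  line_anchors: LEGAL_LINE_ANCHORS, # ^...$
  upper_z:      LEGAL_UPPER_Z,      # \A...\Z
  lower_z:      LEGAL_LOWER_Z,      # \A...\z
}.freeze

# Constructed sample inputs: a well-formed 24-hex-digit id, the same id with a
# trailing newline, and the id embedded between two non-hex lines.
VALID_ID    = "507f1f77bcf86cd799439011"
TRAILING_NL = "#{VALID_ID}\n"
MULTILINE   = "not-hex\n#{VALID_ID}\nmore text"

SAMPLES = { valid: VALID_ID, trailing_newline: TRAILING_NL, multiline: MULTILINE }.freeze

# True when the given pattern accepts the input as a legal id.
def legal?(input, pattern)
  !!(input =~ pattern)
end

# For each validator, the list of sample inputs it accepts.
def acceptance_table
  VALIDATORS.transform_values do |re|
    SAMPLES.select { |_, s| legal?(s, re) }.keys
  end
end

if __FILE__ == $PROGRAM_NAME
  acceptance_table.each do |name, accepted|
    puts "#{name.to_s.ljust(14)} accepts #{accepted.inspect}"
  end
end
```

Only the `\z` form rejects both the trailing-newline and the multi-line input; the `$` form accepts everything, which is what lets extra text ride along with an otherwise valid id.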
Comment 2 Swamp Workflow Management 2015-06-08 22:01:51 UTC
bugbot adjusting priority
Comment 3 Andreas Stieger 2015-07-03 14:56:25 UTC
(In reply to Marcus Meissner from comment #0)
> CVE-2015-4411
> 
> I am not fully sure this is rubygem-bson-* here.

It is.

Confirmed rubygem-bson-1_9 is affected.
Confirmed rubygem-bson-1_11 is affected (not used).

Cloud 4/5.
Comment 4 Vincent Untz 2015-10-23 11:31:10 UTC
Bernhard: ping?
Comment 5 Bernhard Wiedemann 2016-01-18 12:12:28 UTC
Backported patch into Devel:Cloud:Shared:Rubygem rubygem-bson-1_11,
but cannot get rubygem-bson-1_9 to build
because it lacks the %gem_unpack macro.

Made https://build.opensuse.org/request/show/354557
Comment 8 Swamp Workflow Management 2016-08-09 22:09:01 UTC
SUSE-SU-2016:2019-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (low)
Bug References: 926328,933961,982364
CVE References: CVE-2015-4410
Sources used:
SUSE OpenStack Cloud 5 (src):    rubygem-bson-1_11-1.11.1-9.1, rubygem-easy_diff-0.0.5-9.1, rubygem-redcarpet-3.2.3-9.1, rubygem-sprockets-2_11-2.11.3-11.1
Comment 9 Johannes Segitz 2017-08-10 11:22:29 UTC
fixed in current products