oss-sec mailing list archives
Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 16 Sep 2013 19:28:03 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/14/2013 03:11 PM, Alexander Cherepanov wrote:
On 2013-09-10 09:32, Eric Hodel wrote:The vulnerability can be fixed by changing the first grouping to an atomic grouping in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb. For RubyGems 2.0.x: - VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc: + VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc: For RubyGems 1.8.x: - VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc: + VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:This is not enough. The following script: # Regexes are from https://github.com/rubygems/rubygems/blob/master/lib/rubygems/version.rb#L150
VERSION_PATTERN =
'[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc: ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc: '1111111111111111111111111111.' =~ ANCHORED_VERSION_PATTERN takes ~1m on my machine. The problem is not in VERSION_PATTERN but in its possible repetition inside ANCHORED_VERSION_PATTERN.
Great, I guess we're going to need a new CVE. Before I assign one can we make sure we fix this so more fiddly expressions don't cause problems? Thanks. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) iQIcBAEBAgAGBQJSN7AjAAoJEBYNRVNeJnmT364QANqrjzrwEwdP3gJvjNY2e8j6 /uSyVCeka3ipjvDnq/JMOVNMRmOuic54BXcJKxPaVhTSs1F6qn1yhz5loFbN7Iy7 ra6J+VUGIPiRVJmNHZy5h6vXeugyhT72/WAUxOLHzpByZIswACIWU//+K4Wq3Tuq n6sFffsSyL4sVFul37wc9uKP3moP45tAd/VRoX2Puj7srfuTJ3NrmS4PhaMsgI60 t1bh7I46IBxMjb0xLEDtw5EDe014hcN2MDfyPuvs8CYKDUPnYT37mauS7YjHyXO2 /A6HvcI0oOIHrWqZD43gsf+mtWyEAmLvU0M+2mlFEnvAYRDXKHX5YWUwdRTgsQgd DOOmxktlFrwUxvcga/YiYzjxydg64x35II9C/ueVr8SWX9NYuKDCSZejXt/9wkQZ Ajmkvzdx7vpRVcCgxhyf0Qs0gcSp2t0KBidh/HKdmCeLW7iyEL2W4MChK6UOSZk/ pNEFnGx4/3Le+MhU8a2vcSfMGXOjYNefsSTWUJl3AbcrJcWNFjGElCH4rjBZydwm PGEM38TOVHdeodQTCW0TIGNMhp/sNBR3J8wkh8Pv59xUD6X54JQf3C8NnIBQJ9yX nRxy9lVmPn6WxbQtsiS44N14a3yqvy5jsqTKuafFj6SdmvrdG0Fblb0C9dvLGzx9 9GXwOmzhTqeVEOi2InYg =tciT -----END PGP SIGNATURE-----
Current thread:
- CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Eric Hodel (Sep 09)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Alexander Cherepanov (Sep 14)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Kurt Seifried (Sep 16)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Eric Hodel (Sep 17)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Kurt Seifried (Sep 18)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Alexander Cherepanov (Sep 18)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Eric Hodel (Sep 18)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Eric Hodel (Sep 20)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Tomas Hoger (Sep 20)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Kurt Seifried (Sep 16)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Alexander Cherepanov (Sep 14)