Re: CVE request: 3 DoS conditions in Rake

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/14/2013 05:20 PM, Vincent Danen wrote:
> Three issues were noted in recent release of upstream Rake.  All
> are DoS issues.
>
> From https://bugzilla.redhat.com/show_bug.cgi?id=895277 (2
> issues):
>
> Upstream released [1] Rack 1.4.2, 1.3.7, 1.2.6, and 1.1.4 to fix a 
> denial of service condition when Rack parses content with a
> certain Content-Disposition header as noted in the original report
> [2].
>
> This has been fixed in git [3].

Please use CVE-2012-6109 for this issue (fixed in Rack 1.4.2 and so on)

> Additionally, a second flaw that was fixed in 1.4.4, 1.3.9, 1.2.7,
> and 1.1.5 was also announced [4] that creates a minor denial of
> service condition, this time in the Rack::Auth::AbstractRequest,
> where it symbolized arbitrary strings (apparently this has
> something to do with authentication, but there is no further
> information provided other than the fix [5] itself, which is noted
> as "a breaking API change").

Please use CVE-2013-0184 for this issue (fixed in Rack 1.4.4 and so on)

> [1] http://rack.github.com/ [2] 
> https://groups.google.com/forum/#!msg/rack-devel/1w4_fWEgTdI/XAkSNHjtdTsJ
[3]
> https://github.com/rack/rack/commit/4fc44671b3cad569421f4f8b775c0590b86f575e
>
>  [4] 
> https://groups.google.com/forum/#!topic/rack-devel/ImYOqcGiksw/discussion
[5]
> https://github.com/rack/rack/commit/0c76175fcccad74ba2f991c487d3669c28a297c8


=====================

>
And from https://bugzilla.redhat.com/show_bug.cgi?id=895282:
> Upstream released [1] Rack 1.4.3 and 1.3.8 to fix a denial of
> service condition due to a malicious client sending excessively
> long lines that trigger an out-of-memory error in Rack.
>
> This has been fixed in git [2].

Please use CVE-2013-0183 for this issue (fixed in Rack 1.4.3 and so on)


> [1] 
> https://groups.google.com/forum/#!topic/rack-devel/-MWPHDeGWtI/discussion
[2]
> https://github.com/rack/rack/commit/f95113402b7239f225282806673e1b6424522b18

Please
>
use CVE-2012-6109 for this issue (fixed in Rack 1.4.2, released
in 2012 so 2012 CVE)



> Could three CVEs be assigned for these issues please?  Thanks.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ9LaMAAoJEBYNRVNeJnmTmV0P/ihQNH1ta7ju4e5QvkhV2AQT
k+AlM+tyrS8lIFQ5ywrydnKUPemm/LSh3mFyMnqG2JxYR4B9aooC86VBoR8il/wF
a3UJv4nlmqOCXY4v+px7YoCcsIUK5saf5NGTsdCG3oej+d2xgpiVdVvZoD9dx9Ih
RN42/KhPJzGE+s/Mi5DTz2IVVG/s1Egu7UlEM8ySwWyHCLQhIITccidR54dwbla5
ATOAx23WDeVTG35vvgMPXVZUgzHl6fg2n027ZTQrLABuYZ7dDKM5aspI1f2lLPoc
bli6bIveH2XPoMME+E39gYcWktF5E+Mocoks1QlAzULJOZiABZKj5lnVE41mbFOm
2oUljrZ0b2LWwXMAnfCW6xzWDUFmFiUe/Yu8AS/6X4uPSJ9Wrkq6arOjzm6sEEP+
7efhPvPnY/zPDzOJAAG+ggGvBxKd1iWWzimg1pMwrXyEuEwWSnxlfTguWGRqC1f0
CBFsLqdMUgY4+DxyJYhZCfnhYzUjve1fPBLm/U6ADDxvWliNVFyyW8QXAHNYOUG4
/3NIKWYhMt/9clV7DtdV38w5/sp+uHdooPAKhpv2ZZ7n/M1mEBlfjHoG0+OPfYVh
jJcxfaF08gM67XaT6poyRzsna7kTZbCmUotMFuPKfHxq/ikuKEF53NEG0ahFa4Kh
tucpKur4ikJaT5hMixng
=n42W
-----END PGP SIGNATURE-----