oss-sec mailing list archives
Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older
From: Alexander Cherepanov <cherepan () mccme ru>
Date: Sun, 15 Sep 2013 01:11:24 +0400
On 2013-09-10 09:32, Eric Hodel wrote:
The vulnerability can be fixed by changing the first grouping to an atomic grouping in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb. For RubyGems 2.0.x: - VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc: + VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc: For RubyGems 1.8.x: - VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc: + VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
This is not enough. The following script: # Regexes are from https://github.com/rubygems/rubygems/blob/master/lib/rubygems/version.rb#L150 VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc: ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc: '1111111111111111111111111111.' =~ ANCHORED_VERSION_PATTERN takes ~1m on my machine. The problem is not in VERSION_PATTERN but in its possible repetition inside ANCHORED_VERSION_PATTERN. -- Alexander Cherepanov
Current thread:
- CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Eric Hodel (Sep 09)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Alexander Cherepanov (Sep 14)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Kurt Seifried (Sep 16)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Eric Hodel (Sep 17)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Kurt Seifried (Sep 18)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Alexander Cherepanov (Sep 18)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Eric Hodel (Sep 18)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Eric Hodel (Sep 20)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Tomas Hoger (Sep 20)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Kurt Seifried (Sep 16)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Alexander Cherepanov (Sep 14)