oss-sec mailing list archives
Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older
From: Eric Hodel <drbrain () segment7 net>
Date: Wed, 18 Sep 2013 18:03:00 -0700
On Sep 18, 2013, at 15:05, Alexander Cherepanov <cherepan () mccme ru> wrote:
> On 2013-09-18 04:11, Eric Hodel wrote:
>> Here's a new patch to go with the new (unassigned) CVE. This new patch replaces regular expression matches that are susceptible to backtracking with a parser-like approach.
>
> According to your patch 'versions have only one "-" (per semver)'. This means that "*" after "(#{VERSION_PATTERN})" in ANCHORED_VERSION_PATTERN is a bug. It should be "?". If you fix it then there should be no problem with VERSION_PATTERN at all. AFAICT VERSION_PATTERN gives you a linear complexity. Hence there is no need to suppress backtracking…
Good catch, I think this is a bug, but I'll need to check with the person who added that.
>> This patch applies to RubyGems 2.1.x releases. I will create patches for RubyGems 1.8.23.1, 1.8.26, 2.0.9 and 2.1.4 if there is no obvious flaw seen in it. I would like to release this fix by Monday, 23 September as I will be traveling mid-week. The vulnerable regular expression constants are still present, but I can't think of a way to construct them that does not allow backtracking.
>
> ...but if you really want to suppress backtracking (say, for optimization) it is easy: either atomic grouping for every repetition (exactly the way you have already done but for other repetitions also) or add extra "+" after each "+" and "*". That's according to http://www.ruby-doc.org/core-2.0.0/Regexp.html .
Thank you. I glossed over the * in ANCHORED_VERSION_PATTERN, and this fixes the problem with minimal change (something I would prefer for a security fix). Here is a complete updated patch including the backtracking and extra "-" fixes:
Attachment: CVE-2013-XXXX.2.patch
The same script as in my previous message can be used to verify it.
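The backtracking argument in the exchange above, as an added Ruby example that is not part of the thread and is not code from the patch or from any RubyGems release: the version pattern below is a reconstruction of the shape under discussion ("N(.N)*(-pre(.pre)*)?"; its character classes are an assumption), and the three anchored variants show the "*"-quantified group that backtracks exponentially, the "?" fix Alexander proposes, and a possessive-quantifier variant of the kind he mentions. The sample inputs are constructed for the example. Note that Ruby 3.2 and later memoize backtracking for patterns like this one, so on those interpreters the "vulnerable" timings come out flat; on older Rubies each three extra digits cost roughly eight times as much.

```ruby
# Added example (not from the thread or from RubyGems): reconstructed shape of a
# semver-like version pattern, "N(.N)*(-pre(.pre)*)?", used to show why the
# anchoring quantifier matters.  The character classes are assumptions.
VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?'

# Anchored with "*": the whole version may repeat, and a repeat may start right
# after a digit, so a run of n digits can be split between iterations in 2^(n-1)
# ways.  On a non-matching suffix the engine tries every split before failing.
VULNERABLE = /\A\s*(#{VERSION_PATTERN})*\s*\z/

# Anchored with "?": at most one version per string, as the reply proposes.  Every
# inner repetition is introduced by a literal "." or "-", so each position has a
# single way to continue and a failed match costs linear time.
FIXED = /\A\s*(#{VERSION_PATTERN})?\s*\z/

# Belt and braces: possessive quantifiers ("+" appended to "+", "*" or "?") never
# give characters back, so even a leftover ambiguity could not be backtracked.
POSSESSIVE_VERSION_PATTERN =
  '[0-9]++(\.[0-9a-zA-Z]++)*+(-[0-9A-Za-z-]++(\.[0-9A-Za-z-]++)*+)?+'
POSSESSIVE = /\A\s*+(#{POSSESSIVE_VERSION_PATTERN})?+\s*+\z/

# Constructed sample inputs: valid versions, malformed strings, and a short
# pathological input (a digit run followed by a character no branch accepts).
SAMPLES = [
  "1.0", "1.8.23.1", "  2.1.4-rc.1 ", "1.0.a", "1.0-pre-1.x",
  "", "   ",
  "1.0!", "1..0", "-1", "1.0-", "1-a.", "v1.0",
  "1" * 10 + "!",
].freeze

def valid_version?(str, re = FIXED)
  re.match?(str)
end

# The three regexes accept exactly the same strings (a second "*" iteration
# would have to start with a digit, which the first iteration always consumes);
# only their backtracking behaviour differs.  True when every sample agrees.
def same_verdict?(samples = SAMPLES)
  samples.all? do |s|
    a = VULNERABLE.match?(s)
    a == FIXED.match?(s) && a == POSSESSIVE.match?(s)
  end
end

# Worst-case input for the "*" anchoring: a run of digits and then a character
# that cannot start or continue any component of the pattern.
def pathological(n)
  "1" * n + "!"
end

# Wall-clock seconds for one match attempt.
def time_match(re, str)
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  re.match?(str)
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0
end

if __FILE__ == $PROGRAM_NAME
  puts "all variants agree on SAMPLES: #{same_verdict?}"
  # On Ruby < 3.2 each +3 digits costs roughly 8x under the "*" anchoring;
  # Ruby 3.2+ memoizes and shows a flat line.  Sizes are kept small so this
  # terminates quickly on any interpreter.
  [8, 11, 14, 17].each do |n|
    printf "n=%2d  VULNERABLE %8.4fs  FIXED %8.4fs  POSSESSIVE %8.4fs\n",
           n, time_match(VULNERABLE, pathological(n)),
           time_match(FIXED, pathological(n)),
           time_match(POSSESSIVE, pathological(n))
  end
  # The fixed variants stay linear even for a very long digit run.
  printf "n=%d  FIXED %.4fs\n", 200_000, time_match(FIXED, pathological(200_000))
end
```

Run it with `ruby redos_version.rb` (any file name; it is an assumed name). The useful check when reviewing a fix like this is `same_verdict?`: a quantifier change that is purely a de-ambiguation must not alter the accepted language, and the assertion that all three patterns agree on valid, invalid and pathological inputs is the cheap way to confirm that. Where a process must stay up even if an ambiguous pattern slips through, Ruby 3.2 and later also offer `Regexp.timeout=` as a process-wide backstop, independent of the pattern fix.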
Current thread:
- CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Eric Hodel (Sep 09)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Alexander Cherepanov (Sep 14)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Kurt Seifried (Sep 16)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Eric Hodel (Sep 17)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Kurt Seifried (Sep 18)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Alexander Cherepanov (Sep 18)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Eric Hodel (Sep 18)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Eric Hodel (Sep 20)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Tomas Hoger (Sep 20)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Kurt Seifried (Sep 16)
- Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older Alexander Cherepanov (Sep 14)