Re: CVE Request: bson-ruby DoS and possible injection

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html

As far as we can tell, this requires three CVE IDs because there were
three independent mistakes.

CVE-2015-4410 is for original 2012-01-23 implementation of legal?
using the ^[0-9a-f]{24}$ regular expression.

CVE-2015-4411 is for the bernerdschaefer 2012-04-17 commit in which
legal? began using the \A\h{24}\Z regular expression. The
mongo_ruby_regexp.html blog post describes this as "proper" but later
explains that it was problematic, in at least one context, because of
a minor DoS that would have been avoided if the correct \A\h{24}\z
(lowercase 'z') had been used instead.

CVE-2015-4412 is for the durran 2013-04-07 commit in which the
\A\h{24}\Z regular expression was changed to the ^[0-9a-f]{24}$
regular expression.

The copying of the original ^[0-9a-f]{24}$ mistake from Moped::BSON to
one or more other codebases doesn't require additional CVE IDs.

Similarly, the copying of the \A\h{24}\Z mistake or the second
^[0-9a-f]{24}$ mistake to one or more other codebases doesn't require
additional CVE IDs. (It's quite possible that no such copying ever
occurred.)

The claim in
http://homakov.blogspot.ru/2012/05/saferweb-injects-in-various-ruby.html
of:

  Regexp are just like cars - they should work as same and similar as
  it's possible. Breaking standard behavior by purpose and telling
  people "It's not a bug, it's a feature" looks so disgusting to me.
  It's not a feature, it's a vulnerability.

is not accepted as a Ruby vulnerability by the CVE project. There is
no CVE ID for the observation that Ruby regular-expression semantics
can be considered different from regular-expression semantics seen
elsewhere.

If there are other products (that otherwise qualify for CVE IDs) with
incorrect and security-relevant uses of ^$ in Ruby code, then there
can be additional CVE IDs for each independent codebase. For example,
referring to the "Showcases time" section of the
saferweb-injects-in-various-ruby.html page, there can't be a CVE ID
for GitHub.com (because it could be site-specific code) but there
could be a CVE ID if the issue affected a 2012 version (if one
existed) of the GitHub Enterprise product.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVcxluAAoJEKllVAevmvmsrrcH/iywyYQPmcd+Bn6gkRKfxUsx
9TmAgV6lCztWgVR0kqTrBZC5GcACcZWV2jVEg/3RD3/fXH23ulqTvKZEZrbTVIHv
mDMH5WId3gimyNdy2IkNZqsKeeJxNi6rtWyg+QLD8M1+fLW9vrmRPYKN7VPcHWZX
ZTEauEFN0Gq+23hM01DUnXpnV1sErtGWceIXnvVKP1skyitgJYhz6SRmyL2+FQpc
iUAqTJUMeUlEvM40WxQPbX2Q7PeH0dIoNN4UmC2VE/RmzysIDhtaZQwsaFcMDpA3
wS8Lva/Ici4klxNUxdZsMEKxg1V7y1djlvRDbUlVpqHvrMZbTTkJraf8cbbZJik=
=o3AI
-----END PGP SIGNATURE-----