oss-sec mailing list archives
Re: CVE Request: bson-ruby DoS and possible injection
From: cve-assign () mitre org
Date: Sat, 6 Jun 2015 12:03:50 -0400 (EDT)
http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
As far as we can tell, this requires three CVE IDs because there were three independent mistakes.

CVE-2015-4410 is for the original 2012-01-23 implementation of legal? using the ^[0-9a-f]{24}$ regular expression.

CVE-2015-4411 is for the bernerdschaefer 2012-04-17 commit in which legal? began using the \A\h{24}\Z regular expression. The mongo_ruby_regexp.html blog post describes this as "proper" but later explains that it was problematic, in at least one context, because of a minor DoS that would have been avoided if the correct \A\h{24}\z (lowercase 'z') had been used instead.

CVE-2015-4412 is for the durran 2013-04-07 commit in which the \A\h{24}\Z regular expression was changed to the ^[0-9a-f]{24}$ regular expression.

The copying of the original ^[0-9a-f]{24}$ mistake from Moped::BSON to one or more other codebases doesn't require additional CVE IDs. Similarly, the copying of the \A\h{24}\Z mistake or the second ^[0-9a-f]{24}$ mistake to one or more other codebases doesn't require additional CVE IDs. (It's quite possible that no such copying ever occurred.)

The claim in http://homakov.blogspot.ru/2012/05/saferweb-injects-in-various-ruby.html of:

  Regexp are just like cars - they should work as same and similar as
  it's possible. Breaking standard behavior by purpose and telling
  people "It's not a bug, it's a feature" looks so disgusting to me.
  It's not a feature, it's a vulnerability.

is not accepted as a Ruby vulnerability by the CVE project. There is no CVE ID for the observation that Ruby regular-expression semantics can be considered different from regular-expression semantics seen elsewhere. If there are other products (that otherwise qualify for CVE IDs) with incorrect and security-relevant uses of ^$ in Ruby code, then there can be additional CVE IDs for each independent codebase.
For example, referring to the "Showcases time" section of the saferweb-injects-in-various-ruby.html page, there can't be a CVE ID for GitHub.com (because it could be site-specific code) but there could be a CVE ID if the issue affected a 2012 version (if one existed) of the GitHub Enterprise product.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
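To make the three anchor variants from the message above concrete, here is an added example (not code from bson-ruby, Moped, or the post): it runs the same constructed inputs through each pattern. The legal? name mirrors the method discussed; the sample id and the helper names are constructed for illustration.

```ruby
# Added example, not code from bson-ruby or from the message above.
# Ruby anchor semantics: ^ and $ match at the start/end of any LINE,
# \Z matches at the end of the string OR just before a final "\n",
# \z matches only at the true end of the string.
LINE_ANCHORS = /^[0-9a-f]{24}$/   # pattern behind CVE-2015-4410 / CVE-2015-4412
TRAILING_NL  = /\A\h{24}\Z/       # pattern behind CVE-2015-4411
STRICT       = /\A\h{24}\z/       # the corrected form the blog post recommends

PATTERNS = { line_anchors: LINE_ANCHORS, trailing_nl: TRAILING_NL, strict: STRICT }.freeze

# Mirrors a legal?-style check: does `pattern` accept `str` as a 24-hex ObjectId?
# Non-strings are rejected up front so nil or arrays never reach the regexp.
def legal?(str, pattern)
  str.is_a?(String) && pattern.match?(str)
end

# Run one input through all three patterns; returns { name => true/false }.
def compare(str)
  PATTERNS.transform_values { |pat| legal?(str, pat) }
end

# Constructed sample inputs (hypothetical values, not real ObjectIds).
VALID_ID  = "4e4d66343b39b68407000001"
WITH_NL   = "#{VALID_ID}\n"               # 25 chars: not a valid 24-hex id
MULTILINE = "x\n#{VALID_ID}\nnot-an-id"   # valid-looking id on its own line

if __FILE__ == $PROGRAM_NAME
  [VALID_ID, WITH_NL, MULTILINE].each do |s|
    puts "#{s.inspect} => #{compare(s)}"
  end
end
```

Only STRICT rejects both the trailing-newline string and the multi-line string; the ^$ form accepts anything that contains a matching line, and \Z still lets a 25-character value through. Note also that \h accepts uppercase hex while [0-9a-f] does not, so the two patterns differ in more than their anchors.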
Current thread:
- CVE Request: bson-ruby DoS and possible injection Phill MV (Jun 05)
- Re: CVE Request: bson-ruby DoS and possible injection cve-assign (Jun 06)