Date: Tue, 18 Feb 2014 11:06:58 -0800
From: Aaron Patterson <tenderlove@...y-lang.org>
To: rubyonrails-security@...glegroups.com, oss-security@...ts.openwall.com,
	secalert@...hat.com
Subject: Denial of Service Vulnerability in Action View when using render
 :text (CVE-2014-0082)

Denial of Service Vulnerability in Action View when using render :text

There is a denial of service vulnerability in the text rendering component of
Action View. This vulnerability has been assigned the CVE identifier
CVE-2014-0082.

Versions Affected: 3.0.x, 3.1.x, 3.2.x
Not affected: 4.0.x
Fixed Versions: 3.2.17

Impact
------

Strings sent in specially crafted headers will be converted to symbols. This can
cause a denial of service since symbols are not removed by the garbage collector.
All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases
--------

The FIXED releases are available at the normal locations.

Workarounds
-----------

Users who cannot upgrade may apply this monkey patch as an initializer to work around
the issue:

```
ActiveSupport.on_load(:action_view) do
  ActionView::Template::Text.class_eval do
    def formats
      [@mime_type.respond_to?(:ref) ? @mime_type.ref : @mime_type.to_s]
    end
  end
end
```
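
An added illustration of the symbol interning that the workaround removes (not code from Rails or from this advisory): `formats_before` and `formats_after` mirror the two versions of `formats`, while `RegisteredType`, `audit`, `sample_values` and the sample strings are constructed stand-ins. The check inspects the symbol table without interning anything itself; Ruby 2.2 and later can collect such symbols once they are unreferenced, whereas earlier Ruby releases never did.

```ruby
require 'securerandom'

# Constructed stand-in for a registered MIME type object (hypothetical, not
# the Rails class): it knows its symbol and exposes it through #ref.
RegisteredType = Struct.new(:string, :symbol) do
  def ref
    symbol || string
  end
end

# Behaviour before the fix: every value is interned with to_sym.
def formats_before(mime_type)
  [mime_type.to_sym]
end

# Behaviour after the fix: registered types answer with their existing
# reference, anything else stays a String and is never interned.
def formats_after(mime_type)
  [mime_type.respond_to?(:ref) ? mime_type.ref : mime_type.to_s]
end

# Runs the block over each value, keeps the results alive, then reports
# which input strings now exist in the symbol table. The lookup compares
# strings, so the check itself does not intern anything.
def audit(values)
  results = values.map { |v| yield v }
  table = Symbol.all_symbols.map(&:to_s)
  { results: results, interned: values.select { |v| table.include?(v) } }
end

# Constructed sample input: unique strings standing in for unknown types.
def sample_values(count)
  Array.new(count) { "application/x-constructed-#{SecureRandom.hex(8)}" }
end

if __FILE__ == $PROGRAM_NAME
  fixed = audit(sample_values(3)) { |v| formats_after(v) }
  vulnerable = audit(sample_values(3)) { |v| formats_before(v) }
  puts "after fix:  #{fixed[:interned].size} of 3 values interned"
  puts "before fix: #{vulnerable[:interned].size} of 3 values interned"
  puts "registered: #{formats_after(RegisteredType.new('text/plain', :text)).inspect}"
end
```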

Patches
-------

To aid users who aren't able to upgrade immediately we have provided patches for the
supported release series. They are in git-am format and consist of a single changeset.

 * 3-2-render_text_dos.patch - Patch for 3.2 series
 * 3-1-render_text_dos.patch - Patch for 3.1 series
 * 3-0-render_text_dos.patch - Patch for 3.0 series

Please note that only the 4.0.x and 3.2.x series are supported at present. Users of
earlier unsupported releases are advised to upgrade as soon as possible as we cannot
guarantee the continued availability of security fixes for unsupported releases.

Credits
-------

Thanks to Toby Hsieh of SlideShare for reporting the issue to us and working on
the patch with us.

-- 
Aaron Patterson
http://tenderlovemaking.com/

From 78a465dd70ee8968ca4538820f45c049b3ea009f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
 <rafaelmfranca@...il.com>
Date: Tue, 11 Feb 2014 23:12:15 -0200
Subject: [PATCH] Use the reference for the mime type to get the format

Before we were calling to_sym on the mime type, even when it is unknown,
which can cause denial of service since symbols are not removed by the
garbage collector.

Fixes: CVE-2014-0082
---
 actionpack/lib/action_view/template/text.rb |  2 +-
 actionpack/test/template/text_test.rb       | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 actionpack/test/template/text_test.rb

diff --git a/actionpack/lib/action_view/template/text.rb b/actionpack/lib/action_view/template/text.rb
index 51be831..12c9ed9 100644
--- a/actionpack/lib/action_view/template/text.rb
+++ b/actionpack/lib/action_view/template/text.rb
@@ -23,7 +23,7 @@ module ActionView #:nodoc:
       end
 
       def formats
-        [@...e_type.to_sym]
+        [@...e_type.respond_to?(:ref) ? @mime_type.ref : @mime_type.to_s]
       end
 
       def partial?
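
Review bot: The return type of `formats` is no longer uniform: the `+` line yields whatever `ref` returns on one branch and a String from `to_s` on the other, and the accompanying tests expect both `[:text]` and `['foo']`. Any caller that compares the result against symbols only will silently miss the String case, so document the mixed return type on the method or check the call sites that consume `formats`.
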
diff --git a/actionpack/test/template/text_test.rb b/actionpack/test/template/text_test.rb
new file mode 100644
index 0000000..d899d54
--- /dev/null
+++ b/actionpack/test/template/text_test.rb
@@ -0,0 +1,17 @@
+require 'abstract_unit'
+
+class TextTest < ActiveSupport::TestCase
+  test 'formats returns symbol for recognized MIME type' do
+    assert_equal [:text], ActionView::Template::Text.new('', :text).formats
+  end
+
+  test 'formats returns string for recognized MIME type when MIME does not have symbol' do
+    foo = Mime::Type.lookup("foo")
+    assert_nil foo.to_sym
+    assert_equal ['foo'], ActionView::Template::Text.new('', foo).formats
+  end
+
+  test 'formats returns string for unknown MIME type' do
+    assert_equal ['foo'], ActionView::Template::Text.new('', 'foo').formats
+  end
+end
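
Review bot: None of the three tests asserts the property the fix exists for, namely that calling `formats` with an unknown type leaves the symbol table untouched; they only check the returned value. Consider a test that passes a unique string and then asserts it is absent from `Symbol.all_symbols.map(&:to_s)`, so the regression is pinned to interning itself rather than to the return type.
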
-- 
1.8.4.3


From bd06f51f331cee97aafbd8af9019acec7728556f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
 <rafaelmfranca@...il.com>
Date: Tue, 11 Feb 2014 22:56:50 -0200
Subject: [PATCH] Use the reference for the mime type to get the format

Before we were calling to_sym on the mime type, even when it is unknown,
which can cause denial of service since symbols are not removed by the
garbage collector.

Fixes: CVE-2014-0082
---
 actionpack/lib/action_view/template/text.rb |  2 +-
 actionpack/test/template/text_test.rb       | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 actionpack/test/template/text_test.rb

diff --git a/actionpack/lib/action_view/template/text.rb b/actionpack/lib/action_view/template/text.rb
index 4261c3b..d90e43b 100644
--- a/actionpack/lib/action_view/template/text.rb
+++ b/actionpack/lib/action_view/template/text.rb
@@ -23,7 +23,7 @@ module ActionView #:nodoc:
       end
 
       def formats
-        [@...e_type.to_sym]
+        [@...e_type.respond_to?(:ref) ? @mime_type.ref : @mime_type.to_s]
       end
     end
   end
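
Review bot: The reason for avoiding `to_sym` on the `+` line lives only in the commit message; nothing in the method body says that the `respond_to?(:ref)` check is a security guard. A one-line comment above the ternary stating that unknown types must not be interned would keep a later cleanup from simplifying it back.
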
diff --git a/actionpack/test/template/text_test.rb b/actionpack/test/template/text_test.rb
new file mode 100644
index 0000000..d899d54
--- /dev/null
+++ b/actionpack/test/template/text_test.rb
@@ -0,0 +1,17 @@
+require 'abstract_unit'
+
+class TextTest < ActiveSupport::TestCase
+  test 'formats returns symbol for recognized MIME type' do
+    assert_equal [:text], ActionView::Template::Text.new('', :text).formats
+  end
+
+  test 'formats returns string for recognized MIME type when MIME does not have symbol' do
+    foo = Mime::Type.lookup("foo")
+    assert_nil foo.to_sym
+    assert_equal ['foo'], ActionView::Template::Text.new('', foo).formats
+  end
+
+  test 'formats returns string for unknown MIME type' do
+    assert_equal ['foo'], ActionView::Template::Text.new('', 'foo').formats
+  end
+end
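
Review bot: The second test is named 'formats returns string for recognized MIME type when MIME does not have symbol' yet it builds its fixture with `Mime::Type.lookup("foo")`, the same name the third test treats as unknown, so the test does not show what makes this type recognized. `assert_nil foo.to_sym` is also a precondition on the fixture, not a check on `formats`; a short comment saying so, or a more distinctive type name, would make the intent readable.
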
-- 
1.8.4.3


From f103fe6031a1e36000d4dc430a3b130d381b2c0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
 <rafaelmfranca@...il.com>
Date: Tue, 11 Feb 2014 22:56:50 -0200
Subject: [PATCH] Use the reference for the mime type to get the format

Before we were calling to_sym on the mime type, even when it is unknown,
which can cause denial of service since symbols are not removed by the
garbage collector.

Fixes: CVE-2014-0082
---
 actionpack/lib/action_view/template/text.rb |  2 +-
 actionpack/test/template/text_test.rb       | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 actionpack/test/template/text_test.rb

diff --git a/actionpack/lib/action_view/template/text.rb b/actionpack/lib/action_view/template/text.rb
index 4261c3b..d90e43b 100644
--- a/actionpack/lib/action_view/template/text.rb
+++ b/actionpack/lib/action_view/template/text.rb
@@ -23,7 +23,7 @@ module ActionView #:nodoc:
       end
 
       def formats
-        [@...e_type.to_sym]
+        [@...e_type.respond_to?(:ref) ? @mime_type.ref : @mime_type.to_s]
       end
     end
   end
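
Review bot: The `to_s` fallback on the `+` line accepts any object, so a nil `@mime_type` would now produce `[""]` where the removed `to_sym` call would have raised. If nil can reach this method, decide explicitly what `formats` should return and cover it with a test; if it cannot, a comment saying so would help.
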
diff --git a/actionpack/test/template/text_test.rb b/actionpack/test/template/text_test.rb
new file mode 100644
index 0000000..d899d54
--- /dev/null
+++ b/actionpack/test/template/text_test.rb
@@ -0,0 +1,17 @@
+require 'abstract_unit'
+
+class TextTest < ActiveSupport::TestCase
+  test 'formats returns symbol for recognized MIME type' do
+    assert_equal [:text], ActionView::Template::Text.new('', :text).formats
+  end
+
+  test 'formats returns string for recognized MIME type when MIME does not have symbol' do
+    foo = Mime::Type.lookup("foo")
+    assert_nil foo.to_sym
+    assert_equal ['foo'], ActionView::Template::Text.new('', foo).formats
+  end
+
+  test 'formats returns string for unknown MIME type' do
+    assert_equal ['foo'], ActionView::Template::Text.new('', 'foo').formats
+  end
+end
-- 
1.8.4.3


