oss-security - Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <5234D0FC.1050907@mccme.ru>
Date: Sun, 15 Sep 2013 01:11:24 +0400
From: Alexander Cherepanov <cherepan@...me.ru>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2013-4287 Algorithmic complexity vulnerability
 in RubyGems 2.0.7 and older

On 2013-09-10 09:32, Eric Hodel wrote:
> The vulnerability can be fixed by changing the first grouping to an atomic
> grouping in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb.  For
> RubyGems 2.0.x:
> 
>   -  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
>   +  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
> 
> For RubyGems 1.8.x:
> 
>   -  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc:
>   +  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:

This is not enough. The following script:

  # Regexes are from
https://github.com/rubygems/rubygems/blob/master/lib/rubygems/version.rb#L150
  VERSION_PATTERN =
'[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
  '1111111111111111111111111111.' =~ ANCHORED_VERSION_PATTERN

takes ~1m on my machine. The problem is not in VERSION_PATTERN but in
its possible repetition inside ANCHORED_VERSION_PATTERN.

-- 
Alexander Cherepanov

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.