oss-security - Re: CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <5237B023.2000202@redhat.com>
Date: Mon, 16 Sep 2013 19:28:03 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Alexander Cherepanov <cherepan@...me.ru>, dammer2k@...il.com,
        drbrain@...ment7.net
Subject: Re: CVE-2013-4287 Algorithmic complexity vulnerability
 in RubyGems 2.0.7 and older

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/14/2013 03:11 PM, Alexander Cherepanov wrote:
> On 2013-09-10 09:32, Eric Hodel wrote:
>> The vulnerability can be fixed by changing the first grouping to
>> an atomic grouping in Gem::Version::VERSION_PATTERN in
>> lib/rubygems/version.rb.  For RubyGems 2.0.x:
>> 
>> -  VERSION_PATTERN =
>> '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' #
>> :nodoc: +  VERSION_PATTERN =
>> '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' #
>> :nodoc:
>> 
>> For RubyGems 1.8.x:
>> 
>> -  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc: +
>> VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
> 
> This is not enough. The following script:
> 
> # Regexes are from 
> https://github.com/rubygems/rubygems/blob/master/lib/rubygems/version.rb#L150
>
> 
VERSION_PATTERN =
> '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' #
> :nodoc: ANCHORED_VERSION_PATTERN =
> /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc: 
> '1111111111111111111111111111.' =~ ANCHORED_VERSION_PATTERN
> 
> takes ~1m on my machine. The problem is not in VERSION_PATTERN but
> in its possible repetition inside ANCHORED_VERSION_PATTERN.
> 

Great, I guess we're going to need a new CVE. Before I assign one can
we make sure we fix this so more fiddly expressions don't cause
problems? Thanks.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSN7AjAAoJEBYNRVNeJnmT364QANqrjzrwEwdP3gJvjNY2e8j6
/uSyVCeka3ipjvDnq/JMOVNMRmOuic54BXcJKxPaVhTSs1F6qn1yhz5loFbN7Iy7
ra6J+VUGIPiRVJmNHZy5h6vXeugyhT72/WAUxOLHzpByZIswACIWU//+K4Wq3Tuq
n6sFffsSyL4sVFul37wc9uKP3moP45tAd/VRoX2Puj7srfuTJ3NrmS4PhaMsgI60
t1bh7I46IBxMjb0xLEDtw5EDe014hcN2MDfyPuvs8CYKDUPnYT37mauS7YjHyXO2
/A6HvcI0oOIHrWqZD43gsf+mtWyEAmLvU0M+2mlFEnvAYRDXKHX5YWUwdRTgsQgd
DOOmxktlFrwUxvcga/YiYzjxydg64x35II9C/ueVr8SWX9NYuKDCSZejXt/9wkQZ
Ajmkvzdx7vpRVcCgxhyf0Qs0gcSp2t0KBidh/HKdmCeLW7iyEL2W4MChK6UOSZk/
pNEFnGx4/3Le+MhU8a2vcSfMGXOjYNefsSTWUJl3AbcrJcWNFjGElCH4rjBZydwm
PGEM38TOVHdeodQTCW0TIGNMhp/sNBR3J8wkh8Pv59xUD6X54JQf3C8NnIBQJ9yX
nRxy9lVmPn6WxbQtsiS44N14a3yqvy5jsqTKuafFj6SdmvrdG0Fblb0C9dvLGzx9
9GXwOmzhTqeVEOi2InYg
=tciT
-----END PGP SIGNATURE-----

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.