author: April Chin <april.chin@oracle.com>
date: Tue, 26 Nov 2013 14:09:46 -0800
branch: s11u1-sru
changeset 2834: d69aa373f992
permissions: -rw-r--r--
description: 17650524 problem in UTILITY/RUBY

Fix for the following two CVE issues:

CVE-2013-4287
Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in
lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25,
2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through
2.0.0p247, allows remote attackers to cause a denial of service (CPU
consumption) via a crafted gem version that triggers a large amount of
backtracking in a regular expression.

CVE-2013-4363
Algorithmic complexity vulnerability in
Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems
before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before
2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to
cause a denial of service (CPU consumption) via a crafted gem version that
triggers a large amount of backtracking in a regular expression. NOTE: this
issue is due to an incomplete fix for CVE-2013-4287.

The fixes come from
http://rubygems.rubyforge.org/rubygems-update/CVE-2013-4287_txt.html
and
http://rubygems.rubyforge.org/rubygems-update/CVE-2013-4363_txt.html

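The two CVEs above are about regex backtracking, and the patch below fixes them by making the repeated ".segment" group atomic and by dropping the outer `*` to `?`. The following is an added example, not code from this changeset or from RubyGems: it rebuilds a `Gem::Version.correct?`-style check on the patched pattern and exercises it on valid, invalid and long almost-valid inputs so the fix can be kept under regression test. The helper names `version_correct?`, `long_invalid_version` and `timed_check` are this example's own; the two constants mirror the values the patch introduces.

```ruby
# Added example (not from the Solaris userland changeset or from RubyGems):
# a Gem::Version-style syntax check built on the patched VERSION_PATTERN.
# The atomic group (?>...) stops the regex engine from re-splitting a
# ".segment" it has already matched, and the outer "?" replaces "*" so two
# unbounded quantifiers are no longer nested inside each other.
VERSION_PATTERN = '[0-9]+(?>\.[0-9a-z]+)*'
ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/

# Mirrors the shape of the patched correct?: Integers pass outright, anything
# else is stringified and must match the anchored pattern. As in the original
# check, zero repetitions (empty or whitespace-only input) is accepted.
def version_correct?(version)
  return true if version.is_a?(Integer)
  !!(version.to_s =~ ANCHORED_VERSION_PATTERN)
end

# Constructed regression input: a long, almost-valid version string whose
# trailing "!" forces the match to fail only at the very end. Nested unbounded
# quantifiers are worst on exactly this shape; with the atomic group the
# engine gives up in time linear in the number of segments.
def long_invalid_version(segments = 2000)
  "1" + ".11" * segments + "!"
end

# Returns [verdict, elapsed_seconds] so a test can check both the answer and
# that the check stayed fast on the long input.
def timed_check(version)
  start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  result = version_correct?(version)
  [result, Process.clock_gettime(Process::CLOCK_MONOTONIC) - start]
end

if __FILE__ == $PROGRAM_NAME
  samples = ["1.8.23.1", "2.0.0p247", "  3.1 ", "1.a", 42, "", "1..2", "x.1",
             "1.2 beta", long_invalid_version]
  samples.each do |v|
    verdict, secs = timed_check(v)
    shown = v.to_s.length > 40 ? "#{v.to_s[0, 37]}... (#{v.to_s.length} chars)" : v.inspect
    printf("%-48s correct?=%-5s %.6fs\n", shown, verdict, secs)
  end
end
```

Run it with `ruby version_check.rb`; the last line shows the 6000-character input being rejected in well under a second, which is the property a package test should pin down so a later rubygems bump cannot silently reintroduce the unpatched pattern.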
--- rubygems-1.3.5-orig//lib/rubygems/version.rb Mon Jun 22 15:54:36 2009
+++ rubygems-1.3.5/lib/rubygems/version.rb Thu Oct 24 16:02:38 2013
@@ -69,12 +69,12 @@

include Comparable

- VERSION_PATTERN = '[0-9]+(\.[0-9a-z]+)*'
+ VERSION_PATTERN = '[0-9]+(?>\.[0-9a-z]+)*'

attr_reader :version

def self.correct?(version)
- pattern = /\A\s*(#{VERSION_PATTERN})*\s*\z/
+ pattern = /\A\s*(#{VERSION_PATTERN})?\s*\z/

version.is_a? Integer or
version =~ pattern or
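Review bot: the hunk defines no `ANCHORED_VERSION_PATTERN`, so the CVE-2013-4363 fix named in the header is carried entirely by the inline `pattern` in `correct?`; that line is the one to watch on the next rubygems bump, since a refresh of version.rb that reintroduces `(#{VERSION_PATTERN})*` would quietly undo it. The change itself is sound on both counts: `(?>\.[0-9a-z]+)*` makes each already-matched `.segment` atomic, so the engine never re-splits it on failure, and `(#{VERSION_PATTERN})?` in place of `(#{VERSION_PATTERN})*` removes the nesting of two unbounded quantifiers. The accepted language does not change, because any concatenation of two `VERSION_PATTERN` matches is itself a `VERSION_PATTERN` match, and zero repetitions (empty or whitespace-only input) is accepted both before and after. Suggest adding a regression test to the package's test run that feeds `correct?` a long, almost-valid version string and asserts it is rejected promptly.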