components/ruby/ruby-18/rubygems-patches/01-CVE-2013-4287-4363.patch
changeset 1567 b5493d203180
1566:d1c87d1ecd13 1567:b5493d203180
Fix for the following two CVE issues:

CVE-2013-4287
Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in
lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25,
2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through
2.0.0p247, allows remote attackers to cause a denial of service (CPU
consumption) via a crafted gem version that triggers a large amount of
backtracking in a regular expression.

CVE-2013-4363
Algorithmic complexity vulnerability in
Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems
before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before
2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to
cause a denial of service (CPU consumption) via a crafted gem version that
triggers a large amount of backtracking in a regular expression. NOTE: this
issue is due to an incomplete fix for CVE-2013-4287.

The fixes come from
http://rubygems.rubyforge.org/rubygems-update/CVE-2013-4287_txt.html
and
http://rubygems.rubyforge.org/rubygems-update/CVE-2013-4363_txt.html

--- rubygems-1.3.5-orig//lib/rubygems/version.rb	Mon Jun 22 15:54:36 2009
+++ rubygems-1.3.5/lib/rubygems/version.rb	Thu Oct 24 16:02:38 2013
@@ -69,12 +69,12 @@
 
   include Comparable
 
-  VERSION_PATTERN = '[0-9]+(\.[0-9a-z]+)*'
+  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-z]+)*'
 
   attr_reader :version
 
   def self.correct?(version)
-    pattern = /\A\s*(#{VERSION_PATTERN})*\s*\z/
+    pattern = /\A\s*(#{VERSION_PATTERN})?\s*\z/
 
     version.is_a? Integer or
       version =~ pattern or
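Review bot: the second `-`/`+` pair in this hunk, `(#{VERSION_PATTERN})*` becoming `(#{VERSION_PATTERN})?`, is the change that removes the remaining blow-up and it deserves a sentence in the description: with the outer `*`, a long digit run followed by a character that cannot match can be split between repeated copies of `VERSION_PATTERN` in exponentially many ways, and the atomic group added on the `VERSION_PATTERN` line alone does not stop that. Because `[0-9]+` and `[0-9a-z]+` absorb adjacent digits and the group stays optional, `?` accepts exactly the strings `*` did (empty and whitespace-only input included), but that equivalence should be stated. The description also attributes CVE-2013-4363 to `Gem::Version::ANCHORED_VERSION_PATTERN`, a constant this 1.3.5 file does not have; say explicitly that the inline `pattern` in `correct?` is what is being patched in its place. A regression test feeding `correct?` a long digit run with a trailing non-matching character would guard both changes.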
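As an added backport sanity check (example code, not part of the patch or of RubyGems), the following reproduces the patched patterns from the `+` lines above in a standalone `version_correct?` and checks two things a reviewer would want: everyday version strings are still accepted or rejected as the regex dictates, and a long digit run with a trailing non-matching character is rejected promptly instead of stalling. The helper names and all inputs are constructed here.

```ruby
require 'timeout'

# Patched constant from the hunk: the atomic group (?>...) means a matched
# ".segment" is never handed back to the engine for re-splitting.
VERSION_PATTERN = '[0-9]+(?>\.[0-9a-z]+)*'

# Patched anchored pattern from correct?: at most one version, not a run of them.
CORRECT_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/

# Same decision as the patched Gem::Version.correct? (hypothetical name).
def version_correct?(version)
  return true if version.is_a?(Integer)
  !!(version =~ CORRECT_PATTERN)
end

# Constructed inputs; expected values follow from the regex, not from any
# RubyGems test data.
BENIGN_CASES = {
  '1.3.5'    => true,
  ' 2.0.0 '  => true,   # surrounding whitespace is allowed by \s*
  '1.8.23.1' => true,
  '1.0.a'    => true,   # alphanumeric segment
  ''         => true,   # (...)? still accepts an empty version string
  '1..2'     => false,  # empty segment
  '1.2-rc1'  => false,  # '-' is not in [0-9a-z]
  'v1.0'     => false,
}

# A digit run followed by a character the pattern cannot match. With the old
# nested-star pattern the engine had exponentially many splits to try before
# failing; with the patch the backtracking is linear in the input length.
def pathological_input(n = 40)
  ('1' * n) + '!'
end

# Returns [result, elapsed_seconds]; raises Timeout::Error if the match stalls.
def timed_check(version, limit = 2)
  start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  result = Timeout.timeout(limit) { version_correct?(version) }
  [result, Process.clock_gettime(Process::CLOCK_MONOTONIC) - start]
end

if __FILE__ == $0
  BENIGN_CASES.each do |v, ok|
    puts "#{v.inspect.ljust(12)} => #{version_correct?(v)} (expected #{ok})"
  end
  result, secs = timed_check(pathological_input)
  puts "pathological input: #{result} in #{secs.round(4)}s"
end
```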