Fix for the following two CVE issues:

CVE-2013-4287
Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in
lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25,
2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through
2.0.0p247, allows remote attackers to cause a denial of service (CPU
consumption) via a crafted gem version that triggers a large amount of
backtracking in a regular expression.

CVE-2013-4363
Algorithmic complexity vulnerability in
Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems
before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before
2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to
cause a denial of service (CPU consumption) via a crafted gem version that
triggers a large amount of backtracking in a regular expression. NOTE: this
issue is due to an incomplete fix for CVE-2013-4287.

The fixes come from the upstream advisories:
http://rubygems.rubyforge.org/rubygems-update/CVE-2013-4287_txt.html
http://rubygems.rubyforge.org/rubygems-update/CVE-2013-4363_txt.html
--- rubygems-1.3.5-orig//lib/rubygems/version.rb Mon Jun 22 15:54:36 2009
+++ rubygems-1.3.5/lib/rubygems/version.rb Thu Oct 24 16:02:38 2013
@@ -69,12 +69,12 @@
include Comparable
- VERSION_PATTERN = '[0-9]+(\.[0-9a-z]+)*'
+ VERSION_PATTERN = '[0-9]+(?>\.[0-9a-z]+)*'
attr_reader :version
def self.correct?(version)
- pattern = /\A\s*(#{VERSION_PATTERN})*\s*\z/
+ pattern = /\A\s*(#{VERSION_PATTERN})?\s*\z/
version.is_a? Integer or
version =~ pattern or
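Review bot: the hunk header announces 12 lines on each side, but only 9 follow it, so the patch as pasted is truncated and will not apply cleanly; include the trailing context lines (the remainder of `correct?` after `version =~ pattern or`) so `patch` can match the hunk. On the substance, both changes are backtracking-only and do not alter the accepted language: the atomic group `(?>\.[0-9a-z]+)*` stops the engine from re-entering an already matched `.segment` to try shorter splits, which can never help because the next thing to match is `\.`, `\s` or `\z`; and replacing `(#{VERSION_PATTERN})*` with `(#{VERSION_PATTERN})?` in `correct?` removes the nested quantifier that made the old pattern quadratic and worse, while any concatenation of two VERSION_PATTERN matches is itself a single VERSION_PATTERN match, so `?` accepts exactly the same strings as `*` (whitespace-only input is still accepted by both, as before). Worth stating in the commit message that the second change is the 1.3.5 equivalent of the `ANCHORED_VERSION_PATTERN` fix from CVE-2013-4363, since that constant does not appear in this hunk; if 1.3.5 builds the anchored form anywhere else in version.rb (for example in the constructor), that site needs the same `*` to `?` treatment or the CVE-2013-4363 half of this fix is incomplete.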