Bug 451620 - <dev-ruby/rack-{1.1.5,1.2.7,1.3.9,1.4.4} DoS leading to infinite loop (CVE-2012-6109,CVE-2013-{0183,0184})
Summary: <dev-ruby/rack-{1.1.5,1.2.7,1.3.9,1.4.4} DoS leading to infinite loop (CVE-20...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://groups.google.com/forum/#!msg...
Whiteboard: B3 [glsa]
Keywords:
CVE: CVE-2012-6109
Depends on:
Blocks:
 
Reported: 2013-01-13 09:20 UTC by Hans de Graaff
Modified: 2014-05-17 19:04 UTC

See Also:
Package list:
Runtime testing required: ---


Description Hans de Graaff gentoo-dev Security 2013-01-13 09:20:32 UTC
"What seems to happen is that when parsing a header like this

Content-Disposition: inline; name=xml_product_config;
filename=XML_PRODUCT_CONFIG.xml

the regexp in the get_filename method in parser.rb seems to get stuck
in an infinite loop on the line with

if head =~ RFC2183 "
Comment 1 Hans de Graaff gentoo-dev Security 2013-01-13 10:00:27 UTC
The following versions of rack are now in the tree.

=dev-ruby/rack-1.1.4
=dev-ruby/rack-1.2.6
=dev-ruby/rack-1.4.3


rack 1.3.7 is still pending because it fails its tests: https://github.com/rack/rack/issues/493
Comment 2 Hans de Graaff gentoo-dev Security 2013-01-15 17:02:13 UTC
*** Bug 452198 has been marked as a duplicate of this bug. ***
Comment 3 Hans de Graaff gentoo-dev Security 2013-01-15 18:47:17 UTC
Fixed versions for all reported DoS issues are now in the tree:

=dev-ruby/rack-1.1.5
=dev-ruby/rack-1.2.7
=dev-ruby/rack-1.3.9
=dev-ruby/rack-1.4.4
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-15 20:27:39 UTC
(In reply to comment #3)
> Fixed versions for all reported DoS issues are now in the tree:
> 
> =dev-ruby/rack-1.1.5
> =dev-ruby/rack-1.2.7
> =dev-ruby/rack-1.3.9
> =dev-ruby/rack-1.4.4

Thanks. Arches, please test and mark stable.
Comment 5 Agostino Sarubbo gentoo-dev 2013-01-18 09:49:30 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-01-18 09:54:01 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-01-21 13:41:38 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-01-21 14:10:02 UTC
ppc stable
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-21 22:25:34 UTC
GLSA vote: yes.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2013-03-04 23:06:34 UTC
CVE-2013-0184 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0184):
  Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x
  before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4
  allows remote attackers to cause a denial of service via unknown vectors
  related to "symbolized arbitrary strings."

CVE-2013-0183 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0183):
  multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 allows
  remote attackers to cause a denial of service (memory consumption and
  out-of-memory error) via a long string in a Multipart HTTP packet.

CVE-2012-6109 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6109):
  lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before
  1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which
  allows remote attackers to cause a denial of service (infinite loop) via a
  crafted Content-Disposition header.
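The three advisories above describe two failure modes in the same parser: a regular expression that never terminates on a crafted Content-Disposition header (CVE-2012-6109, the folded header quoted in the bug description) and unbounded memory growth on a long multipart string (CVE-2013-0183). The following Ruby is an added example written for this bug report; it is not Rack's code and does not reproduce Rack's RFC2183 pattern or its fix. It shows the defensive shape a multipart header parser wants: reject oversized input before parsing, unfold continuation lines, and extract parameters with one anchored, backtracking-free match per parameter. The limits, the HeaderTooLarge class and the method names are constructed for illustration.

```ruby
# Added example for this bug: a bounded, single-pass Content-Disposition
# parser. It is NOT Rack's code; the limits, the exception class and the
# method names below are constructed for illustration.

MAX_HEADER_BYTES = 8 * 1024 # assumed cap on one unfolded header line
MAX_PARAM_BYTES  = 1024     # assumed cap on a single parameter value

class HeaderTooLarge < StandardError; end

# Join RFC 822 continuation lines (newline followed by whitespace) so the
# folded header from the report becomes one line. Rejecting oversized input
# first keeps memory use bounded before any parsing happens.
def unfold_header(raw)
  if raw.bytesize > MAX_HEADER_BYTES
    raise HeaderTooLarge, "header exceeds #{MAX_HEADER_BYTES} bytes"
  end
  raw.gsub(/\r?\n[ \t]+/, " ")
end

# Parse "Content-Disposition: inline; name=foo; filename=\"bar.xml\"" into
# ["inline", { "name" => "foo", "filename" => "bar.xml" }].
# Each ';'-separated piece is matched once with an anchored pattern that has
# no nested or overlapping quantifiers, so the work is linear in the input
# length. (Quoted values containing ';' are out of scope for this example.)
def parse_content_disposition(raw)
  header = unfold_header(raw).sub(/\AContent-Disposition:[ \t]*/i, "")
  pieces = header.split(";").map(&:strip)
  disposition = pieces.shift.to_s.downcase
  params = {}
  pieces.each do |piece|
    next if piece.empty?
    m = piece.match(/\A([A-Za-z0-9*_-]+)=(?:"([^"]*)"|([^"]*))\z/)
    next unless m
    value = (m[2] || m[3]).strip
    if value.bytesize > MAX_PARAM_BYTES
      raise HeaderTooLarge, "parameter #{m[1]} exceeds #{MAX_PARAM_BYTES} bytes"
    end
    params[m[1].downcase] = value
  end
  [disposition, params]
end

# The filename parameter reduced to its last path component, or nil when
# absent, so a client-supplied path cannot point outside an upload directory.
def get_filename(raw)
  _, params = parse_content_disposition(raw)
  name = params["filename"]
  return nil if name.nil? || name.empty?
  File.basename(name.tr("\\", "/"))
end

# Constructed input: the folded header quoted in the bug description, with
# the continuation line indented as RFC 822 folding requires.
REPORTED_HEADER = "Content-Disposition: inline; name=xml_product_config;\r\n" \
                  " filename=XML_PRODUCT_CONFIG.xml"

if __FILE__ == $PROGRAM_NAME
  p parse_content_disposition(REPORTED_HEADER)
  p get_filename(REPORTED_HEADER)
end
```

The two caps are the point of the example rather than their particular values: a size check that runs before any regular expression is applied bounds both the memory a request can consume and the amount of text any single match has to scan, and an anchored pattern with a single pass per parameter cannot be driven into the exponential backtracking that makes a regex appear to loop forever.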
Comment 11 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-19 18:41:51 UTC
Added to existing GLSA draft.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-05-17 19:04:03 UTC
This issue was resolved and addressed in
 GLSA 201405-10 at http://security.gentoo.org/glsa/glsa-201405-10.xml
by GLSA coordinator Sean Amoss (ackle).