Bug 396301 (CVE-2011-4815)

Summary:	<dev-lang/ruby-1.8.7_p357, dev-lang/ruby-enterprise Hash collision DoS (CVE-2011-4815)
Product:	Gentoo Security	Reporter:	Hans de Graaff <graaff>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	artee, ruby
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://www.ruby-lang.org/en/news/2011/12/28/denial-of-service-attack-was-found-for-rubys-hash-algorithm/
Whiteboard:	B3 [glsa]
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	396397

Description Hans de Graaff gentoo-dev

2011-12-28 13:50:09 UTC

"The situation is similar to the one found for Perl in 2003. In 1.8 series of Ruby, we use a deterministic hash function to hash a string. Here the "deterministic" means no other bits of information than the input string itself is involved to generate a hash value. So you can precalculate a string's hash value beforehand. By collecting a series of strings that have the identical hash value, an attacker can let ruby process collide bins of hash tables (including Hash class instances). Hash tables' amortized O(1) attribute depends on uniformity of distribution of hash values. By giving such crafted input, an attacker can let hash tables work much slower than expected (namely O(n2) to construct a n-elements table this case)."

ruby 1.9 is not affected.

It's likely that ruby-enterprise-edition is also affected, but that has not been confirmed.

Comment 1 Alex Legler (RETIRED) archtester

2011-12-28 14:26:24 UTC

ruby-enterprise uses the same code.

Comment 2 Hans de Graaff gentoo-dev

2011-12-28 14:37:45 UTC

I have a version of dev-lang/ruby-1.8.7_p357 locally that I will test first.

Comment 3 Alex Legler (RETIRED) archtester

2011-12-28 17:38:38 UTC

Arches, please test and mark stable:
=dev-lang/ruby-1.8.7_p357
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Comment 4 teidakankan 2011-12-28 22:47:30 UTC

I needed this glibc patch to compile this on ~x86:

https://bugs.gentoo.org/show_bug.cgi?id=370413

Comment 5 Geoff Madden 2011-12-29 07:56:15 UTC

Hi I placed spanky's patch into /etc/portage/patches/sys-libs/glibc. Although the path is mentioned in /var/tmp/portage/sys-libs/glibc-2.14-r1,epatch_user.applied on checking the log file the 0068******* isn't mentioned at the top of the patches.
So my question is what did I miss doing,or should I read further down.
Geoff

Comment 6 Agostino Sarubbo gentoo-dev

2011-12-29 09:55:12 UTC

amd64 stable

Comment 7 Roman Porizka 2011-12-29 15:03:57 UTC

Could not compile ruby 1.8.7_p357, because of:


cp ../.././ext/dl/lib/dl/import.rb ../../.ext/common/dl
cp ../.././ext/dl/lib/dl/struct.rb ../../.ext/common/dl
cp ../.././ext/dl/lib/dl/win32.rb ../../.ext/common/dl
cp ../.././ext/dl/lib/dl/types.rb ../../.ext/common/dl
In file included from dl.c:104:0:
callback.func:1:1: warning: data definition has no type or storage class
callback.func:1:7: error: expected identifier or ‘(’ before ‘long’
In file included from dl.c:104:0:
callback.func:78:33: error: expected ‘)’ before ‘(’ token
callback.func:79:3: warning: data definition has no type or storage class
callback.func:79:24: error: ‘proc’ undeclared here (not in a function)
callback.func:79:39: error: ‘argc’ undeclared here (not in a function)
callback.func:79:45: error: ‘argv’ undeclared here (not in a function)
callback.func:82:1: error: expected identifier or ‘(’ before ‘}’ token
dl.c:106:1: error: expected ‘;’, ‘,’ or ‘)’ before ‘static’
make[1]: *** [dl.o] Error 1
make[1]: *** Waiting for unfinished jobs....

Found that it is known problem see for example: http://aur.archlinux.org/packages.php?ID=30221

Comment 8 Alex Legler (RETIRED) archtester

2011-12-29 15:07:36 UTC

(In reply to comment #7)
> callback.func:1:7: error: expected identifier or ‘(’ before ‘long’
...

PLEASE DO NOT report this error any more. The issue is known, has a fix and is just waiting for a glibc patch. Thanks.

Comment 9 Mark Loeser (RETIRED) gentoo-dev

2011-12-29 20:28:15 UTC

ppc/ppc64 done

Comment 10 Jeroen Roovers (RETIRED) gentoo-dev

2011-12-30 03:53:42 UTC

Stable for HPPA.

Comment 11 GLSAMaker/CVETool Bot gentoo-dev

2012-01-02 18:59:48 UTC

CVE-2011-4815 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4815):
  Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting
  the ability to trigger hash collisions predictably, which allows
  context-dependent attackers to cause a denial of service (CPU consumption)
  via crafted input to an application that maintains a hash table.

Comment 12 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2012-01-04 17:37:39 UTC

x86 stable

Comment 13 Raúl Porcel (RETIRED) gentoo-dev

2012-01-08 15:39:41 UTC

alpha/arm/ia64/s390/sh/sparc stable

Comment 14 Tim Sammut (RETIRED) gentoo-dev

2012-01-08 19:03:38 UTC

Thanks, everyone. GLSA Vote: yes.

Comment 15 Hans de Graaff gentoo-dev

2012-03-02 08:24:56 UTC

This is also fixed in ruby-enterprise 1.8.7-2012.02 which got released about a week ago.

Comment 16 Sean Amoss (RETIRED) gentoo-dev

2012-03-02 20:42:48 UTC

Added to existing GLSA request.

Comment 17 Dion Moult (RETIRED) gentoo-dev

2013-03-24 11:13:48 UTC

A quick note that dev-lang/ruby-enterprise has been treecleaned, so it is no longer relevant to this bug.

Comment 18 GLSAMaker/CVETool Bot gentoo-dev

2014-12-13 19:23:24 UTC

This issue was resolved and addressed in
 GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml
by GLSA coordinator Sean Amoss (ackle).