
Bug 396301 (CVE-2011-4815)

Summary: <dev-lang/ruby-1.8.7_p357, dev-lang/ruby-enterprise Hash collision DoS (CVE-2011-4815)
Product: Gentoo Security
Reporter: Hans de Graaff <graaff>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: artee, ruby
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.ruby-lang.org/en/news/2011/12/28/denial-of-service-attack-was-found-for-rubys-hash-algorithm/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 396397

Description Hans de Graaff gentoo-dev Security 2011-12-28 13:50:09 UTC
"The situation is similar to the one found for Perl in 2003. In the 1.8 series of Ruby, we use a deterministic hash function to hash a string. Here "deterministic" means no other bits of information than the input string itself are involved to generate a hash value. So you can precalculate a string's hash value beforehand. By collecting a series of strings that have the identical hash value, an attacker can let ruby process collide bins of hash tables (including Hash class instances). Hash tables' amortized O(1) attribute depends on uniformity of distribution of hash values. By giving such crafted input, an attacker can let hash tables work much slower than expected (namely O(n²) to construct an n-element table in this case)."

ruby 1.9 is not affected.

It's likely that ruby-enterprise-edition is also affected, but that has not been confirmed.
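The mechanism the quoted announcement describes, as an added example that is not part of this bug report or of Ruby's own source: a deterministic multiplicative string hash modelled on the 1.8 series (the multiplier 65599 and the final `key + (key >> 5)` mix are written from memory and should be read as assumptions), the offline search for two colliding blocks that "precalculate beforehand" makes possible, the concatenation trick that turns one collision into 2^k colliding keys, and a chained table in the style of st.c that counts key comparisons to show the O(n²) insertion cost. The state width is cut from 32 to 16 bits so the precomputation is bounded by the pigeonhole principle rather than by luck. The names `inner_hash`, `legacy_hash`, `find_colliding_pair`, `collision_set`, `ChainedTable`, `naive_seeded_hash`, `keyed_hash` and `PROCESS_SEED` belong to this example; the keyed variant (prefix-keyed SHA-256) only illustrates what "other bits of information" buys and is not what 1.8.7-p357 ships.

```ruby
require 'digest'
require 'securerandom'

# Added example, not code from the Gentoo bug or from Ruby itself.
# BITS is cut from the 32-bit int of Ruby 1.8 to 16 so the offline
# precomputation is tiny; the structure of the attack does not change.
BITS = 16
MASK = (1 << BITS) - 1
MULT = 65599 # assumption: multiplier of the 1.8 series' default string hash

# Running value of the multiplicative hash. Deterministic and linear in the
# input: inner_hash(x + y) == (inner_hash(x) * MULT**y.size + inner_hash(y)) & MASK
def inner_hash(str, start = 0)
  str.each_byte.reduce(start) { |key, byte| (key * MULT + byte) & MASK }
end

# Legacy-style full hash: inner value plus the final key + (key >> 5) mix.
def legacy_hash(str)
  key = inner_hash(str)
  (key + (key >> 5)) & MASK
end

# Offline precomputation, possible only because nothing secret enters the hash:
# walk 4-letter lowercase strings until two share an inner value. With 16-bit
# state the pigeonhole principle bounds this at 65_537 evaluations.
def find_colliding_pair(length: 4)
  seen = {}
  ('a' * length).upto('z' * length) do |s|
    h = inner_hash(s)
    return [seen[h], s] if seen.key?(h)
    seen[h] = s
  end
  raise 'no collision found'
end

# Multicollision: two equal-length colliding blocks give 2**k colliding
# strings by concatenation, because inner_hash is linear.
def collision_set(block_a, block_b, k)
  [block_a, block_b].repeated_permutation(k).map(&:join)
end

# Chained table in the style of st.c: the stored hash is compared first and the
# key only on an equal hash. `comparisons` counts key comparisons; when every
# key hashes alike the n-th insert walks a chain of n - 1 entries.
class ChainedTable
  attr_reader :comparisons

  def initialize(hasher, bins: 1024)
    @hasher = hasher
    @bins = Array.new(bins) { [] }
    @comparisons = 0
  end

  def insert(key)
    h = @hasher.call(key)
    chain = @bins[h % @bins.size]
    chain.each do |stored_hash, stored_key|
      next unless stored_hash == h
      @comparisons += 1
      return false if stored_key == key
    end
    chain << [h, key]
    true
  end
end

def insert_cost(hasher, keys)
  table = ChainedTable.new(hasher)
  keys.each { |key| table.insert(key) }
  table.comparisons
end

# Caveat: seeding only the initial state of a linear hash is not a fix. For
# inputs of equal length the seed adds the same seed * MULT**len term to every
# value, so the precomputed collisions survive intact.
def naive_seeded_hash(str, seed)
  inner_hash(str, seed)
end

# Stand-in for a genuinely keyed hash (prefix-keyed SHA-256, truncated to
# 32 bits): without the per-process secret the attacker cannot precompute
# collisions. Illustration only, not what 1.8.7-p357 ships.
PROCESS_SEED = SecureRandom.bytes(16)
def keyed_hash(str, seed = PROCESS_SEED)
  Digest::SHA256.digest(seed + str).unpack1('L')
end

if __FILE__ == $PROGRAM_NAME
  a, b = find_colliding_pair
  keys = collision_set(a, b, 10) # 1024 distinct 40-byte strings
  puts "blocks #{a.inspect} and #{b.inspect} share inner hash #{inner_hash(a)}"
  puts "legacy hash:    #{insert_cost(method(:legacy_hash), keys)} key comparisons"
  puts "naively seeded: #{insert_cost(->(s) { naive_seeded_hash(s, 0xbeef) }, keys)}"
  puts "keyed hash:     #{insert_cost(method(:keyed_hash), keys)}"
end
```

Running it prints the two colliding four-letter blocks and then three comparison counts: 523776 (1024 * 1023 / 2) for the legacy hash, the same figure for the naively seeded variant, and zero or a handful for the keyed one. The middle case is the caveat worth remembering when reviewing a fix for this class of bug: because the hash is linear in its input, seeding only its starting value shifts every equal-length hash by the same constant, so an attacker's precomputed collision set keeps colliding; the secret has to be mixed in by a function that is not linear in the input.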
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-12-28 14:26:24 UTC
ruby-enterprise uses the same code.
Comment 2 Hans de Graaff gentoo-dev Security 2011-12-28 14:37:45 UTC
I have a version of dev-lang/ruby-1.8.7_p357 locally that I will test first.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-12-28 17:38:38 UTC
Arches, please test and mark stable:
=dev-lang/ruby-1.8.7_p357
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 4 teidakankan 2011-12-28 22:47:30 UTC
I needed this glibc patch to compile this on ~x86:

https://bugs.gentoo.org/show_bug.cgi?id=370413
Comment 5 Geoff Madden 2011-12-29 07:56:15 UTC
Hi, I placed spanky's patch into /etc/portage/patches/sys-libs/glibc. Although the path is mentioned in /var/tmp/portage/sys-libs/glibc-2.14-r1,epatch_user.applied, on checking the log file the 0068******* isn't mentioned at the top of the patches.
So my question is: what did I miss doing, or should I read further down?
Geoff
Comment 6 Agostino Sarubbo gentoo-dev 2011-12-29 09:55:12 UTC
amd64 stable
Comment 7 Roman Porizka 2011-12-29 15:03:57 UTC
Could not compile ruby 1.8.7_p357, because of:


cp ../.././ext/dl/lib/dl/import.rb ../../.ext/common/dl
cp ../.././ext/dl/lib/dl/struct.rb ../../.ext/common/dl
cp ../.././ext/dl/lib/dl/win32.rb ../../.ext/common/dl
cp ../.././ext/dl/lib/dl/types.rb ../../.ext/common/dl
In file included from dl.c:104:0:
callback.func:1:1: warning: data definition has no type or storage class
callback.func:1:7: error: expected identifier or ‘(’ before ‘long’
In file included from dl.c:104:0:
callback.func:78:33: error: expected ‘)’ before ‘(’ token
callback.func:79:3: warning: data definition has no type or storage class
callback.func:79:24: error: ‘proc’ undeclared here (not in a function)
callback.func:79:39: error: ‘argc’ undeclared here (not in a function)
callback.func:79:45: error: ‘argv’ undeclared here (not in a function)
callback.func:82:1: error: expected identifier or ‘(’ before ‘}’ token
dl.c:106:1: error: expected ‘;’, ‘,’ or ‘)’ before ‘static’
make[1]: *** [dl.o] Error 1
make[1]: *** Waiting for unfinished jobs....

Found that it is a known problem; see for example: http://aur.archlinux.org/packages.php?ID=30221
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-12-29 15:07:36 UTC
(In reply to comment #7)
> callback.func:1:7: error: expected identifier or ‘(’ before ‘long’
...

PLEASE DO NOT report this error any more. The issue is known, has a fix and is just waiting for a glibc patch. Thanks.
Comment 9 Mark Loeser (RETIRED) gentoo-dev 2011-12-29 20:28:15 UTC
ppc/ppc64 done
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2011-12-30 03:53:42 UTC
Stable for HPPA.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-01-02 18:59:48 UTC
CVE-2011-4815 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4815):
  Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting
  the ability to trigger hash collisions predictably, which allows
  context-dependent attackers to cause a denial of service (CPU consumption)
  via crafted input to an application that maintains a hash table.
Comment 12 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-01-04 17:37:39 UTC
x86 stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2012-01-08 15:39:41 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2012-01-08 19:03:38 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 15 Hans de Graaff gentoo-dev Security 2012-03-02 08:24:56 UTC
This is also fixed in ruby-enterprise 1.8.7-2012.02 which got released about a week ago.
Comment 16 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-02 20:42:48 UTC
Added to existing GLSA request.
Comment 17 Dion Moult (RETIRED) gentoo-dev 2013-03-24 11:13:48 UTC
A quick note that dev-lang/ruby-enterprise has been treecleaned, so it is no longer relevant to this bug.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 19:23:24 UTC
This issue was resolved and addressed in
 GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml
by GLSA coordinator Sean Amoss (ackle).