Bug 452198 (CVE-2012-6109)

Description Agostino Sarubbo 2013-01-15 10:21:55 UTC

From $URL :

Three issues were noted in recent release of upstream Rake.  All are DoS
issues.

 From https://bugzilla.redhat.com/show_bug.cgi?id=895277 (2 issues):

Upstream released [1] Rack 1.4.2, 1.3.7, 1.2.6, and 1.1.4 to fix a
denial of service condition when Rack parses content with a certain
Content-Disposition header as noted in the original report [2].

This has been fixed in git [3].

Additionally, a second flaw that was fixed in 1.4.4, 1.3.9, 1.2.7, and
1.1.5 was also announced [4] that creates a minor denial of service
condition, this time in the Rack::Auth::AbstractRequest, where it
symbolized arbitrary strings (apparently this has something to do with
authentication, but there is no further information provided other than
the fix [5] itself, which is noted as "a breaking API change").

[1] http://rack.github.com/
[2] https://groups.google.com/forum/#!msg/rack-devel/1w4_fWEgTdI/XAkSNHjtdTsJ
[3] https://github.com/rack/rack/commit/4fc44671b3cad569421f4f8b775c0590b86f575e
[4] https://groups.google.com/forum/#!topic/rack-devel/ImYOqcGiksw/discussion
[5] https://github.com/rack/rack/commit/0c76175fcccad74ba2f991c487d3669c28a297c8

And from https://bugzilla.redhat.com/show_bug.cgi?id=895282:

Upstream released [1] Rack 1.4.3 and 1.3.8 to fix a denial of service
condition due to a malicious client sending excessively long lines that
trigger an out-of-memory error in Rack.

This has been fixed in git [2].


[1] https://groups.google.com/forum/#!topic/rack-devel/-MWPHDeGWtI/discussion
[2] https://github.com/rack/rack/commit/f95113402b7239f225282806673e1b6424522b18