Bug 460164 (CVE-2013-1800) - <dev-ruby/crack-0.3.2: YAML parameter parsing vulnerability (CVE-2013-1800)
Summary: <dev-ruby/crack-0.3.2: YAML parameter parsing vulnerability (CVE-2013-1800)
Status: RESOLVED FIXED
Alias: CVE-2013-1800
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B1 [glsa]
Reported: 2013-03-03 18:17 UTC by Agostino Sarubbo
Modified: 2014-04-07 20:50 UTC

Description Agostino Sarubbo gentoo-dev 2013-03-03 18:17:20 UTC
From ${URL}:

Tasha Drew reports:

Researchers investigating the Rails parameter parsing vulnerability discovered that the same or similar vulnerable code had made its way into multiple other libraries. If your application uses these libraries to process untrusted data, it may still be vulnerable even if you have upgraded Rails. Check your Gemfile and Gemfile.lock for vulnerable versions of the following libraries, and if you are using one, update it immediately.

You can update each of these by using "bundle update <gem name>". 

crack

Vulnerable: <= 0.3.1

Fixed: 0.3.2

External references:

https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately

https://github.com/jnunemaker/crack/commit/e3da1212a1f84a898ee3601336d1dbbf118fb5f6

https://rubygems.org/gems/crack/
Comment 1 Hans de Graaff gentoo-dev 2013-03-03 18:44:56 UTC
Crack 0.3.2 has already been in the tree for several months, so we can mark that stable.

=dev-ruby/crack-0.3.2
Comment 2 Agostino Sarubbo gentoo-dev 2013-03-04 09:00:41 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2013-03-04 09:19:56 UTC
x86 stable
Comment 4 Sean Amoss gentoo-dev Security 2013-03-17 19:01:27 UTC
New GLSA request filed.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-04-11 16:55:18 UTC
CVE-2013-1800 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1800):
  The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of
  string values, which might allow remote attackers to conduct
  object-injection attacks and execute arbitrary code, or cause a denial of
  service (memory and CPU consumption) by leveraging Action Pack support for
  (1) YAML type conversion or (2) Symbol type conversion, a similar
  vulnerability to CVE-2013-0156.
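Added illustration (not crack's own code, nor part of this bug or the NVD text): the "type" attribute casting pattern the CVE description refers to, with the two conversions it names beside a hardened table that only performs scalar casts. The names UNSAFE_TYPECASTS, SAFE_TYPECASTS, cast_value and UnsafeTypecastError are assumptions made for this example.

```ruby
require "yaml"

# Simplified model of a library casting XML/param string values by a
# caller-supplied type name (illustrative, not crack's actual table).
UNSAFE_TYPECASTS = {
  "integer" => ->(v) { v.to_i },
  "float"   => ->(v) { v.to_f },
  "boolean" => ->(v) { %w[1 true].include?(v.to_s.strip) },
  "string"  => ->(v) { v.to_s },
  # The two conversions CVE-2013-1800 names. With the unrestricted YAML
  # loader (YAML.load before Psych 4) a string value can become any Ruby
  # object the document describes (object injection); interning untrusted
  # strings with to_sym creates symbols that older Rubies never free
  # (memory/CPU exhaustion).
  "yaml"    => ->(v) { YAML.load(v) },
  "symbol"  => ->(v) { v.to_sym },
}.freeze

# Hardened table: drop the two object/state-creating conversions entirely
# rather than trying to sanitise their input.
SAFE_TYPECASTS = UNSAFE_TYPECASTS.reject { |name, _| %w[yaml symbol].include?(name) }.freeze

class UnsafeTypecastError < ArgumentError; end

# Cast +raw+ according to +type+. Untyped values stay strings; a type that
# is not in the permitted table is rejected instead of silently passed on.
def cast_value(raw, type, typecasts: SAFE_TYPECASTS)
  return raw if type.nil? || type.empty?
  caster = typecasts[type]
  raise UnsafeTypecastError, "refusing to cast with type=#{type.inspect}" unless caster
  caster.call(raw)
end

# Even a harmless YAML document shows the problem: a "string value" with
# type="yaml" comes back as an Array, so the caller's type expectations no
# longer hold. The hardened table refuses the conversion outright.
if __FILE__ == $PROGRAM_NAME
  p cast_value("--- [1, 2]", "yaml", typecasts: UNSAFE_TYPECASTS) # => [1, 2]
  begin
    cast_value("--- [1, 2]", "yaml")
  rescue UnsafeTypecastError => e
    puts e.message
  end
end
```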
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-04-07 20:50:11 UTC
This issue was resolved and addressed in GLSA 201404-04 at http://security.gentoo.org/glsa/glsa-201404-04.xml by GLSA coordinator Mikle Kolyada (Zlogene).