Bug 552324 (CVE-2015-3225) - <dev-ruby/rack-{1.4.6,1.5.4,1.6.2}: Denial of Service (CVE-2015-3225)
Status: RESOLVED FIXED
Alias: CVE-2015-3225
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://groups.google.com/forum/#!top...
Whiteboard: B3 [noglsa cve]
Reported: 2015-06-16 19:57 UTC by Hans de Graaff
Modified: 2015-08-10 14:49 UTC
Description Hans de Graaff gentoo-dev Security 2015-06-16 19:57:16 UTC
Potential Denial of Service Vulnerability in Rack

There is a potential denial of service vulnerability in Rack. This
vulnerability has been assigned the CVE identifier CVE-2015-3225.

Versions Affected:  All.
Not affected:       None.
Fixed Versions:     1.6.2, 1.5.4

Impact
------
Carefully crafted requests can cause a `SystemStackError` and potentially
cause a denial of service attack.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue.


Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset.

* 1-6-deep_params.patch - Patch for 1.6 series
* 1-5-deep_params.patch - Patch for 1.5 series

Please note that only the 1.6.x and 1.5.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------

Special thanks to Tomek Rabczak from the NCC Group for reporting this!
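The failure mode in the advisory above, as an added example that is neither Rack's code nor part of this bug: a minimal bracket-nesting parameter parser in the shape Rack uses for `a[b][c]=v`, first without a depth bound (one stack frame per `[...]` level, so a long enough key ends in SystemStackError and takes the worker with it) and then carrying the remaining-depth budget that the 1.5.4/1.6.2 fix introduced (Rack exposes its limit as Rack::Utils.param_depth_limit, default 100). The module name DeepParams, the ParamsTooDeepError class, the classify helper and the two sample query strings are this example's own constructions.

```ruby
require "uri"

# Added example (not Rack's code): a minimal nested-parameter parser showing
# why unbounded bracket nesting lets one request exhaust the interpreter
# stack, and the shape of the depth-budget fix.

class ParamsTooDeepError < RangeError; end

module DeepParams
  # Split "a[b][c]" into ["a", "b", "c"]. Bracket segments are scanned once, so
  # tokenizing is linear in the key length; the recursion depth below is then
  # the number of segments, i.e. entirely under the client's control.
  def self.segments(key)
    head = key[/\A[^\[\]]*/]
    [head] + key[head.size..-1].scan(/\[([^\[\]]*)\]/).flatten
  end

  # Vulnerable shape: one stack frame per nesting level, no upper bound.
  def self.assign_unbounded(params, segs, i, value)
    name = segs[i]
    if i == segs.size - 1
      params[name] = value
    else
      params[name] = {} unless params[name].is_a?(Hash)
      assign_unbounded(params[name], segs, i + 1, value)
    end
    params
  end

  # Fixed shape: the same recursion, but with a remaining-depth budget that is
  # checked before the frame does any work, so the request is rejected with an
  # ordinary exception instead of overflowing the stack.
  def self.assign_limited(params, segs, i, value, depth)
    raise ParamsTooDeepError, "parameter nesting exceeds limit" if depth <= 0
    name = segs[i]
    if i == segs.size - 1
      params[name] = value
    else
      params[name] = {} unless params[name].is_a?(Hash)
      assign_limited(params[name], segs, i + 1, value, depth - 1)
    end
    params
  end

  # limit: nil selects the unbounded (vulnerable) assignment; an Integer caps
  # the nesting depth the way the upstream fix does.
  def self.parse(query, limit: nil)
    query.split("&").each_with_object({}) do |pair, params|
      k, v = pair.split("=", 2).map { |s| URI.decode_www_form_component(s.to_s) }
      segs = segments(k)
      if limit
        assign_limited(params, segs, 0, v, limit)
      else
        assign_unbounded(params, segs, 0, v)
      end
    end
  end

  # Report what happens to a request: :ok, :rejected (depth limit hit) or
  # :stack_exhausted (SystemStackError, the CVE-2015-3225 outcome).
  def self.classify(query, limit: nil)
    parse(query, limit: limit)
    :ok
  rescue ParamsTooDeepError
    :rejected
  rescue SystemStackError
    :stack_exhausted
  end
end

# Constructed inputs: a normal form body and an attacker's single hostile key.
BENIGN  = "user[name]=alice&user[roles][admin]=1"
HOSTILE = "a" + "[a]" * 1_000_000 + "=1"
```

Two practitioner caveats follow from the code. SystemStackError is not a StandardError, so a bare `rescue => e` in middleware or an error handler does not catch it, which is why there is no application-level workaround and the advisory says so. The depth-limited parser still tokenizes the whole hostile key before rejecting it; a production parser should additionally bound the request size (or the bracket count of a key) before doing any per-segment work.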
Comment 1 Hans de Graaff gentoo-dev Security 2015-06-16 19:59:43 UTC
dev-ruby/rack-1.5.4 and dev-ruby/rack-1.6.2 are now in the tree.
Comment 2 Hans de Graaff gentoo-dev Security 2015-06-16 20:02:19 UTC
Please test and mark stable:

=dev-ruby/rack-1.5.4
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-16 20:05:13 UTC
the 1.4 slot is stabilized, am I correct in assessing this should be EOLed in GLSA?
Comment 4 Hans de Graaff gentoo-dev Security 2015-06-16 21:18:41 UTC
(In reply to Kristian Fiskerstrand from comment #3)
> the 1.4 slot is stabilized, am I correct in assessing this should be EOLed
> in GLSA?

After discussing this with upstream they released rack 1.4.6 so we can keep Rails 3.2.x around. I've just added that to the tree. New full stable list:

=dev-ruby/rack-1.4.6
=dev-ruby/rack-1.5.4
Comment 5 Agostino Sarubbo gentoo-dev 2015-06-17 07:17:11 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-06-17 07:21:52 UTC
x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-19 05:23:35 UTC
Stable for HPPA PPC64.
Comment 8 Agostino Sarubbo gentoo-dev 2015-06-24 09:01:56 UTC
ppc stable
Comment 9 Markus Meier gentoo-dev 2015-06-28 09:12:51 UTC
arm stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-06-28 15:20:44 UTC
alpha stable
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-16 19:46:01 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-07-23 09:38:13 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Manuel Rüger (RETIRED) gentoo-dev 2015-07-23 12:27:51 UTC
  23 Jul 2015; Manuel Rüger <mrueg@gentoo.org> -rack-1.4.5-r1.ebuild,
  -rack-1.5.2-r1.ebuild:
  Remove vulnerable.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2015-08-09 02:53:40 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 15 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-08-10 14:49:35 UTC
GLSA Vote: No