The regular expression engine (regex.c) in Ruby 1.8.5 and earlier, 1.8.6
through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows
remote attackers to cause a denial of service (infinite loop and crash) via
multiple long requests to a Ruby socket, related to memory allocation
failure, and as demonstrated against Webrick.
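As an added example (not code from this bug thread or from Ruby itself), the affected ranges quoted above turned into a version check a maintainer can run against a build. The inputs mirror Ruby's own RUBY_VERSION, RUBY_PATCHLEVEL and, for 1.9 snapshots, the subversion revision number; the function names and the :vulnerable/:fixed/:unknown results are my own convention.

```ruby
# Added example: classify a Ruby build against the ranges in the CVE text
# above: 1.8.5 and earlier, 1.8.6 up to p286, 1.8.7 up to p71, 1.9 up to r18423.
# `version` is a "MAJOR.MINOR.TEENY" string like RUBY_VERSION; `patchlevel`
# is an integer like RUBY_PATCHLEVEL; `revision` is the svn revision number
# of a 1.9 snapshot. Anything the CVE text does not pin down returns :unknown
# rather than guessing.
def regex_dos_status(version, patchlevel: nil, revision: nil)
  unless version =~ /\A\d+\.\d+\.\d+\z/
    raise ArgumentError, "unexpected version string #{version.inspect}"
  end
  major, minor, teeny = version.split('.').map(&:to_i)

  # Branches newer than 1.9 postdate the fix entirely.
  return :fixed if major > 1 || (major == 1 && minor > 9)
  # Every build of 1.8.5 and earlier (and of older 1.x lines) is affected.
  return :vulnerable if major == 1 && minor < 8
  return :vulnerable if major == 1 && minor == 8 && teeny <= 5

  if major == 1 && minor == 8
    # Last affected patchlevel per 1.8 teeny release, from the CVE text.
    last_bad = { 6 => 286, 7 => 71 }[teeny]
    return :unknown if last_bad.nil? || patchlevel.nil?
    return patchlevel <= last_bad ? :vulnerable : :fixed
  end

  # 1.9 development line: affected through subversion revision r18423.
  return :unknown if revision.nil?
  revision <= 18423 ? :vulnerable : :fixed
end

# Convenience wrapper for the interpreter running this script. RUBY_PATCHLEVEL
# is missing on very old builds, and RUBY_REVISION is an integer only on
# 1.9-era builds (later Rubies expose a git hash string), so both are passed
# through only when they have the expected shape.
def running_ruby_status
  pl  = defined?(RUBY_PATCHLEVEL) && RUBY_PATCHLEVEL.is_a?(Integer) ? RUBY_PATCHLEVEL : nil
  rev = defined?(RUBY_REVISION) && RUBY_REVISION.is_a?(Integer) ? RUBY_REVISION : nil
  regex_dos_status(RUBY_VERSION, patchlevel: pl, revision: rev)
end

if __FILE__ == $0
  puts "#{RUBY_VERSION}: #{running_ruby_status}"
end
```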
I am unsure whether this also affects 287, as the author of the advisory confirmed only 286. It contains a reproducer though.
Steven Christey pointed out:
Note the following DoS in the regular expression engine, which smells like
a NULL pointer dereference. This appears to have been fixed in the latest
release. A *likely* (but not provable) changelog entry for the fix is:
"regex.c (DOUBLE_STACK, re_compile_fastmap0, re_adjust_startpos),
(re_search, re_match_exec): check if failed to allocate memory."
(In reply to comment #1)
> I am unsure whether this also affects 287, as the author of the advisory
> confirmed only 286. It contains a reproducer though.
Running the reproducer script against a webrick server did suck up all available memory with p287 as well. A more decent server such as mongrel quickly noticed that something fishy was going on and aborted the test requests, so the bug may well be in webrick.
Any news here?
Tried the exploit once more. It did cause Webrick to print the whole ~140MB worth of A's from the exploit to the terminal. Redirecting that to a file took away the terminal CPU load, Webrick itself returned to normal operation after the attack.
After reviewing the CVE and other advisories, I deem this issue fixed in the tree; all versions are stable and no vulnerable versions are left.
I vote NO. Closing NOGLSA.