Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 458776 (CVE-2013-0269) - <dev-lang/ruby-1.9.3_p392: DoS vulnerabilities (CVE-2013-{0269,1821})
Summary: <dev-lang/ruby-1.9.3_p392: DoS vulnerabilities (CVE-2013-{0269,1821})
Status: RESOLVED FIXED
Alias: CVE-2013-0269
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks: CVE-2012-4464 CVE-2012-5371
  Show dependency tree
 
Reported: 2013-02-22 18:57 UTC by Hans de Graaff
Modified: 2014-12-13 19:23 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Hans de Graaff gentoo-dev Security 2013-02-22 19:22:14 UTC 
Now in the tree:

=dev-lang/ruby-1.9.3_p392
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-02-23 16:37:24 UTC 
(In reply to comment #1)
> Now in the tree:
> 
> =dev-lang/ruby-1.9.3_p392

Thanks, Hans.

Arches, please test and mark stable. 

Target KEYWORDS: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
Comment 3 Agostino Sarubbo gentoo-dev 2013-02-23 21:11:33 UTC 
ppc stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-02-23 22:02:45 UTC 
ppc64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-02-24 12:12:59 UTC 
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-02-24 12:16:11 UTC 
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-02-24 15:08:26 UTC 
ia64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-02-24 17:21:50 UTC 
hppa stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-02-24 18:50:54 UTC 
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-02-24 19:49:15 UTC 
s390 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-02-24 19:57:14 UTC 
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-02-26 10:22:00 UTC 
alpha stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-02-26 18:52:56 UTC 
sh stable
Comment 14 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-03 21:31:19 UTC 
GLSA vote: yes.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-03-04 23:21:51 UTC 
CVE-2013-0269 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0269):
  The JSON gem 1.7.x before 1.7.7, 1.6.x before 1.6.8, and 1.5.x before 1.5.5
  allows remote attackers to cause a denial of service (resource consumption)
  or bypass the mass assignment protection mechanism via a crafted JSON
  document that triggers the creation of arbitrary Ruby symbols or certain
  internal objects, as demonstrated by conducting a SQL injection attack
  against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-04-11 16:57:36 UTC 
CVE-2013-1821 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1821):
  lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows
  remote attackers to cause a denial of service (memory consumption and crash)
  via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE)
  attack.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2014-06-19 02:57:37 UTC 
GLSA Vote: Yes
Added to an existing GLSA request.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 19:23:53 UTC 
This issue was resolved and addressed in
 GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml
by GLSA coordinator Sean Amoss (ackle).