Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 492282 (CVE-2013-4164) - <dev-lang/ruby-{1.9.3_p484,2.0.0_p353}: heap overflow in floating point parsing (CVE-2013-4164)
Summary: <dev-lang/ruby-{1.9.3_p484,2.0.0_p353}: heap overflow in floating point parsi...
Status: RESOLVED FIXED
Alias: CVE-2013-4164
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa]
Keywords:
Depends on: ruby-1.8 475308 483708 488414 492268
Blocks: 483466
  Show dependency tree
 
Reported: 2013-11-22 10:43 UTC by Agostino Sarubbo
Modified: 2019-09-13 05:28 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-11-22 10:43:51 UTC
From ${URL} :

Ruby Programming Language Project reports:

https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/

  Heap Overflow in Floating Point Parsing (CVE-2013-4164)

  There is an overflow in floating point number parsing in Ruby. This
  vulnerability has been assigned the CVE identifier CVE-2013-4164.

  Details
  Any time a string is converted to a floating point value, a specially
  crafted string can cause a heap overflow. This can lead to a denial of
  service attack via segmentation faults and possibly arbitrary code execution.
  Any program that converts input of unknown origin to floating point values
  (especially common when accepting JSON) are vulnerable.

  Vulnerable code looks something like this:

    untrusted_data.to_f

  But any code that produces floating point values from external data is
  vulnerable, such as this:

    JSON.parse untrusted_data

  Note that this bug is similar to CVE-2009-0689.

  All users running an affected release should upgrade to the fixed versions
  of ruby.

  Affected versions

  All ruby 1.8 versions
  All ruby 1.9 versions prior to ruby 1.9.3 patchlevel 484
  All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 353
  All ruby 2.1 versions prior to ruby 2.1.0 preview1 prior to trunk revision
  43780

  Solutions

  All users are recommended to upgrade to Ruby 1.9.3 patchlevel 484,
  ruby 2.0.0 patchlevel 353 or ruby 2.1.0 preview2.

  Please note that ruby 1.8 series or any earlier releases are already
  obsoleted. There is no plan to release new fixed versions for them. Users of
  such versions are advised to upgrade as soon as possible as we cannot
  guarantee the continued availability of security fixes for unsupported
  releases.

  Credits
  Thanks to Charlie Somerville for reporting this issue!

Upstream announcements of fixed versions 1.9.3p484 and 2.0.0p353:
https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/
https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released/

Upstream commits (trunk, 1.9.3 and 2.0.0):
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43775
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43776
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43778

GitHub repositories mirror commits:
https://github.com/ruby/ruby/commit/5cb83d9dab13e14e6146f455ffd9fed4254d238f
https://github.com/ruby/ruby/commit/60c29bbbf6574e0e947c56e71c3c3ca11620ee15
https://github.com/ruby/ruby/commit/46cd2f463c5668f53436076e67db59fdc33ff384

External references:
https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Hans de Graaff gentoo-dev Security 2013-11-22 19:23:26 UTC
ruby-1.9.3_p484 and ruby-2.0.0_p353 are now in the tree.

ruby 1.8 is deprecated and we'll work on masking it as soon as possible.
Comment 2 Agostino Sarubbo gentoo-dev 2013-11-24 15:52:49 UTC
(In reply to Agostino Sarubbo from comment #0)
> @maintainer(s): after the bump, in case we need to stabilize the package,
> please let us know if it is ready for the stabilization or not.
Comment 3 Mina Naguib 2013-11-24 16:42:13 UTC
There exists a backported patch for CVE-2013-4164 for ruby 1.8:

http://makandracards.com/railslts/19977-backported-fix-for-heap-overflow-in-floating-point-parsing-cve-2013-4164

It might be a good idea to bring this in to stall/in conjunction with deprecating MRI 1.8.
Comment 4 Hans de Graaff gentoo-dev Security 2013-11-26 10:56:47 UTC
(In reply to Mina Naguib from comment #3)
> There exists a backported patch for CVE-2013-4164 for ruby 1.8:
> 
> http://makandracards.com/railslts/19977-backported-fix-for-heap-overflow-in-
> floating-point-parsing-cve-2013-4164
> 
> It might be a good idea to bring this in to stall/in conjunction with
> deprecating MRI 1.8.

Thanks for letting us know about the patch, but we were already planning to mask and remove ruby 1.8 before the end of the year. This security issue is simply speeding up the goal by a few weeks at the most. We do not intend to patch ruby 1.8.
Comment 5 Hans de Graaff gentoo-dev Security 2013-11-30 07:44:29 UTC
I think we can mark the new ruby versions stable:

=dev-lang/ruby-1.9.3_p484
=dev-lang/ruby.2.0.0_p353

For ruby 1.8 removal we also need a few stable bugs to go through first. These are added as blockers on this bug.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2013-11-30 15:51:37 UTC
Stable for HPPA.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-12-12 20:44:01 UTC
CVE-2013-4164 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4164):
  Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before
  2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780
  allows context-dependent attackers to cause a denial of service
  (segmentation fault) and possibly execute arbitrary code via a string that
  is converted to a floating point value, as demonstrated using (1) the to_f
  method or (2) JSON.parse.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-12-12 20:48:59 UTC
CVE-2013-4407 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4407):
  HTTP::Body::Multipart in the HTTP-Body 1.08, 1.17, and earlier module for
  Perl uses the part of the uploaded file's name after the first "." character
  as the suffix of a temporary file, which makes it easier for remote
  attackers to conduct attacks by leveraging subsequent behavior that may
  assume the suffix is well-formed.
Comment 9 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-12 20:50:36 UTC
Ignore the second CVE.
Comment 10 Agostino Sarubbo gentoo-dev 2013-12-15 17:18:26 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-12-15 17:43:42 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-12-15 17:43:54 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-12-15 17:44:05 UTC
x86 stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-12-15 18:24:20 UTC
alpha stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-12-15 18:24:28 UTC
arm stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-12-15 18:24:37 UTC
sparc stable
Comment 17 Akinori Hattori gentoo-dev 2013-12-29 14:47:54 UTC
ia64 stable
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2013-12-29 21:28:02 UTC
Please check if =dev-lang/ruby.2.0.0_p353 was stabled for arm as per this bug looks like only ruby-1.9.3_p484.

Setting arm arch back.
Comment 19 Markus Meier gentoo-dev 2014-01-04 13:30:05 UTC
arm stable, all arches done.
Comment 20 Yury German Gentoo Infrastructure gentoo-dev 2014-01-04 18:26:11 UTC
Maintainer(s), please drop the vulnerable version(s).

<dev-lang/ruby-1.9.3_p484
<dev-lang/ruby.2.0.0_p353
1.8 Version.
Comment 21 Hans de Graaff gentoo-dev Security 2014-01-05 13:19:04 UTC
(In reply to Yury German from comment #20)

> <dev-lang/ruby-1.9.3_p484
> <dev-lang/ruby.2.0.0_p353

These are now dropped.

> 1.8 Version.

Still in progress.
Comment 22 Hans de Graaff gentoo-dev Security 2014-05-04 08:39:50 UTC
(In reply to Hans de Graaff from comment #21)

> > 1.8 Version.
> 
> Still in progress.

Ruby 1.8 has been masked and removed.
Comment 23 Yury German Gentoo Infrastructure gentoo-dev 2014-05-04 16:24:13 UTC
Maintainer(s), Thank you for cleanup!

Added to an existing GLSA request.
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 19:24:06 UTC
This issue was resolved and addressed in
 GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 25 Abdul Khan 2019-09-13 05:28:07 UTC
This is so beneficial information for everyone. I hope all are taking benefits of this.
https://www.duaistikharaforlove.com/