Bug 488298 (CVE-2013-4389) - <dev-ruby/actionmailer-3.2.15 : Possible DoS (CVE-2013-4389)
Summary: <dev-ruby/actionmailer-3.2.15 : Possible DoS (CVE-2013-4389)
Alias: CVE-2013-4389
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Duplicates: 489212
Depends on:
Reported: 2013-10-16 20:45 UTC by Agostino Sarubbo
Modified: 2013-11-04 13:02 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-10-16 20:45:26 UTC
From ${URL} :

Possible DoS Vulnerability in Action Mailer

There is a possible DoS vulnerability in the log subscriber component of
Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2013-4389.

Versions Affected:  3.x.x
Not affected:       4.0.x, 2.3.x
Fixed Versions:     3.2.15

A carefully crafted email address in conjunction with the Action Mailer logger
format string could take advantage of a bug in Ruby's sprintf implementation
and possibly lead to a denial of service attack.

Impacted Ruby code will look something like this:

  "some string #{user_input}" % some_number

All users running an affected release should either upgrade or use one of the
workarounds immediately.

The FIXED releases are available at the normal locations. 

If you can't upgrade or apply a patch to your system, you can work around the
issue by using the following monkey patch after requiring Action Mailer:

module ActionMailer
  class LogSubscriber < ActiveSupport::LogSubscriber
    # Build the log line with string interpolation only, so the recipient
    # address is never passed through sprintf (String#%).
    def deliver(event)
      recipients = Array.wrap(event.payload[:to]).join(', ')
      info("\nSent mail to #{recipients} (#{event.duration.round(1)}ms)")
    end
  end
end

To aid users who aren't able to upgrade immediately we have provided patches for the two supported 
release series.  They are in git-am format and consist of a single changeset. 

* 3-2-log-subscriber.patch - Patch for 3.2 series 
* 3-1-log-subscriber.patch - Patch for 3.1 series 
* 3-0-log-subscriber.patch - Patch for 3.0 series 

Please note that only the 4.0.x, 3.2.x, and 2.3.x series are supported at present.  Users of 
earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the 
continued availability of security fixes for unsupported releases.

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
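As an added example (not part of the bug report or the Rails advisory), the snippet below contrasts the format-string pattern the advisory describes ("some string #{user_input}" % some_number) with the interpolation-only form used in the monkey patch, using constructed sample addresses; all function names are hypothetical.

```ruby
# Added example, not code from the advisory or from Rails. Ruby's String#%
# treats the whole left-hand string as a sprintf format, so any '%' inside an
# attacker-controlled address becomes a conversion directive. CVE-2013-4389 is
# about exactly that shape in Action Mailer's log subscriber.

# Vulnerable shape: the recipient is interpolated INTO the format string,
# then the result is handed to sprintf via String#%.
def vulnerable_log_line(recipient, duration_ms)
  "Sent mail to #{recipient} (%.1fms)" % duration_ms
end

# Hardened shape (what the monkey patch does): build the line entirely with
# interpolation, so the recipient never reaches sprintf.
def safe_log_line(recipient, duration_ms)
  "Sent mail to #{recipient} (#{duration_ms.round(1)}ms)"
end

# Alternative hardening when a format string is unavoidable: neutralise '%'
# in untrusted data before it is placed inside the format.
def escaped_log_line(recipient, duration_ms)
  "Sent mail to #{recipient.gsub('%', '%%')} (%.1fms)" % duration_ms
end

# Run a formatter and report the failure instead of raising, so the three
# forms can be compared side by side on the same input.
def attempt
  yield
rescue ArgumentError => e
  "ArgumentError: #{e.message}"
end

# Constructed sample addresses: one benign, one carrying a sprintf directive.
SAMPLE_ADDRESSES = ["alice@example.com", "bob%s@example.com"].freeze

if __FILE__ == $0
  SAMPLE_ADDRESSES.each do |addr|
    puts "recipient: #{addr}"
    puts "  vulnerable: #{attempt { vulnerable_log_line(addr, 12.34) }}"
    puts "  safe:       #{attempt { safe_log_line(addr, 12.34) }}"
    puts "  escaped:    #{attempt { escaped_log_line(addr, 12.34) }}"
  end
end
```

With the benign address all three forms agree; with the address containing a directive, the vulnerable form fails inside sprintf while the interpolation-only and escaped forms log the address literally.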
Comment 1 Hans de Graaff gentoo-dev Security 2013-10-17 06:39:09 UTC
Rails 3.2.15 is in the tree now. No stable versions are affected.

I haven't decided yet what to do with Rails 3.1: patch or remove.
Comment 2 Hans de Graaff gentoo-dev Security 2013-10-19 06:07:19 UTC
I have just masked Rails 3.1 for removal, so we should be all done for this issue.
Comment 3 Agostino Sarubbo gentoo-dev 2013-10-24 04:50:11 UTC
*** Bug 489212 has been marked as a duplicate of this bug. ***