Bug 616480 (CVE-2017-6181) - <dev-lang/ruby-2.4.1: infinite loop in parse_char_class() in Onigmo
Summary: <dev-lang/ruby-2.4.1: infinite loop in parse_char_class() in Onigmo
Status: RESOLVED FIXED
Alias: CVE-2017-6181
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-24 11:49 UTC by Agostino Sarubbo
Modified: 2017-04-28 05:41 UTC
CC: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2017-04-24 11:49:42 UTC
From ${URL}:

The parse_char_class function in regparse.c in the Onigmo (aka
Oniguruma-mod) regular expression library, as used in Ruby 2.4.0,
allows remote attackers to cause a denial of service (deep recursion
and application crash) via a crafted regular expression.

Upstream issue:

https://bugs.ruby-lang.org/issues/13234


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
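The description above says the parser is reachable only through a crafted regular expression, which makes the practical question for an application whether untrusted input ever becomes a pattern at all. The following is an added example, not code from this bug, from Ruby upstream or from the Onigmo project: it checks the interpreter against the version range given in this bug (summary: below 2.4.1 in the 2.4 slot; the CVE text names 2.4.0; Comment 1 names 2.4.1 as fixed), and shows the unsafe shape where user text is compiled as a pattern beside the hardened shape where `Regexp.escape` turns it into a literal. The `pattern_allowed?` policy and all sample strings are assumptions for illustration, not anything the page prescribes.

```ruby
# Added example for CVE-2017-6181, not from the Gentoo bug or Ruby upstream.
require 'rubygems'

# Affected range as stated on the bug page: the 2.4 series below 2.4.1.
# Other release series are not discussed there, so this deliberately answers
# false for them (assumption: out of scope, not a statement that they are safe).
def affected_ruby?(version = RUBY_VERSION)
  v = Gem::Version.new(version)
  v >= Gem::Version.new('2.4.0') && v < Gem::Version.new('2.4.1')
end

# Unsafe shape: attacker-controlled text is compiled as a pattern, so whatever
# the attacker wrote is handed to regparse.c (including parse_char_class).
def search_unsafe(text, user_pattern)
  text =~ Regexp.new(user_pattern)
end

# Hardened shape: Regexp.escape makes the user's string a literal, so the
# parser only ever sees metacharacters the application itself wrote.
# The user input is matched as data, never interpreted as grammar.
def search_safe(text, user_literal)
  text =~ Regexp.new(Regexp.escape(user_literal))
end

# Assumed policy for callers that genuinely must accept a pattern: bound its
# length and refuse bracket expressions and escapes, so no character class is
# ever parsed from user input.  This narrows exposure; it is not a fix, and the
# real fix is the interpreter upgrade checked above.
def pattern_allowed?(user_pattern)
  user_pattern.length <= 64 && !user_pattern.match?(/[\[\]\\]/)
end

if __FILE__ == $0
  # Constructed sample input: the '+' is a metacharacter, so the two shapes
  # behave differently on the very same string.
  text = 'price is 1+1=2'
  puts "RUBY_VERSION=#{RUBY_VERSION} affected=#{affected_ruby?}"
  puts "unsafe: #{search_unsafe(text, '1+1').inspect}"   # /1+1/ needs "11": nil
  puts "safe:   #{search_safe(text, '1+1').inspect}"     # /1\+1/ matches at 9
  puts "policy: #{pattern_allowed?('[a-z]+')}"            # false
end
```

`search_unsafe` is kept only to show the trust boundary; in code that takes a search string from a remote user, `search_safe` is the shape to ship, and the version check belongs in the deployment gate rather than in the application.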
Comment 1 Hans de Graaff gentoo-dev Security 2017-04-27 06:00:12 UTC
This is already fixed in ruby 2.4.1 which is in the tree already. There are no stable versions in this slot and I have removed the older 2.4.x versions.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2017-04-28 05:41:32 UTC
Hans, thank you ... changing whiteboard since no stable version in the slot and setting no glsa.