Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 798417 (CVE-2021-32823) - <dev-ruby/bindata-2.4.10: DoS by creating certain classes (CVE-2021-32823)
Summary: <dev-ruby/bindata-2.4.10: DoS by creating certain classes (CVE-2021-32823)
Status: RESOLVED FIXED
Alias: CVE-2021-32823
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://github.com/dmendel/bindata/bl...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-06-24 15:03 UTC by John Helmert III
Modified: 2021-08-08 05:59 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-24 15:03:33 UTC
CVE-2021-32823:

In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions it is very slow for certain classes in BinData to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>. In combination with <user_input>.constantize there is a potential for a CPU-based DoS. In version 2.4.10 bindata improved the creation time of Bits and Integers.

Patch: https://github.com/dmendel/bindata/commit/d99f050b88337559be2cb35906c1f8da49531323
Please bump to 2.4.10.
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:21:20 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:29:28 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:37:26 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:45:31 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:53:36 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:01:30 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:09:51 UTC
Package list is empty or all packages have requested keywords.
Comment 8 Larry the Git Cow gentoo-dev 2021-08-08 05:56:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7b08ad8c26cfdf83481f70d4010d0ab73333157

commit f7b08ad8c26cfdf83481f70d4010d0ab73333157
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-08-08 05:51:57 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-08-08 05:51:57 +0000

    dev-ruby/bindata: cleanup
    
    Bug: https://bugs.gentoo.org/798417
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/bindata/Manifest             |  3 ---
 dev-ruby/bindata/bindata-2.4.6.ebuild | 22 ----------------------
 dev-ruby/bindata/bindata-2.4.7.ebuild | 22 ----------------------
 dev-ruby/bindata/bindata-2.4.8.ebuild | 22 ----------------------
 4 files changed, 69 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2bec4ab7f5ce551ca1e954ff50cf8b9467f9cd5d

commit 2bec4ab7f5ce551ca1e954ff50cf8b9467f9cd5d
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-08-08 05:51:16 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-08-08 05:51:16 +0000

    dev-ruby/bindata: add 2.4.10
    
    Bug: https://bugs.gentoo.org/798417
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/bindata/Manifest              |  1 +
 dev-ruby/bindata/bindata-2.4.10.ebuild | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+)
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-08 05:59:41 UTC
Thanks, all done!