Bug 1212890 (CVE-2023-36617)

Summary: VUL-0: CVE-2023-36617: ruby2.1,ruby,ruby2.5,ruby3.2: rubygem-uri: vulnerability for ReDoS
Product: [Novell Products] SUSE Security Incidents
Reporter: Cathy Hu <cathy.hu>
Component: Incidents
Assignee: Marcus Rückert <mrueckert>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: lars.vogdt, mrueckert, security-team, stoyan.manolov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/370885/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-36617:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Cathy Hu 2023-06-30 09:28:24 UTC
CVE-2023-36617

A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The
URI parser mishandles invalid URLs that have specific characters. There is an
increase in execution time for parsing strings to URI objects with
rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists because of an
incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-36617
https://bugzilla.redhat.com/show_bug.cgi?id=2218614
https://www.cve.org/CVERecord?id=CVE-2023-36617
https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/
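Added here as an illustration, not part of the bug report, the CVE text or the uri gem: a Ruby script that measures how long the installed uri takes to reject invalid inputs of growing length. A version check alone is unreliable on distribution packages that backport fixes, so the script classifies the growth in rejection time instead. The probe shapes (a whitespace run ending in a non-digit for the port component check, a space run ending in NUL for the RFC 2396 relative-URI path) are an assumption drawn from the fix commit titles, not payloads taken from this page.

```ruby
require 'uri'
require 'benchmark'

# Probe inputs, constructed for this check. The shapes are an assumption drawn from
# the fix commit titles ("invalid port number", "invalid relative URI"), not payloads
# taken from the advisory: a whitespace run ending in a non-digit is an invalid port
# component, and a space run ending in NUL is an invalid relative URI.
PROBES = {
  invalid_port:         ->(n) { "\t" * n + "a" },
  invalid_relative_uri: ->(n) { " " * n + "\0" },
}.freeze

# Parses one probe of length n and returns the wall-clock seconds it took.
# Every uri version rejects both probes; what differs is how long the rejection takes.
def time_once(kind, n)
  input = PROBES.fetch(kind).call(n)
  Benchmark.realtime do
    begin
      case kind
      when :invalid_port
        URI.parse("http://example.com").port = input  # routed through the port component check
      when :invalid_relative_uri
        URI::RFC2396_Parser.new.parse(input)          # routed through rfc2396_parser.rb
      end
    rescue URI::Error
      nil # expected: the probe is invalid by construction
    end
  end
end

# Best of several runs per length, to damp scheduler and GC noise.
def measure(kind, lengths, runs: 3)
  lengths.map { |n| [n, Array.new(runs) { time_once(kind, n) }.min] }.to_h
end

# Classifies growth when the input length doubles: a linear match roughly doubles
# the time, a quadratic one roughly quadruples it. Only the two largest steps count,
# because the smallest inputs are dominated by fixed call overhead.
def growth_class(timings)
  ratios = timings.sort.each_cons(2).map { |(_, t1), (_, t2)| t2 / [t1, 1e-9].max }
  return :unknown if ratios.empty?
  last = ratios.last(2)
  last.sum / last.size >= 3.0 ? :quadratic : :linear
end

# Runs both probes at doubling lengths. Lengths are kept small so that even a
# vulnerable uri finishes in seconds instead of hanging the host.
def report(lengths = [1_000, 2_000, 4_000, 8_000])
  PROBES.keys.map do |kind|
    timings = measure(kind, lengths)
    [kind, { timings: timings, growth: growth_class(timings) }]
  end.to_h
end

if $PROGRAM_NAME == __FILE__
  version = defined?(URI::VERSION) ? URI::VERSION : "(URI::VERSION undefined; uri predates gem packaging)"
  puts "ruby #{RUBY_VERSION}, uri #{version}"
  report.each do |kind, r|
    cells = r[:timings].map { |n, t| format("%d=%.4fs", n, t) }.join(" ")
    puts "#{kind}: #{r[:growth]}  #{cells}"
  end
end
```

Run it with the interpreter under test. A quadratic result for either probe means that parser still backtracks super-linearly on that input shape; linear on both is consistent with the 0.10.3 / 0.12.2 fixes. The timing is deliberately relative (doubling ratios, best of three runs) so the verdict does not depend on the speed of the machine.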
Comment 1 Cathy Hu 2023-06-30 09:41:34 UTC
Tracking as affected:

- SUSE:SLE-15:Update/ruby2.5
- SUSE:ALP:Source:Standard:1.0/ruby3.2  3.2.2
- openSUSE:Factory/ruby3.2              3.2.2
Comment 2 Cathy Hu 2023-06-30 09:42:08 UTC
Fix: https://github.com/ruby/ruby/pull/7995/files
Comment 6 Marcus Rückert 2023-09-15 00:11:31 UTC
(In reply to Hu from comment #2)
> Fix: https://github.com/ruby/ruby/pull/7995/files

This is actually the fix for the in-tree copy of uri in bundler.

Our bundler package does not have that in-tree copy yet.

```
commit 995ce947bed7e92bcda185f164d43089e6a1cf5e
Author: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date:   Sat Apr 22 20:09:10 2023 +0900

    [ruby/uri] Fix quadratic backtracking on invalid port number
    
    https://hackerone.com/reports/1958260
    
    https://github.com/ruby/uri/commit/9d7bcef1e6

commit 1eff362492f4a0ca8d6d036c958afa7961e827f0
Author: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date:   Sat Apr 22 20:08:32 2023 +0900

    [ruby/uri] Fix quadratic backtracking on invalid relative URI
    
    https://hackerone.com/reports/1958260
    
    https://github.com/ruby/uri/commit/9010ee2536

```