Bug 1209967 (CVE-2023-28756) - VUL-0: CVE-2023-28756: ruby: ReDoS vulnerability in Time
Summary: VUL-0: CVE-2023-28756: ruby: ReDoS vulnerability in Time
Status: NEW
Alias: CVE-2023-28756
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Marcus Rückert
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/361957/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-28756:6.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-03-30 14:12 UTC by Robert Frohl
Modified: 2023-12-11 07:41 UTC (History)
6 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
stoyan.manolov: needinfo? (mrueckert)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2023-03-30 14:12:53 UTC
We have released the time gem version 0.1.1 and 0.2.2 that has a security fix for a ReDoS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2023-28756.


Details:

The Time parser mishandles invalid strings that have specific characters. It causes an increase in execution time for parsing strings to Time objects.

A ReDoS issue was discovered in the Time gem 0.1.0 and 0.2.1 and Time library of Ruby 2.7.7.


Recommended action:

We recommend to update the time gem to version 0.2.2 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:

    For Ruby 3.0 users: Update to time 0.1.1
    For Ruby 3.1/3.2 users: Update to time 0.2.2

You can use gem update time to update it. If you are using bundler, please add gem "time", ">= 0.2.2" to your Gemfile.

Unfortunately, time gem only works with Ruby 3.0 or later. If you are using Ruby 2.7, please use the latest version of Ruby.


Affected versions:

    Ruby 2.7.7 or lower
    time gem 0.1.0
    time gem 0.2.1

Credits:

Thanks to ooooooo_q for discovering this issue.

https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/
Comment 3 OBSbugzilla Bot 2023-03-30 16:05:04 UTC
This is an autogenerated message for OBS integration:
This bug (1209967) was mentioned in
https://build.opensuse.org/request/show/1075579 Factory / ruby3.2
Comment 11 Maintenance Automation 2023-10-24 16:30:37 UTC
SUSE-SU-2023:4176-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1193035, 1205726, 1209891, 1209967
CVE References: CVE-2021-33621, CVE-2021-41817, CVE-2023-28755, CVE-2023-28756
Sources used:
openSUSE Leap 15.4 (src): ruby2.5-2.5.9-150000.4.29.1
openSUSE Leap 15.5 (src): ruby2.5-2.5.9-150000.4.29.1
Basesystem Module 15-SP4 (src): ruby2.5-2.5.9-150000.4.29.1
Basesystem Module 15-SP5 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Manager Proxy 4.2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Manager Retail Branch Server 4.2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Manager Server 4.2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Enterprise Storage 7.1 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE CaaS Platform 4.0 (src): ruby2.5-2.5.9-150000.4.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.