Bug 1212890 (CVE-2023-36617) - VUL-0: CVE-2023-36617: ruby2.1,ruby,ruby2.5,ruby3.2: rubygem-uri: vulnerability for ReDoS
Summary: VUL-0: CVE-2023-36617: ruby2.1,ruby,ruby2.5,ruby3.2: rubygem-uri: vulnerabili...
Status: NEW
Alias: CVE-2023-36617
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assignee: Marcus Rückert
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/370885/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-36617:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-30 09:28 UTC by Cathy Hu
Modified: 2023-09-15 00:11 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Cathy Hu 2023-06-30 09:28:24 UTC
CVE-2023-36617

A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The
URI parser mishandles invalid URLs that have specific characters. There is an
increase in execution time for parsing strings to URI objects with
rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists because of an
incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-36617
https://bugzilla.redhat.com/show_bug.cgi?id=2218614
https://www.cve.org/CVERecord?id=CVE-2023-36617
https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/
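Added example, not code from this bug report or from the ruby/uri project: a defender's check for the advisory above. It compares a uri version against the fixed releases the description names (0.12.2, and 0.10.3 for the 0.10 branch), reports whether the uri actually loaded in the current Ruby is fixed, and wraps URI.parse with the generic ReDoS mitigations available on the Ruby side: an input length cap and, on Ruby 3.2 and later, Regexp.timeout. The function names, the 2048-byte cap and the one-second timeout are assumptions for this example, not values from the advisory.

```ruby
# Added example (not from the bug report or ruby/uri): version check for
# CVE-2023-36617 plus a bounded URI.parse wrapper. Names, the byte cap and the
# timeout value are assumptions for illustration.
require "uri"

# Lowest fixed release per 0.x branch; every other branch must be >= 0.12.2.
FIXED_URI_VERSIONS = {
  "0.10"    => Gem::Version.new("0.10.3"),
  "default" => Gem::Version.new("0.12.2"),
}.freeze

# True when +version_string+ is a release that contains the fix.
# Gem::Version compares numerically, so "0.12.10" sorts after "0.12.2".
def uri_version_fixed?(version_string)
  v = Gem::Version.new(version_string)
  branch = v.segments[0, 2].join(".")            # "0.12.1" -> "0.12"
  v >= FIXED_URI_VERSIONS.fetch(branch, FIXED_URI_VERSIONS["default"])
end

# Check the uri library actually loaded in this process: uri is a default gem,
# so URI::VERSION is whatever `require "uri"` resolved to (a newer gem may
# shadow the one bundled with the interpreter).
def installed_uri_fixed?
  uri_version_fixed?(URI::VERSION)
end

# Regexp.timeout (Ruby >= 3.2) turns a backtracking blow-up into an exception
# instead of a pinned worker. It is process-global, so set it once at boot;
# the one-second value is an assumed default, not a recommendation.
if Regexp.respond_to?(:timeout=) && Regexp.timeout.nil?
  Regexp.timeout = 1.0
end
# Regexp::TimeoutError only exists on Ruby >= 3.2; on older interpreters use a
# placeholder class so the rescue clause below stays valid.
REGEXP_TIMEOUT_ERROR =
  defined?(Regexp::TimeoutError) ? Regexp::TimeoutError : Class.new(StandardError)

MAX_URI_BYTES = 2048   # assumed cap; size it to what your application accepts

# Apply the length cap first (cheap and independent of the uri version), then
# let a regexp timeout surface as the URI::InvalidURIError callers already
# handle, so an oversized or pathological string fails fast.
def safe_parse(str, max_bytes: MAX_URI_BYTES)
  if str.bytesize > max_bytes
    raise URI::InvalidURIError, "URI exceeds #{max_bytes} bytes"
  end
  URI.parse(str)
rescue REGEXP_TIMEOUT_ERROR
  raise URI::InvalidURIError, "URI parsing exceeded the regexp timeout"
end

if __FILE__ == $PROGRAM_NAME
  puts "uri #{URI::VERSION}: #{installed_uri_fixed? ? 'fixed' : 'VULNERABLE'}"
  puts safe_parse("http://example.com/path?q=1").host
end
```

The version check is what a package maintainer would script across hosts; the wrapper is the application-side backstop that stays useful even after the gem is updated, since any future parser regex defect is bounded by the same cap and timeout.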
Comment 1 Cathy Hu 2023-06-30 09:41:34 UTC
Tracking as affected:

- SUSE:SLE-15:Update/ruby2.5
- SUSE:ALP:Source:Standard:1.0/ruby3.2  3.2.2
- openSUSE:Factory/ruby3.2              3.2.2
Comment 2 Cathy Hu 2023-06-30 09:42:08 UTC
Fix: https://github.com/ruby/ruby/pull/7995/files
Comment 6 Marcus Rückert 2023-09-15 00:11:31 UTC
(In reply to Hu from comment #2)
> Fix: https://github.com/ruby/ruby/pull/7995/files

This is actually the fix for the in-tree copy of uri in bundler.

Our bundler package does not have that in-tree copy yet.

```
commit 995ce947bed7e92bcda185f164d43089e6a1cf5e
Author: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date:   Sat Apr 22 20:09:10 2023 +0900

    [ruby/uri] Fix quadratic backtracking on invalid port number
    
    https://hackerone.com/reports/1958260
    
    https://github.com/ruby/uri/commit/9d7bcef1e6

commit 1eff362492f4a0ca8d6d036c958afa7961e827f0
Author: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date:   Sat Apr 22 20:08:32 2023 +0900

    [ruby/uri] Fix quadratic backtracking on invalid relative URI
    
    https://hackerone.com/reports/1958260
    
    https://github.com/ruby/uri/commit/9010ee2536

```