Bug 864431 – CVE-2014-0082: VUL-0: rubygem-rails-3_2: Denial of Service Vulnerability in Action View when using render :text

Bug 864431 - (CVE-2014-0082) CVE-2014-0082: VUL-0: rubygem-rails-3_2: Denial of Service Vulnerability in Action View when using render :text

(CVE-2014-0082)
Summary:	CVE-2014-0082: VUL-0: rubygem-rails-3_2: Denial of Service Vulnerability in A...

Status:	VERIFIED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:released:sle11-sp2:57536
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2014-02-18 16:02 UTC by Victor Pereira
Modified:	2014-06-17 10:06 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
patch for 3.2 (1.88 KB, patch) 2014-02-18 16:02 UTC, Victor Pereira	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Victor Pereira 2014-02-18 16:02:08 UTC

Created attachment 578968 [details]
patch for 3.2

Denial of Service Vulnerability in Action View when using render :text

There is a denial of service vulnerability in the text rendering component of Action View.

Versions Affected: 3.0.x, 3.1.x, 3.2.x
Not affected: 4.0.x
Fixed Versions: 3.2.17

Impact
------

Strings sent in specially crafted headers will be converted to symbols. This can
cause a denial of service since symbols are not removed by the garbage collector.
All users running an affected release should either upgrade or use one of the work
arounds immediately.

Releases
--------

The FIXED releases are available at the normal locations.

Workarounds
-----------

Users who cannot upgrade may apply this monkey patch as an initializer to work around
the issue:

```
ActiveSupport.on_load(:action_view) do
  ActionView::Template::Text.class_eval do
    def formats
      [@mime_type.respond_to?(:ref) ? @mime_type.ref : @mime_type.to_s]
    end
  end
end
```

Patches
-------

To aid users who aren't able to upgrade immediately we have provided patches for the
supported release series. They are in git-am format and consist of a single changeset.

 * 4-0-render_text_dos.patch - Patch for 4.0 series
 * 3-2-render_text_dos.patch - Patch for 3.2 series
 * 3-1-render_text_dos.patch - Patch for 3.1 series
 * 3-0-render_text_dos.patch - Patch for 3.0 series

Please note that only the 4.0.x and 3.2.x series are supported at present. Users of
earlier unsupported releases are advised to upgrade as soon as possible as we cannot
guarantee the continued availability of security fixes for unsupported releases.

Credits
-------

Thanks to Toby Hsieh of SlideShare for reporting the issue to us and working in
the patch with us.

Comment 1 Swamp Workflow Management 2014-02-18 23:00:49 UTC

bugbot adjusting priority

Comment 2 Swamp Workflow Management 2014-02-19 10:02:18 UTC

The SWAMPID for this issue is 56293.
This issue was rated as moderate.
Please submit fixed packages until 2014-03-05.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.

Comment 5 Jordi Massaguer 2014-02-19 17:18:22 UTC

this one does no affect 2.3 version since the code affected does not exist in 2.3

Comment 7 Bernhard Wiedemann 2014-02-19 18:01:06 UTC

This is an autogenerated message for OBS integration:
This bug (864431) was mentioned in
https://build.opensuse.org/request/show/223116 12.3 / rubygem-actionpack-3_2
https://build.opensuse.org/request/show/223117 13.1 / rubygem-actionpack-3_2

Comment 10 Bernhard Wiedemann 2014-02-21 12:00:18 UTC

This is an autogenerated message for OBS integration:
This bug (864431) was mentioned in
https://build.opensuse.org/request/show/223357 12.3 / rubygem-actionpack-3_2
https://build.opensuse.org/request/show/223358 13.1 / rubygem-actionpack-3_2

Comment 11 Jordi Massaguer 2014-02-21 15:36:40 UTC

assigning back to security

Comment 13 Bernhard Wiedemann 2014-02-24 17:00:43 UTC

This is an autogenerated message for OBS integration:
This bug (864431) was mentioned in
https://build.opensuse.org/request/show/223722 12.3 / rubygem-actionpack-3_2
https://build.opensuse.org/request/show/223723 13.1 / rubygem-actionpack-3_2

Comment 14 Swamp Workflow Management 2014-02-26 10:04:59 UTC

openSUSE-SU-2014:0295-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 864431,864433
CVE References: CVE-2014-0081,CVE-2014-0082
Sources used:
openSUSE 13.1 (src):    rubygem-actionpack-3_2-3.2.13-2.15.1
openSUSE 12.3 (src):    rubygem-actionpack-3_2-3.2.12-1.19.1

Comment 17 Bernhard Wiedemann 2014-04-14 19:01:15 UTC

This is an autogenerated message for OBS integration:
This bug (864431) was mentioned in
https://build.opensuse.org/request/show/230058 Factory / rubygem-actionpack-3_2

Comment 18 Swamp Workflow Management 2014-06-04 20:54:41 UTC

Update released for: rubygem-actionpack-3_2, rubygem-actionpack-3_2-doc
Products:
SLE-SLMS 1.3 (x86_64)
SLE-STUDIOONSITE 1.3 (x86_64)
SLE-WEBYAST 1.3 (i386, ia64, ppc64, s390x, x86_64)

Comment 19 Swamp Workflow Management 2014-06-05 00:04:25 UTC

SUSE-SU-2014:0756-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 864431,864433,864873,876714
CVE References: CVE-2014-0081,CVE-2014-0082,CVE-2014-0130
Sources used:
WebYaST 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.15.1
SUSE Studio Onsite 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.15.1
SUSE Lifecycle Management Server 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.15.1

Comment 20 Johannes Segitz 2014-06-17 10:06:52 UTC

all relevant packages were fixed