Bug 864431 - (CVE-2014-0082) CVE-2014-0082: VUL-0: rubygem-rails-3_2: Denial of Service Vulnerability in Action View when using render :text
(CVE-2014-0082)
CVE-2014-0082: VUL-0: rubygem-rails-3_2: Denial of Service Vulnerability in A...
Status: VERIFIED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
maint:released:sle11-sp2:57536
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-02-18 16:02 UTC by Victor Pereira
Modified: 2014-06-17 10:06 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patch for 3.2 (1.88 KB, patch)
2014-02-18 16:02 UTC, Victor Pereira
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2014-02-18 16:02:08 UTC
Created attachment 578968 [details]
patch for 3.2

Denial of Service Vulnerability in Action View when using render :text

There is a denial of service vulnerability in the text rendering component of Action View.

Versions Affected: 3.0.x, 3.1.x, 3.2.x
Not affected: 4.0.x
Fixed Versions: 3.2.17

Impact
------

Strings sent in specially crafted headers will be converted to symbols. This can
cause a denial of service since symbols are not removed by the garbage collector.
All users running an affected release should either upgrade or use one of the work
arounds immediately.

Releases
--------

The FIXED releases are available at the normal locations.

Workarounds
-----------

Users who cannot upgrade may apply this monkey patch as an initializer to work around
the issue:

```
ActiveSupport.on_load(:action_view) do
  ActionView::Template::Text.class_eval do
    def formats
      [@mime_type.respond_to?(:ref) ? @mime_type.ref : @mime_type.to_s]
    end
  end
end
```

Patches
-------

To aid users who aren't able to upgrade immediately we have provided patches for the
supported release series. They are in git-am format and consist of a single changeset.

 * 4-0-render_text_dos.patch - Patch for 4.0 series
 * 3-2-render_text_dos.patch - Patch for 3.2 series
 * 3-1-render_text_dos.patch - Patch for 3.1 series
 * 3-0-render_text_dos.patch - Patch for 3.0 series

Please note that only the 4.0.x and 3.2.x series are supported at present. Users of
earlier unsupported releases are advised to upgrade as soon as possible as we cannot
guarantee the continued availability of security fixes for unsupported releases.

Credits
-------

Thanks to Toby Hsieh of SlideShare for reporting the issue to us and working in
the patch with us.
Comment 1 Swamp Workflow Management 2014-02-18 23:00:49 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2014-02-19 10:02:18 UTC
The SWAMPID for this issue is 56293.
This issue was rated as moderate.
Please submit fixed packages until 2014-03-05.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 5 Jordi Massaguer 2014-02-19 17:18:22 UTC
this one does no affect 2.3 version since the code affected does not exist in 2.3
Comment 7 Bernhard Wiedemann 2014-02-19 18:01:06 UTC
This is an autogenerated message for OBS integration:
This bug (864431) was mentioned in
https://build.opensuse.org/request/show/223116 12.3 / rubygem-actionpack-3_2
https://build.opensuse.org/request/show/223117 13.1 / rubygem-actionpack-3_2
Comment 10 Bernhard Wiedemann 2014-02-21 12:00:18 UTC
This is an autogenerated message for OBS integration:
This bug (864431) was mentioned in
https://build.opensuse.org/request/show/223357 12.3 / rubygem-actionpack-3_2
https://build.opensuse.org/request/show/223358 13.1 / rubygem-actionpack-3_2
Comment 11 Jordi Massaguer 2014-02-21 15:36:40 UTC
assigning back to security
Comment 13 Bernhard Wiedemann 2014-02-24 17:00:43 UTC
This is an autogenerated message for OBS integration:
This bug (864431) was mentioned in
https://build.opensuse.org/request/show/223722 12.3 / rubygem-actionpack-3_2
https://build.opensuse.org/request/show/223723 13.1 / rubygem-actionpack-3_2
Comment 14 Swamp Workflow Management 2014-02-26 10:04:59 UTC
openSUSE-SU-2014:0295-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 864431,864433
CVE References: CVE-2014-0081,CVE-2014-0082
Sources used:
openSUSE 13.1 (src):    rubygem-actionpack-3_2-3.2.13-2.15.1
openSUSE 12.3 (src):    rubygem-actionpack-3_2-3.2.12-1.19.1
Comment 17 Bernhard Wiedemann 2014-04-14 19:01:15 UTC
This is an autogenerated message for OBS integration:
This bug (864431) was mentioned in
https://build.opensuse.org/request/show/230058 Factory / rubygem-actionpack-3_2
Comment 18 Swamp Workflow Management 2014-06-04 20:54:41 UTC
Update released for: rubygem-actionpack-3_2, rubygem-actionpack-3_2-doc
Products:
SLE-SLMS 1.3 (x86_64)
SLE-STUDIOONSITE 1.3 (x86_64)
SLE-WEBYAST 1.3 (i386, ia64, ppc64, s390x, x86_64)
Comment 19 Swamp Workflow Management 2014-06-05 00:04:25 UTC
SUSE-SU-2014:0756-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 864431,864433,864873,876714
CVE References: CVE-2014-0081,CVE-2014-0082,CVE-2014-0130
Sources used:
WebYaST 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.15.1
SUSE Studio Onsite 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.15.1
SUSE Lifecycle Management Server 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.15.1
Comment 20 Johannes Segitz 2014-06-17 10:06:52 UTC
all relevant packages were fixed