Bugzilla – Bug 934800
VUL-1: CVE-2015-3227: rubygem-activesupport: Possible Denial of Service attack in Active Support
Last modified: 2017-09-11 16:03:33 UTC
EMBARGOED CRD: 2015-06-16

Possible Denial of Service attack in Active Support

There is a possible denial of service attack in the XML processing in Active Support. This vulnerability has been assigned the CVE identifier CVE-2015-3227.

Versions Affected: All.
Not affected: None.
Fixed Versions: 4.2.2, 4.1.11

Impact
------
Specially crafted XML documents can cause applications to raise a `SystemStackError` and potentially cause a denial of service attack.

This only impacts applications using REXML or JDOM as their XML processor. Other XML processors that Rails supports are not impacted.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
Use an XML parser that is not impacted by this problem, such as Nokogiri or LibXML. You can change the processor like this:

    ActiveSupport::XmlMini.backend = 'Nokogiri'

If you cannot change XML parsers, then adjust `RUBY_THREAD_MACHINE_STACK_SIZE`.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 4-2-xml_depth.patch - Patch for 4.2 series
* 4-1-xml_depth.patch - Patch for 4.1 series
* 3-2-xml_depth.patch - Patch for 3.2 series

Please note that only the 4.2.x and 4.1.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------
Thanks to Tomek Rabczak from the NCC Group, and Matthew Draper for reporting this issue.
bugbot adjusting priority
public
openSUSE:13.1 rubygem-activesupport-3_2
openSUSE:13.2 rubygem-activesupport-3_2
openSUSE:Factory rubygem-activesupport-4_2

in devel project:
devel:languages:ruby:extensions rubygem-activesupport-2_3
devel:languages:ruby:extensions rubygem-activesupport-3_2
devel:languages:ruby:extensions rubygem-activesupport-4_1
devel:languages:ruby:extensions rubygem-activesupport-4_2
activesupport 4.2.3 is already in Factory which contains the fix. The same for devel:languages:ruby:extensions
Created attachment 640104 [details]
test code

Run "ruby.ruby2.1 test2.rb". If the version has been patched, you'll get an error of type "The document is too deep (REXML::ParseException)". This is what you expect, since the default depth is 100. With the unpatched version, you won't get any error because there is no depth checking, which is what could cause the denial of service.
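As an added example (not the Rails fix itself and not the attached test2.rb), the following Ruby script shows the defensive pattern the advisory's xml_depth patches describe and the comment above observes: converting an XML tree into a hash with a depth budget that is decremented on every descent and aborts with a clear exception once it is exhausted, so an over-nested document fails fast at the XML processing layer instead of driving the interpreter into a `SystemStackError`. The names `DocumentTooDeep`, `nested_xml`, `element_to_hash`, `parse_with_depth_limit` and `classify` are assumptions made for this example, and the sample documents are constructed inline at small nesting depths.

```ruby
# Added example (not code from Rails or from the bug's attachment): a depth-limited
# XML-to-hash conversion in the spirit of the fix the advisory describes. The REXML
# tree is walked with a depth budget and the walk refuses to continue once the
# budget reaches zero, rather than recursing until the Ruby stack is exhausted.
require 'rexml/document'

# Assumed default limit; the bug comment reports 100 as the patched default.
DEFAULT_MAX_DEPTH = 100

# Raised when the nesting budget is exhausted.
class DocumentTooDeep < StandardError; end

# Constructed sample input: <root><n><n>...leaf...</n></n></root> with `levels`
# nested <n> elements below the root.
def nested_xml(levels)
  '<root>' + ('<n>' * levels) + 'leaf' + ('</n>' * levels) + '</root>'
end

# Convert an REXML element into a nested Hash. `depth` is the number of element
# levels still allowed, counting `element` itself; each child gets one less.
def element_to_hash(element, depth)
  raise DocumentTooDeep, 'The document is too deep' if depth <= 0

  hash = {}
  element.attributes.each { |name, value| hash[name] = value }

  if element.has_elements?
    element.each_element do |child|
      child_hash = element_to_hash(child, depth - 1)
      # Repeated child names are collected into an array instead of overwritten.
      existing = hash[child.name]
      hash[child.name] =
        if existing.nil?
          child_hash
        elsif existing.is_a?(Array)
          existing << child_hash
        else
          [existing, child_hash]
        end
    end
  else
    text = element.texts.map(&:value).join.strip
    hash['__content__'] = text unless text.empty?
  end
  hash
end

# Parse `xml` and convert it under `max_depth`. Returns the hash for an
# acceptable document and raises DocumentTooDeep for an over-nested one.
def parse_with_depth_limit(xml, max_depth = DEFAULT_MAX_DEPTH)
  root = REXML::Document.new(xml).root
  raise ArgumentError, 'document has no root element' unless root

  { root.name => element_to_hash(root, max_depth) }
end

# Returns :ok when the document converts within the limit, :too_deep otherwise.
def classify(xml, max_depth)
  parse_with_depth_limit(xml, max_depth)
  :ok
rescue DocumentTooDeep
  :too_deep
end

if __FILE__ == $PROGRAM_NAME
  # Six element levels (root plus five <n>) against limits of 10 and 3.
  puts classify(nested_xml(5), 10) # :ok
  puts classify(nested_xml(5), 3)  # :too_deep
end
```

The limit is enforced inside the conversion walk, which is where the unpatched code recursed without bound; that placement is also why the advisory's other workaround, pointing `ActiveSupport::XmlMini.backend` at a processor it lists as unaffected such as Nokogiri, removes the problem without touching application code.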
This is an autogenerated message for OBS integration:
This bug (934800) was mentioned in
https://build.opensuse.org/request/show/315482 13.2+13.1 / rubygem-activesupport-3_2
https://build.opensuse.org/request/show/315483 13.2+13.1 / rubygem-activesupport-3_2
https://build.opensuse.org/request/show/315484 13.2+13.1 / rubygem-activesupport-3_2
openSUSE-SU-2015:1279-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 934800
CVE References: CVE-2015-3227
Sources used:
openSUSE 13.2 (src): rubygem-activesupport-3_2-3.2.17-2.3.1
openSUSE 13.1 (src): rubygem-activesupport-3_2-3.2.13-3.17.1
*** Bug 934875 has been marked as a duplicate of this bug. ***
Sorry, I have wrongly marked another bug duplicate of this bug. Sorry for the inconvenience.
SUSE-SU-2016:0047-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 934800
CVE References: CVE-2015-3227
Sources used:
SUSE Webyast 1.3 (src): rubygem-activesupport-3_2-3.2.12-0.14.3
SUSE Studio Onsite 1.3 (src): rubygem-activesupport-3_2-3.2.12-0.14.3
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): rubygem-activesupport-3_2-3.2.12-0.14.3
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): rubygem-activesupport-3_2-3.2.12-0.14.3
SUSE Lifecycle Management Server 1.3 (src): rubygem-activesupport-3_2-3.2.12-0.14.3
Releasing rubygem-activesupport-4_1 for SUSE-CLOUD-5, closing
SUSE-SU-2016:0082-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 934799,934800
CVE References: CVE-2015-3226,CVE-2015-3227
Sources used:
SUSE OpenStack Cloud 5 (src): rubygem-activesupport-4_1-4.1.9-9.2