Bug 963335 - (CVE-2015-7581) VUL-0: CVE-2015-7581: rubygem-actionpack: unbounded memory growth DoS via wildcard controller routes
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
CVSSv2:SUSE:CVE-2015-7581:4.3:(AV:N/A...
Depends on:
Blocks: 963624 963625
Reported: 2016-01-23 22:13 UTC by Andreas Stieger
Modified: 2017-09-11 16:05 UTC (History)

Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
4-2-wildcard_route.patch (1.71 KB, patch) - 2016-01-23 22:14 UTC, Andreas Stieger
4-1-wildcard_route.patch (1.77 KB, patch) - 2016-01-23 22:14 UTC, Andreas Stieger

Description Andreas Stieger 2016-01-23 22:13:40 UTC
EMBARGOED via distros
CRD: 2016-01-25

Object leak vulnerability for wildcard controller routes in Action Pack

There is an object leak vulnerability for wildcard controllers in Action Pack.
This vulnerability has been assigned the CVE identifier CVE-2015-7581.

Versions Affected:  >= 4.0.0 and < 5.0.0.beta1
Not affected:       < 4.0.0, 5.0.0.beta1 and newer
Fixed Versions:     4.2.5.1, 4.1.14.1

Impact
------
Users that have a route that contains the string ":controller" are susceptible
to objects being leaked globally which can lead to unbounded memory growth.
To identify if your application is vulnerable, look for routes that contain
":controller".

Internally, Action Pack keeps a map of "url controller name" to "controller
class name".  This map is cached globally, and is populated even if the
controller class doesn't actually exist.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset.

* 4-1-wildcard_route.patch - Patch for 4.1 series
* 4-2-wildcard_route.patch - Patch for 4.2 series

Please note that only the 4.1.x and 4.2.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
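As an added illustration that is not part of the bug report, the advisory, or Action Pack's own code, the following Ruby models the lookup the advisory describes: a process-global map from the ":controller" URL segment to a controller class name, filled before anyone checks whether that class exists. Because the map key is the raw segment from the request, every distinct value a client sends adds an entry, so a crawler hitting a "/:controller/:action" route with fresh segment names grows the process without bound. The hardened variant simply does not memoise on attacker-controlled input. The names camelize, constantize, VulnerableResolver, FixedResolver, UsersController and simulate_requests are assumptions made for this example; camelize and constantize are simplified stand-ins for the ActiveSupport helpers, not the real ones.

```ruby
# Added illustration (not Action Pack's code): a minimal model of the
# ":controller" -> class-name lookup that CVE-2015-7581 describes.

# Simplified stand-in for ActiveSupport's String#camelize
# ("admin/user_roles" -> "Admin::UserRoles").
def camelize(str)
  str.split('/').map { |part| part.split('_').map(&:capitalize).join }.join('::')
end

# Simplified stand-in for ActiveSupport::Dependencies.constantize:
# resolve "Admin::UsersController" to a constant or raise NameError.
def constantize(name)
  name.split('::').inject(Object) { |scope, const| scope.const_get(const, false) }
end

# Hypothetical application controller that does exist.
class UsersController; end

# Vulnerable lookup: the class name is memoised in a per-process Hash keyed
# on the raw :controller segment BEFORE the class is known to exist, so a
# request for a bogus controller still leaves an entry behind.
class VulnerableResolver
  def initialize
    @controller_class_names = {}   # lives as long as the process, never pruned
  end

  def controller_reference(controller_param)
    const_name = @controller_class_names[controller_param] ||= "#{camelize(controller_param)}Controller"
    constantize(const_name)
  end

  def cache_size
    @controller_class_names.size
  end
end

# Hardened lookup: build the name each time and let constantize decide;
# nothing keyed on client input is retained across requests.
class FixedResolver
  def controller_reference(controller_param)
    constantize("#{camelize(controller_param)}Controller")
  end

  def cache_size
    0
  end
end

# Drive a resolver with `count` requests to a "/:controller/:action" style
# route, each carrying a different, non-existent controller segment, the
# way a client probing the wildcard route would. Returns the number of
# cache entries left behind (constructed traffic, not a captured log).
def simulate_requests(resolver, count)
  count.times do |i|
    begin
      resolver.controller_reference("bogus_#{i}")   # no such class anywhere
    rescue NameError
      # Action Pack would answer 404 here; any cache entry already written stays.
    end
  end
  resolver.cache_size
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable cache entries after 10_000 requests: #{simulate_requests(VulnerableResolver.new, 10_000)}"
  puts "fixed cache entries after 10_000 requests:      #{simulate_requests(FixedResolver.new, 10_000)}"
  puts "existing controller still resolves:             #{FixedResolver.new.controller_reference('users')}"
end
```

Run it with `ruby wildcard_route_demo.rb`: the vulnerable resolver reports one retained entry per distinct bogus segment (10_000 after 10_000 requests), the hardened one reports 0, and a real controller still resolves through both. The same property is what a practitioner would check in an application: memory that scales with the number of distinct ":controller" values seen, rather than with the number of controllers that exist.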
Comment 1 Andreas Stieger 2016-01-23 22:14:00 UTC
Created attachment 662996 [details]
4-2-wildcard_route.patch
Comment 2 Andreas Stieger 2016-01-23 22:14:14 UTC
Created attachment 662997 [details]
4-1-wildcard_route.patch
Comment 3 Swamp Workflow Management 2016-01-23 23:01:36 UTC
bugbot adjusting priority
Comment 4 Andreas Stieger 2016-01-26 07:31:37 UTC
public via http://seclists.org/oss-sec/2016/q1/209
Comment 5 Jordi Massaguer 2016-01-26 17:32:54 UTC
to sum up, we need to update:

Package                   |Repo (Products)
------------------------------------------------------------------------------

rubygem-actionpack-4_2:    SUSE:SLE-12:Update (Portus build dependency)
rubygem-actionpack-4_1:    SUSE:SLE-11-SP3:Update:Cloud5:Test:Update (CLOUD5)
rubygem-actionpack-3_2:    SUSE:SLE-11-SP2:Update (SLMS, WEBYAST and STUDIO*)

Portus**:                  SUSE:SLE-12:Update 
Studio***:                 SUSE:SLE-11-SP2:Update


(*) rubygem-actionpack-3_2 rpm in studio is actually the webyast dependency. WebYast is installed on the studio onsite product and depends on that RPM. Studio also bundles the gem, but that is a different story.

(**) It is a build dependency for Portus, so we need to rebuild the package and release it.

(***) Studio it, so the patches need to be ported and the rpm rebuilt.
Comment 6 Jordi Massaguer 2016-01-26 17:34:24 UTC
Sorry I misread the first comment, the rpms that need to be updated are:

Package                   |Repo (Products)
------------------------------------------------------------------------------

rubygem-actionpack-4_2:    SUSE:SLE-12:Update (Portus build dependency)
rubygem-actionpack-4_1:    SUSE:SLE-11-SP3:Update:Cloud5:Test:Update (CLOUD5)

Portus**:                  SUSE:SLE-12:Update 


(**) It is a build dependency for Portus, so we need to rebuild the package and release it.
Comment 7 Jordi Massaguer 2016-01-26 17:45:44 UTC
Portus and studio bugs

963624 963625
Comment 11 Bernhard Wiedemann 2016-01-27 16:00:35 UTC
This is an autogenerated message for OBS integration:
This bug (963335) was mentioned in
https://build.opensuse.org/request/show/356307 42.1 / rubygem-actionpack-4_2
Comment 12 Jordi Massaguer 2016-01-28 09:10:20 UTC
All submissions done. Assigning to security-team.
Comment 13 Swamp Workflow Management 2016-02-07 19:18:39 UTC
openSUSE-SU-2016:0372-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963330,963331,963332,963334,963335
CVE References: CVE-2015-7576,CVE-2015-7577,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752,CVE-2016-0753
Sources used:
openSUSE Leap 42.1 (src):    rubygem-actionpack-4_2-4.2.4-6.1, rubygem-actionview-4_2-4.2.4-6.1, rubygem-activemodel-4_2-4.2.4-6.1, rubygem-activerecord-4_2-4.2.4-6.1, rubygem-activesupport-4_2-4.2.4-6.1
Comment 14 Swamp Workflow Management 2016-02-15 17:13:12 UTC
SUSE-SU-2016:0457-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963331,963332,963335
CVE References: CVE-2015-7576,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752
Sources used:
SUSE Enterprise Storage 2.1 (src):    rubygem-actionpack-4_2-4.2.2-6.1
Comment 15 Marcus Meissner 2016-03-22 15:48:15 UTC
released
Comment 16 Swamp Workflow Management 2016-03-22 20:09:21 UTC
SUSE-SU-2016:0858-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963331,963332,963335
CVE References: CVE-2015-7576,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752
Sources used:
SUSE OpenStack Cloud 5 (src):    rubygem-actionpack-4_1-4.1.9-9.1