Bug 963331 - (CVE-2016-0751) VUL-1: CVE-2016-0751: rubygem-actionpack: Object Leak DoS
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Audits
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Security Team bot
Whiteboard: CVSSv2:RedHat:CVE-2016-0751:4.3:(AV:N...
Depends on:
Blocks: 963626 963627
Reported: 2016-01-23 21:35 UTC by Andreas Stieger
Modified: 2017-09-11 16:04 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
5-0-mime_types_leak.patch (1.95 KB, patch) - 2016-01-23 21:36 UTC, Andreas Stieger
4-2-mime_types_leak.patch (1.94 KB, patch) - 2016-01-23 21:36 UTC, Andreas Stieger
4-1-mime_types_leak.patch (1.94 KB, patch) - 2016-01-23 21:36 UTC, Andreas Stieger
3-2-mime_types_leak.patch (2.08 KB, patch) - 2016-01-23 21:36 UTC, Andreas Stieger

Description Andreas Stieger 2016-01-23 21:35:50 UTC
EMBARGOED via distros
CRD: 2016-01-25

Possible Object Leak and Denial of Service attack in Action Pack

There is a possible object leak which can lead to a denial of service
vulnerability in Action Pack. This vulnerability has been
assigned the CVE identifier CVE-2016-0751.

Versions Affected:  All.
Not affected:       None.
Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1

Impact
------
A carefully crafted accept header can cause a global cache of mime types to
grow indefinitely which can lead to a possible denial of service attack in
Action Pack.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
This attack can be mitigated by a proxy that only allows known mime types in
the Accept header.

Placing the following code in an initializer will also mitigate the issue:

```ruby
require 'action_dispatch/http/mime_type'

# Replace the global lookup table with one whose default block builds a
# Mime::Type for an unknown key without storing it, so unrecognised media
# types taken from an Accept header are no longer retained in the cache.
Mime.const_set :LOOKUP, Hash.new { |h, k|
  Mime::Type.new(k) unless k.blank?
}
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 5-0-mime_types_leak.patch - Patch for 5.0 series
* 4-2-mime_types_leak.patch - Patch for 4.2 series
* 4-1-mime_types_leak.patch - Patch for 4.1 series
* 3-2-mime_types_leak.patch - Patch for 3.2 series

Please note that only the 4.1.x and 4.2.x series are supported at present. Users
of earlier unsupported releases are advised to upgrade as soon as possible as we
cannot guarantee the continued availability of security fixes for unsupported
releases.

Credits
-------
Aaron Patterson <3<3
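The growth mechanism in the advisory above, and the effect of the workaround, modelled as an added stand-alone Ruby example (not code from the advisory or from Rails): `MimeType`, `build_lookup`, `accept_types` and `cache_size_after` are constructed names, and the traffic is constructed inline. The cache is a `Hash` whose default block either memoizes every unseen key (unpatched behaviour) or returns a throwaway object without writing to the hash (the workaround), and the entry count after a batch of requests is what a regression check would assert on.

```ruby
# Stand-alone model of the global mime-type lookup cache described in the
# advisory. All names here are constructed for this example, not Rails APIs.
MimeType = Struct.new(:string)

# Media types registered up front, standing in for the types Rails ships.
KNOWN = %w[text/html application/json application/xml].freeze

# memoize: true  -> unpatched behaviour: every unknown type seen in an
#                   Accept header is stored in the global hash and kept.
# memoize: false -> the advisory's workaround: an unknown type yields a
#                   temporary object and nothing is written to the hash.
def build_lookup(memoize:)
  lookup = Hash.new do |h, k|
    next nil if k.nil? || k.strip.empty?
    type = MimeType.new(k)
    h[k] = type if memoize
    type
  end
  KNOWN.each { |t| lookup[t] = MimeType.new(t) }
  lookup
end

# Split an Accept header into bare media-type strings (quality params dropped).
def accept_types(header)
  header.split(",").map { |part| part.split(";").first.to_s.strip }.reject(&:empty?)
end

# Run each request's Accept header through the lookup, as content negotiation
# would, and report how many entries the cache holds afterwards.
def cache_size_after(headers, memoize:)
  lookup = build_lookup(memoize: memoize)
  headers.each { |hdr| accept_types(hdr).each { |t| lookup[t] } }
  lookup.size
end

if $PROGRAM_NAME == __FILE__
  # Constructed traffic: one ordinary request plus requests carrying distinct,
  # never-registered media types.
  headers = ["text/html, application/json;q=0.9"] +
            (1..1000).map { |i| "application/x-constructed-#{i}" }
  puts "unpatched cache entries:  #{cache_size_after(headers, memoize: true)}"  # 1003
  puts "workaround cache entries: #{cache_size_after(headers, memoize: false)}" # 3
end
```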
Comment 1 Andreas Stieger 2016-01-23 21:36:12 UTC
Created attachment 662985 [details]
5-0-mime_types_leak.patch
Comment 2 Andreas Stieger 2016-01-23 21:36:28 UTC
Created attachment 662986 [details]
4-2-mime_types_leak.patch
Comment 3 Andreas Stieger 2016-01-23 21:36:41 UTC
Created attachment 662987 [details]
4-1-mime_types_leak.patch
Comment 4 Andreas Stieger 2016-01-23 21:36:55 UTC
Created attachment 662988 [details]
3-2-mime_types_leak.patch
Comment 5 Swamp Workflow Management 2016-01-23 23:01:09 UTC
bugbot adjusting priority
Comment 6 Andreas Stieger 2016-01-26 07:22:21 UTC
public at http://seclists.org/oss-sec/2016/q1/202
Comment 7 Jordi Massaguer 2016-01-26 17:33:15 UTC

Package                   |Repo (Products)
------------------------------------------------------------------------------

rubygem-actionpack-4_2:    SUSE:SLE-12:Update (Portus build dependency)
rubygem-actionpack-4_1:    SUSE:SLE-11-SP3:Update:Cloud5:Test:Update (CLOUD5)
rubygem-actionpack-3_2:    SUSE:SLE-11-SP2:Update (SLMS, WEBYAST and STUDIO*)

Portus**:                  SUSE:SLE-12:Update 
Studio***:                 SUSE:SLE-11-SP2:Update


(*) rubygem-actionpack-3_2 rpm in studio is actually the webyast dependency. WebYast is installed on the studio onsite product and depends on that RPM. Studio also bundles the gem, but that is a different story.

(**) It is a build dependency for Portus, so we need to rebuild the package and release it.

(***) Studio bundles it, so the patches need to be ported and the rpm rebuilt.
Comment 8 Jordi Massaguer 2016-01-26 17:46:01 UTC
Portus and studio bugs

963626 963627
Comment 12 Bernhard Wiedemann 2016-01-27 16:00:24 UTC
This is an autogenerated message for OBS integration:
This bug (963331) was mentioned in
https://build.opensuse.org/request/show/356307 42.1 / rubygem-actionpack-4_2
Comment 13 Bernhard Wiedemann 2016-01-27 17:00:33 UTC
This is an autogenerated message for OBS integration:
This bug (963331) was mentioned in
https://build.opensuse.org/request/show/356315 13.2 / rubygem-actionpack-3_2
Comment 14 Jordi Massaguer 2016-01-28 09:04:04 UTC
All submissions have been done. Assigning to security team.
Comment 15 Swamp Workflow Management 2016-02-07 19:13:23 UTC
openSUSE-SU-2016:0363-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963330,963331,963332
CVE References: CVE-2015-7576,CVE-2015-7577,CVE-2016-0751,CVE-2016-0752
Sources used:
openSUSE 13.2 (src):    rubygem-actionpack-3_2-3.2.17-3.7.1, rubygem-activerecord-3_2-3.2.17-3.3.1, rubygem-activesupport-3_2-3.2.17-2.6.1
Comment 16 Swamp Workflow Management 2016-02-07 19:18:05 UTC
openSUSE-SU-2016:0372-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963330,963331,963332,963334,963335
CVE References: CVE-2015-7576,CVE-2015-7577,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752,CVE-2016-0753
Sources used:
openSUSE Leap 42.1 (src):    rubygem-actionpack-4_2-4.2.4-6.1, rubygem-actionview-4_2-4.2.4-6.1, rubygem-activemodel-4_2-4.2.4-6.1, rubygem-activerecord-4_2-4.2.4-6.1, rubygem-activesupport-4_2-4.2.4-6.1
Comment 17 Swamp Workflow Management 2016-02-15 17:12:51 UTC
SUSE-SU-2016:0457-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963331,963332,963335
CVE References: CVE-2015-7576,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752
Sources used:
SUSE Enterprise Storage 2.1 (src):    rubygem-actionpack-4_2-4.2.2-6.1
Comment 18 Swamp Workflow Management 2016-03-01 17:15:08 UTC
SUSE-SU-2016:0618-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963331,963332
CVE References: CVE-2015-7576,CVE-2016-0751,CVE-2016-0752
Sources used:
SUSE Webyast 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.23.1
SUSE Studio Onsite 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.23.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    rubygem-actionpack-3_2-3.2.12-0.23.1
SUSE Lifecycle Management Server 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.23.1
Comment 19 Marcus Meissner 2016-03-22 15:47:47 UTC
released
Comment 20 Swamp Workflow Management 2016-03-22 20:09:00 UTC
SUSE-SU-2016:0858-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963331,963332,963335
CVE References: CVE-2015-7576,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752
Sources used:
SUSE OpenStack Cloud 5 (src):    rubygem-actionpack-4_1-4.1.9-9.1