Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat,  6 Jun 2015 12:03:50 -0400 (EDT)
Subject: Re: CVE Request: bson-ruby DoS and possible injection

Hash: SHA1


As far as we can tell, this requires three CVE IDs because there were
three independent mistakes.

CVE-2015-4410 is for original 2012-01-23 implementation of legal?
using the ^[0-9a-f]{24}$ regular expression.

CVE-2015-4411 is for the bernerdschaefer 2012-04-17 commit in which
legal? began using the \A\h{24}\Z regular expression. The
mongo_ruby_regexp.html blog post describes this as "proper" but later
explains that it was problematic, in at least one context, because of
a minor DoS that would have been avoided if the correct \A\h{24}\z
(lowercase 'z') had been used instead.

CVE-2015-4412 is for the durran 2013-04-07 commit in which the
\A\h{24}\Z regular expression was changed to the ^[0-9a-f]{24}$
regular expression.

The copying of the original ^[0-9a-f]{24}$ mistake from Moped::BSON to
one or more other codebases doesn't require additional CVE IDs.

Similarly, the copying of the \A\h{24}\Z mistake or the second
^[0-9a-f]{24}$ mistake to one or more other codebases doesn't require
additional CVE IDs. (It's quite possible that no such copying ever

The claim in

  Regexp are just like cars - they should work as same and similar as
  it's possible. Breaking standard behavior by purpose and telling
  people "It's not a bug, it's a feature" looks so disgusting to me.
  It's not a feature, it's a vulnerability.

is not accepted as a Ruby vulnerability by the CVE project. There is
no CVE ID for the observation that Ruby regular-expression semantics
can be considered different from regular-expression semantics seen

If there are other products (that otherwise qualify for CVE IDs) with
incorrect and security-relevant uses of ^$ in Ruby code, then there
can be additional CVE IDs for each independent codebase. For example,
referring to the "Showcases time" section of the
saferweb-injects-in-various-ruby.html page, there can't be a CVE ID
for (because it could be site-specific code) but there
could be a CVE ID if the issue affected a 2012 version (if one
existed) of the GitHub Enterprise product.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ