[Secure-testing-team] Bug#787951: ruby-bson: CVE-2015-4410: DoS and possible injection
Salvatore Bonaccorso
carnil at debian.org
Sat Jun 6 19:50:28 UTC 2015
Source: ruby-bson
Version: 1.10.0-1
Severity: important
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for ruby-bson.
CVE-2015-4410[0]:
DoS and possible injection
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-4410
[1] http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
[2] http://www.openwall.com/lists/oss-security/2015/06/06/3
It can be checked e.g. via:
$ cat CVE-2015-4410.rb
require 'bson'
b=BSON::ObjectId
raise "DoS!" if b.legal? "a"*24+"\n"
raise "Injection!" if b.legal? "a"*24+"\na"
$ BSON_EXT_DISABLED=1 ruby CVE-2015-4410.rb
** Notice: The native BSON extension was not loaded. **
For optimal performance, use of the BSON extension is recommended.
To enable the extension make sure ENV['BSON_EXT_DISABLED'] is not set
and run the following command:
gem install bson_ext
If you continue to receive this message after installing, make sure that
the bson_ext gem is in your load path.
CVE-2015-4410.rb:3:in `<main>': DoS! (RuntimeError)
Regards,
Salvatore
More information about the Secure-testing-team
mailing list