ruby-bson: CVE-2015-4410: DoS and possible injection

Debian Bug report logs - #787951


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 6 Jun 2015 19:54:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version ruby-bson/1.10.0-1

Fixed in versions ruby-bson/1.10.0-2, ruby-bson/1.10.0-1+deb8u1

Done: Prach Pongpanich <prachpub@gmail.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#787951; Package src:ruby-bson. (Sat, 06 Jun 2015 19:54:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 06 Jun 2015 19:54:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-bson: CVE-2015-4410: DoS and possible injection
Date: Sat, 06 Jun 2015 21:50:28 +0200
Source: ruby-bson
Version: 1.10.0-1
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for ruby-bson.

CVE-2015-4410[0]:
DoS and possible injection

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-4410
[1] http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
[2] http://www.openwall.com/lists/oss-security/2015/06/06/3

It can be checked e.g. via:

$ cat CVE-2015-4410.rb
require 'bson'
b=BSON::ObjectId
raise "DoS!" if b.legal? "a"*24+"\n"
raise "Injection!" if b.legal? "a"*24+"\na"
$ BSON_EXT_DISABLED=1 ruby CVE-2015-4410.rb
      ** Notice: The native BSON extension was not loaded. **

      For optimal performance, use of the BSON extension is recommended.

      To enable the extension make sure ENV['BSON_EXT_DISABLED'] is not set
      and run the following command:

        gem install bson_ext

      If you continue to receive this message after installing, make sure that
      the bson_ext gem is in your load path.
CVE-2015-4410.rb:3:in `<main>': DoS! (RuntimeError)

Regards,
Salvatore
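
The PoC above passes because, in Ruby regular expressions, `^` and `$` match at the start and end of any line, not of the whole string, so a 24-hex-character prefix followed by a newline (and anything after it) satisfies a line-anchored ObjectId check. The following is an added example, not code from ruby-bson or from the bug report: it reimplements the validity check in three forms with hypothetical method names (`legal_line_anchored?`, `legal_Z_anchored?`, `legal_string_anchored?`), assuming the affected gem's check behaves like the line-anchored form, and runs them over inputs constructed to match the shapes in the PoC. It also shows the `\Z` pitfall, which still admits a single trailing newline, so the correct fix is `\A ... \z`.

```ruby
# Added example (hypothetical reimplementation, not ruby-bson's code):
# three ways to anchor an ObjectId validity regex and what each accepts.

# Line-anchored (assumed to match the vulnerable behaviour): ^ and $ bind
# to line boundaries, so "aaaa...\n<anything>" passes the check.
def legal_line_anchored?(str)
  str.to_s =~ /^[0-9a-f]{24}$/i ? true : false
end

# \Z pitfall: \A fixes the leading side, but \Z still matches just before
# a final "\n", so the single-trailing-newline (DoS) input is still accepted.
def legal_Z_anchored?(str)
  str.to_s =~ /\A[0-9a-f]{24}\Z/i ? true : false
end

# Hardened form: \A and \z anchor to the start and end of the whole string,
# so embedded newlines and any trailing bytes are rejected.
def legal_string_anchored?(str)
  str.to_s =~ /\A[0-9a-f]{24}\z/i ? true : false
end

# Whatever a caller does after a passing check (slicing 2-char hex pairs,
# pack("H*"), ...), these are the bytes that were smuggled past it.
def smuggled_tail(str)
  str.to_s[24..-1]
end

# Constructed inputs mirroring the bug report's PoC, plus a few controls.
VALID_OID    = "a" * 24
DOS_INPUT    = "a" * 24 + "\n"     # PoC "DoS!" case
INJECT_INPUT = "a" * 24 + "\na"    # PoC "Injection!" case
LEADING_NL   = "\n" + "a" * 24     # ^ also matches after a newline
SHORT_INPUT  = "a" * 23
NONHEX_INPUT = "g" * 24

def classify(str)
  {
    line_anchored:   legal_line_anchored?(str),
    z_anchored:      legal_Z_anchored?(str),
    string_anchored: legal_string_anchored?(str),
    tail:            smuggled_tail(str),
  }
end

if __FILE__ == $0
  [VALID_OID, DOS_INPUT, INJECT_INPUT, LEADING_NL, SHORT_INPUT, NONHEX_INPUT].each do |s|
    r = classify(s)
    puts "#{s.inspect.ljust(30)} ^..$=#{r[:line_anchored]} \\A..\\Z=#{r[:z_anchored]} " \
         "\\A..\\z=#{r[:string_anchored]} tail=#{r[:tail].inspect}"
  end
end
```

Only the `\A ... \z` form rejects every constructed input except the plain 24-hex-character string; the same line-anchor mistake applies to any `^...$` validation in Ruby, so it is worth grepping an application for `=~ /^` on attacker-controlled input.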



Reply sent to Prach Pongpanich <prachpub@gmail.com>:
You have taken responsibility. (Sun, 15 Nov 2015 07:12:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 15 Nov 2015 07:12:05 GMT)


Message #10 received at 787951-close@bugs.debian.org:

From: Prach Pongpanich <prachpub@gmail.com>
To: 787951-close@bugs.debian.org
Subject: Bug#787951: fixed in ruby-bson 1.10.0-2
Date: Sun, 15 Nov 2015 07:08:13 +0000
Source: ruby-bson
Source-Version: 1.10.0-2

We believe that the bug you reported is fixed in the latest version of
ruby-bson, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 787951@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Prach Pongpanich <prachpub@gmail.com> (supplier of updated ruby-bson package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 15 Nov 2015 12:15:48 +0700
Source: ruby-bson
Binary: ruby-bson
Architecture: source all
Version: 1.10.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Prach Pongpanich <prachpub@gmail.com>
Description:
 ruby-bson  - Ruby implementation of BSON
Closes: 787951
Changes:
 ruby-bson (1.10.0-2) unstable; urgency=medium
 .
   * Fix CVE-2015-4410: DoS and possible injection (Closes: #787951)
Checksums-Sha1:
 0410e1ddeca962f523ea29912555bf513cfbfa69 2088 ruby-bson_1.10.0-2.dsc
 1b328cb9409252a92bef19068b5e90e804c6d116 5740 ruby-bson_1.10.0-2.debian.tar.xz
 930e62cc900daaf9dab1ff9fc96ee8623a63fba0 19042 ruby-bson_1.10.0-2_all.deb
Checksums-Sha256:
 979c592fbe617cc6bf0220a107f825b7a653543157177d21eb41d3c9b92f2d88 2088 ruby-bson_1.10.0-2.dsc
 70329b057f2829c54af6b76686a33f8fef9ae36c09a72835dfa46ce69231244c 5740 ruby-bson_1.10.0-2.debian.tar.xz
 fcf3b762c004df94da2a2c757f6e9a6c4d922aa459b6b24a8aa2739f632599cf 19042 ruby-bson_1.10.0-2_all.deb
Files:
 0eae913f6110c4d281d0908d7d2b11d2 2088 ruby optional ruby-bson_1.10.0-2.dsc
 22892664d76e4176e7e6454c3eb81541 5740 ruby optional ruby-bson_1.10.0-2.debian.tar.xz
 a67cd62778dbc195ded5aed51b6eaef7 19042 ruby optional ruby-bson_1.10.0-2_all.deb





Reply sent to Prach Pongpanich <prachpub@gmail.com>:
You have taken responsibility. (Thu, 19 Nov 2015 19:57:16 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 19 Nov 2015 19:57:16 GMT)


Message #15 received at 787951-close@bugs.debian.org:

From: Prach Pongpanich <prachpub@gmail.com>
To: 787951-close@bugs.debian.org
Subject: Bug#787951: fixed in ruby-bson 1.10.0-1+deb8u1
Date: Thu, 19 Nov 2015 19:56:24 +0000
Source: ruby-bson
Source-Version: 1.10.0-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
ruby-bson, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 787951@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Prach Pongpanich <prachpub@gmail.com> (supplier of updated ruby-bson package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 16 Nov 2015 08:55:51 +0700
Source: ruby-bson
Binary: ruby-bson
Architecture: source all
Version: 1.10.0-1+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Prach Pongpanich <prachpub@gmail.com>
Description:
 ruby-bson  - Ruby implementation of BSON
Closes: 787951
Changes:
 ruby-bson (1.10.0-1+deb8u1) jessie; urgency=medium
 .
   * Fix CVE-2015-4410: DoS and possible injection (Closes: #787951)
Checksums-Sha1:
 9be404d221f11586f4682d94eab11d0f45145ebd 2116 ruby-bson_1.10.0-1+deb8u1.dsc
 74bc5c0983a2acfd449b0c5237aeeccfa5332780 5808 ruby-bson_1.10.0-1+deb8u1.debian.tar.xz
 1da992e9c15b001455f3d24beafd7d8b377ebb1c 19120 ruby-bson_1.10.0-1+deb8u1_all.deb
Checksums-Sha256:
 81188758e096bd789bda902ca9aa095260fe0382cd4a1d4dcb0c6f020a9adf70 2116 ruby-bson_1.10.0-1+deb8u1.dsc
 d15f801c5885ca21718d9f58f382bc582c664f732f8d6a26afc2484a90cfac99 5808 ruby-bson_1.10.0-1+deb8u1.debian.tar.xz
 dd496fedd22a733ad3708666a724f8a8595e08a0c53139dc3e4397e14fb3baf9 19120 ruby-bson_1.10.0-1+deb8u1_all.deb
Files:
 80337bd3f74f104a7e726f0e513346dd 2116 ruby optional ruby-bson_1.10.0-1+deb8u1.dsc
 9450023eea7097a0ca87ea87526445b3 5808 ruby optional ruby-bson_1.10.0-1+deb8u1.debian.tar.xz
 a469aeae6f58a4a8b72aaf7a56332297 19120 ruby optional ruby-bson_1.10.0-1+deb8u1_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 18 Dec 2015 07:28:11 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:30:11 2019; Machine Name: beach
