Fix CVE-2013-4287, remove regexp backtracking

drbrain · drbrain · commit ed733bc379d7 · 2013-09-09T16:10:33.000-07:00
The Gem::Version regexp used backtracking to validate gem versions. This could cause excessive CPU usage when creating Gem::Version objects including when packaging gems. See CVE-2013-4287.txt (in this commit) for details. Fixes #626
diff --git a/CVE-2013-4287.txt b/CVE-2013-4287.txt
@@ -0,0 +1,36 @@
+= Algorithmic complexity vulnerability in RubyGems 2.0.7 and older
+
+RubyGems validates versions with a regular expression that is vulnerable to
+denial of service due to a backtracking regular expression.  For specially
+crafted RubyGems versions attackers can cause denial of service through CPU
+consumption.
+
+RubyGems versions 2.0.7 and older, 2.1.0.rc.1 and 2.1.0.rc.2 are vulnerable.
+
+Ruby versions 1.9.0 through 2.0.0p247 are vulnerable as they contain embedded
+versions of RubyGems.
+
+It does not appear to be possible to exploit this vulnerability by installing a
+gem for RubyGems 1.8.x or 2.0.x.  Vulnerable uses of RubyGems API include
+packaging a gem (through `gem build`, Gem::Package or Gem::PackageTask),
+sending user input to Gem::Version.new, Gem::Version.correct? or use of the
+Gem::Version::VERSION_PATTERN or Gem::Version::ANCHORED_VERSION_PATTERN
+constants.
+
+Notably, users of bundler that install gems from git are vulnerable if a
+malicious author changes the gemspec to an invalid version.
+
+The vulnerability can be fixed by changing the first grouping to an atomic
+grouping in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb.  For
+RubyGems 2.0.x:
+
+  -  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
+  +  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
+
+For RubyGems 1.8.x:
+
+  -  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc:
+  +  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
+
+This vulnerability was discovered by Damir Sharipov <dammer2k@gmail.com>
+
diff --git a/History.txt b/History.txt
@@ -2,6 +2,13 @@
 
 === 1.8.26
 
+Security fixes:
+
+* RubyGems 2.0.7 and earlier are vulnerable to excessive CPU usage due to a
+  backtracking in Gem::Version validation.  See CVE-2013-4287 for full details
+  including vulnerable APIs.  Fixed versions include 2.0.8, 1.8.26 and
+  1.8.23.1 (for Ruby 1.9.3).  Issue #626 by Damir Sharipov.
+
 Bug fixes:
 
 * Fixed editing of a Makefile with 8-bit characters.  Fixes #181
diff --git a/Manifest.txt b/Manifest.txt
@@ -1,5 +1,6 @@
 .autotest
 .document
+CVE-2013-4287.txt
 History.txt
 LICENSE.txt
 MIT.txt
diff --git a/Rakefile b/Rakefile
@@ -53,7 +53,9 @@ hoe = Hoe.spec 'rubygems-update' do
   extra_dev_deps << ['rcov', '~> 0.9.0']
   extra_dev_deps << ['ZenTest', '~> 4.5']
 
-  self.extra_rdoc_files = Dir["*.rdoc"]
+  self.extra_rdoc_files = Dir["*.rdoc"] + %w[
+    CVE-2013-4287.txt
+  ]
 
   spec_extras['rdoc_options'] = proc do |rdoc_options|
     rdoc_options << "--title=RubyGems #{self.version} Documentation"
diff --git a/lib/rubygems/version.rb b/lib/rubygems/version.rb
@@ -145,7 +145,7 @@ class Gem::Version
 
   include Comparable
 
-  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc:
+  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
   ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
 
   ##
