201061 – security/vuxml: document devel/rubygem-bson CVE-2015-4412 in already fixed port

Bug 201061 - security/vuxml: document devel/rubygem-bson CVE-2015-4412 in already fixed port

Summary: security/vuxml: document devel/rubygem-bson CVE-2015-4412 in already fixed port

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	freebsd-ports-bugs (Nobody)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2015-06-22 23:39 UTC by Jason Unovitch
Modified:	2015-06-23 00:14 UTC (History)
CC List:	3 users (show)

See Also:

Attachments
security/vuxml entry for CVE-2015-4412 in devel/rubygem-bson (1.47 KB, patch) 2015-06-22 23:39 UTC, Jason Unovitch	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jason Unovitch freebsd_committer

2015-06-22 23:39:38 UTC

Created attachment 157999 [details]
security/vuxml entry for CVE-2015-4412 in devel/rubygem-bson

I observed this on the oss-security mailing list.  sunpoet@ had already updated the port at the time.  Play catch up now with documentation of the issue.

My only comment up front is Mitre assigned 3 CVE's in the email but only one of them is in the rubygem-bson repository.  That is CVE-2015-4412.  My research shows the other issues are in other code bases and as such I have not documented it in the attached patch.

== Research details:

Per Mitre:
"CVE-2015-4412 is for the durran 2013-04-07 commit in which the
\A\h{24}\Z regular expression was changed to the ^[0-9a-f]{24}$
regular expression."

I confirmed that was introduced here:
https://github.com/mongodb/bson-ruby/commit/21141c78d99f23d5f34d32010557ef19d0f77203

The other two CVE's are not in the rubygem-bson repository.  The rubygem-bson git repository starts at 2012-09-14 .  The Mitre cve-assignment documents these for bugs introduced on 2012-01-23 and 2012-04-17.  Red Hat, for example, is documenting these as being for rubygem-moped which is not in FreeBSD ports.

https://access.redhat.com/security/cve/CVE-2015-4410
https://access.redhat.com/security/cve/CVE-2015-4411

== VALIDATION:

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit rubygem-bson-3.0.3
rubygem-bson-3.0.3 is vulnerable:
rubygem-bson -- DoS and possible injection
CVE: CVE-2015-4412
WWW: https://vuxml.FreeBSD.org/freebsd/f5225b23-192d-11e5-a1cf-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit rubygem-bson-3.0.4
0 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit rubygem-bson-3.1.0
0 problem(s) in the installed packages found.

Comment 1 commit-hook freebsd_committer

2015-06-23 00:14:25 UTC

A commit references this bug:

Author: delphij
Date: Tue Jun 23 00:13:59 UTC 2015
New revision: 390347
URL: https://svnweb.freebsd.org/changeset/ports/390347

Log:
  Document rubygem-bson DoS and possible injection vulnerability.

  PR:		201061
  Submitted by:	Jason Unovitch

Changes:
  head/security/vuxml/vuln.xml

Comment 2 Xin LI freebsd_committer

2015-06-23 00:14:51 UTC

Committed, thanks!