Bug 201061

Summary: security/vuxml: document devel/rubygem-bson CVE-2015-4412 in already fixed port
Product: Ports & Packages Reporter: Jason Unovitch <junovitch>
Component: Individual Port(s)Assignee: freebsd-ports-bugs (Nobody) <ports-bugs>
Status: Closed FIXED    
Severity: Affects Some People CC: delphij, ports-secteam, ruby
Priority: ---    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
security/vuxml entry for CVE-2015-4412 in devel/rubygem-bson none

Description Jason Unovitch freebsd_committer freebsd_triage 2015-06-22 23:39:38 UTC 
Created attachment 157999 [details]
security/vuxml entry for CVE-2015-4412 in devel/rubygem-bson

I observed this on the oss-security mailing list.  sunpoet@ had already updated the port at the time.  Play catch up now with documentation of the issue.

My only comment up front is Mitre assigned 3 CVE's in the email but only one of them is in the rubygem-bson repository.  That is CVE-2015-4412.  My research shows the other issues are in other code bases and as such I have not documented it in the attached patch.

== Research details:

Per Mitre:
"CVE-2015-4412 is for the durran 2013-04-07 commit in which the
\A\h{24}\Z regular expression was changed to the ^[0-9a-f]{24}$
regular expression."

I confirmed that was introduced here:
https://github.com/mongodb/bson-ruby/commit/21141c78d99f23d5f34d32010557ef19d0f77203

The other two CVE's are not in the rubygem-bson repository.  The rubygem-bson git repository starts at 2012-09-14 .  The Mitre cve-assignment documents these for bugs introduced on 2012-01-23 and 2012-04-17.  Red Hat, for example, is documenting these as being for rubygem-moped which is not in FreeBSD ports.

https://access.redhat.com/security/cve/CVE-2015-4410
https://access.redhat.com/security/cve/CVE-2015-4411

== VALIDATION:

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit rubygem-bson-3.0.3
rubygem-bson-3.0.3 is vulnerable:
rubygem-bson -- DoS and possible injection
CVE: CVE-2015-4412
WWW: https://vuxml.FreeBSD.org/freebsd/f5225b23-192d-11e5-a1cf-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit rubygem-bson-3.0.4
0 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit rubygem-bson-3.1.0
0 problem(s) in the installed packages found.
Comment 1 commit-hook freebsd_committer freebsd_triage 2015-06-23 00:14:25 UTC 
A commit references this bug:

Author: delphij
Date: Tue Jun 23 00:13:59 UTC 2015
New revision: 390347
URL: https://svnweb.freebsd.org/changeset/ports/390347

Log:
  Document rubygem-bson DoS and possible injection vulnerability.

  PR:		201061
  Submitted by:	Jason Unovitch

Changes:
  head/security/vuxml/vuln.xml
Comment 2 Xin LI freebsd_committer freebsd_triage 2015-06-23 00:14:51 UTC 
Committed, thanks!