XML denial of service vulnerability

Bug #1190491 reported by Christian Kuersteiner
Affects                  Status        Importance  Assigned to  Milestone
libopenid-ruby (Ubuntu)  Invalid       Undecided   Unassigned
  Lucid                  Fix Released  Medium      Unassigned
  Precise                Fix Released  Medium      Unassigned
  Quantal                Invalid       Undecided   Unassigned
  Raring                 Invalid       Undecided   Unassigned
  Saucy                  Invalid       Undecided   Unassigned
ruby-openid (Ubuntu)     Fix Released  Undecided   Unassigned
  Lucid                  Invalid       Undecided   Unassigned
  Precise                Invalid       Undecided   Unassigned
  Quantal                Fix Released  Medium      Unassigned
  Raring                 Fix Released  Undecided   Unassigned
  Saucy                  Fix Released  Undecided   Unassigned

Bug Description

libopenid-ruby is affected by an XML denial of service (Entity Expansion Attack / out of memory) attack.

See: https://github.com/openid/ruby-openid/pull/43

Patch:
https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed

information type: Private Security → Public Security
Changed in ruby-openid (Ubuntu Lucid):
status: New → Invalid
Changed in ruby-openid (Ubuntu Precise):
status: New → Invalid
Changed in ruby-openid (Ubuntu Raring):
status: New → Fix Released
Changed in ruby-openid (Ubuntu Saucy):
status: New → Fix Released
Changed in ruby-openid (Ubuntu Quantal):
importance: Undecided → Medium
status: New → Confirmed
Changed in libopenid-ruby (Ubuntu Lucid):
importance: Undecided → Medium
status: New → Confirmed
Changed in libopenid-ruby (Ubuntu Precise):
importance: Undecided → Medium
status: New → Confirmed
Changed in libopenid-ruby (Ubuntu Quantal):
status: New → Invalid
Changed in libopenid-ruby (Ubuntu Raring):
status: New → Invalid
Changed in libopenid-ruby (Ubuntu Saucy):
status: New → Invalid
Changed in libopenid-ruby (Ubuntu):
status: Invalid → Incomplete
Changed in ruby-openid (Ubuntu):
status: Fix Released → Incomplete
Changed in libopenid-ruby (Ubuntu Lucid):
status: Confirmed → Incomplete
Changed in ruby-openid (Ubuntu Lucid):
status: Invalid → Incomplete
Changed in libopenid-ruby (Ubuntu Precise):
status: Confirmed → Incomplete
Changed in ruby-openid (Ubuntu Precise):
status: Invalid → Incomplete
Changed in libopenid-ruby (Ubuntu Quantal):
status: Invalid → Incomplete
Changed in ruby-openid (Ubuntu Quantal):
status: Confirmed → Incomplete
Changed in libopenid-ruby (Ubuntu Raring):
status: Invalid → Incomplete
Changed in ruby-openid (Ubuntu Raring):
status: Fix Released → Incomplete
Changed in libopenid-ruby (Ubuntu Lucid):
status: Incomplete → Confirmed
Changed in libopenid-ruby (Ubuntu Precise):
status: Incomplete → Confirmed
Changed in libopenid-ruby (Ubuntu Quantal):
status: Incomplete → Invalid
Changed in libopenid-ruby (Ubuntu Raring):
status: Incomplete → Invalid
Changed in libopenid-ruby (Ubuntu Saucy):
status: Incomplete → Invalid
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in ruby-openid (Ubuntu Lucid):
status: Incomplete → Invalid
Changed in ruby-openid (Ubuntu Precise):
status: Incomplete → Invalid
Changed in ruby-openid (Ubuntu Quantal):
status: Incomplete → Confirmed
Changed in ruby-openid (Ubuntu Raring):
status: Incomplete → Fix Released
Changed in ruby-openid (Ubuntu Saucy):
status: Incomplete → Fix Released
Seth Arnold (seth-arnold) wrote :

What's the relationship between this bug and bug https://bugs.launchpad.net/bugs/1190179 ?

Christian Kuersteiner (ckuerste) wrote :

It's the same vulnerability. As far as I see the package got renamed/moved from libopenid-ruby to ruby-openid on Quantal. Since they are different packages I opened two bugs.

Christian Kuersteiner (ckuerste) wrote :

Lucid debdiff.

Tests done:
- Builds with pbuilder
- Can install and upgrade cleanly
- Tested with examples/rails_openid: creation of new identity and verifying via second instance worked without a problem.

Christian Kuersteiner (ckuerste) wrote :

Precise debdiff.

Tests done:
- Builds with pbuilder
- Can install and upgrade cleanly
- Tested with examples/rails_openid: creation of new identity worked without a problem. I could not start the second server with 'script/server --port=3001'. The application didn't understand the port part. The behaviour was the same for the patched and unpatched version.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libopenid-ruby - 2.1.8debian-1ubuntu0.1

---------------
libopenid-ruby (2.1.8debian-1ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: XML denial of service attack (LP: #1190491)
    - debian/patches/02_CVE_2013_1812.patch: lib/openid/fetchers.rb,
      lib/openid/yadis/xrds.rb: limit fetching file size & disable XML entity
      expansion. Based on upstream patch.
    - CVE-2013-1812
 -- Christian Kuersteiner <email address hidden> Mon, 24 Jun 2013 10:04:38 +0700
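The changelog above names two mitigations: capping the size of the fetched document and disabling XML entity expansion while it is parsed. The following is an added example written for this page, not the code from the ruby-openid patch or the Ubuntu package. It assumes REXML as the XRDS parser (the parser ruby-openid uses), a hypothetical MAX_XRDS_BYTES cap whose real value is not on the page, and two constructed XRDS samples: one plain, one whose internal DTD subset declares a short entity chain. The guarded parser rejects the chained document and oversized input; the unguarded contrast function shows the same document expanding quietly under REXML's default limits.

```ruby
require 'rexml/document'
require 'stringio'

# Assumed size cap for a fetched XRDS document (the package's real value is not on the page).
MAX_XRDS_BYTES = 64 * 1024

class XrdsTooLarge < StandardError; end
class XrdsXmlRejected < StandardError; end

# Constructed sample: a small, well-formed XRDS document with no DTD and no entity references.
SAFE_XRDS = <<~'XML'
  <?xml version="1.0" encoding="UTF-8"?>
  <XRDS xmlns="xri://$xrds">
    <XRD xmlns="xri://$xri*($v*2.0)">
      <Service priority="0">
        <Type>http://specs.openid.net/auth/2.0/signon</Type>
        <URI>https://op.example/endpoint</URI>
      </Service>
    </XRD>
  </XRDS>
XML

# Constructed sample: same shape, but the internal DTD subset declares a two-level
# entity chain so the 3-byte reference in <Type> expands to 100 bytes.
ENTITY_XRDS = <<~'XML'
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE XRDS [
    <!ENTITY a "aaaaaaaaaa">
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  ]>
  <XRDS xmlns="xri://$xrds">
    <XRD xmlns="xri://$xri*($v*2.0)">
      <Service><Type>&b;</Type></Service>
    </XRD>
  </XRDS>
XML

# Mitigation 1: read at most max_bytes and refuse longer input instead of buffering it all.
def read_bounded(io, max_bytes)
  data = io.read(max_bytes + 1) || ""
  raise XrdsTooLarge, "document exceeds #{max_bytes} bytes" if data.bytesize > max_bytes
  data
end

# Mitigation 2: with REXML's entity expansion limit at 0, the first expansion of a
# DTD-declared entity raises instead of growing the document. The limit is
# process-wide, so the previous value is restored afterwards.
def without_entity_expansion
  saved = REXML::Security.entity_expansion_limit
  REXML::Security.entity_expansion_limit = 0
  yield
ensure
  REXML::Security.entity_expansion_limit = saved
end

# REXML expands references in text nodes lazily (on Text#value), so every text node
# is touched inside the guard to surface a rejection here rather than in a caller.
def force_text_expansion(root)
  root.texts.each(&:value)
  root.each_recursive { |el| el.texts.each(&:value) }
end

# Guarded fetch-and-parse: returns a REXML::Document or raises one of the two errors above.
def parse_xrds(io, max_bytes: MAX_XRDS_BYTES)
  text = read_bounded(io, max_bytes)
  without_entity_expansion do
    doc = REXML::Document.new(text)
    force_text_expansion(doc.root) if doc.root
    doc
  end
rescue REXML::ParseException, RuntimeError => e
  # REXML reports "number of entity expansions exceeded" as a plain RuntimeError.
  raise XrdsXmlRejected, e.message
end

# Classification wrapper: :ok, :too_large or :xml_rejected.
def xrds_verdict(io, max_bytes: MAX_XRDS_BYTES)
  parse_xrds(io, max_bytes: max_bytes)
  :ok
rescue XrdsTooLarge
  :too_large
rescue XrdsXmlRejected
  :xml_rejected
end

# Contrast (the unmitigated behaviour): under REXML's default limits the chained
# entities expand quietly; returns the expanded length of the <Type> text.
def type_text_length_unguarded(text)
  doc = REXML::Document.new(text)
  type_el = nil
  doc.root.each_recursive { |el| type_el = el if el.name == "Type" }
  type_el.text.length
end

if $PROGRAM_NAME == __FILE__
  puts "safe:    #{xrds_verdict(StringIO.new(SAFE_XRDS))}"
  puts "chained: #{xrds_verdict(StringIO.new(ENTITY_XRDS))}"
  puts "unguarded expansion: #{type_text_length_unguarded(ENTITY_XRDS)} bytes"
end
```

The size cap is enforced before parsing starts, so an oversized response is never handed to REXML at all; the expansion limit is set around the parse only, because it is a process-wide setting and leaving it at 0 would break other XML consumers in the same process that legitimately use entities.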

Changed in libopenid-ruby (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libopenid-ruby - 2.1.7debian-1ubuntu0.1

---------------
libopenid-ruby (2.1.7debian-1ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: XML denial of service attack (LP: #1190491)
    - debian/patches/CVE-2013-1812.patch: lib/openid/fetchers.rb,
      lib/openid/yadis/xrds.rb: limit fetching file size & disable XML entity
      expansion. Based on upstream patch.
    - CVE-2013-1812
 -- Christian Kuersteiner <email address hidden> Thu, 20 Jun 2013 15:51:01 +0700

Changed in libopenid-ruby (Ubuntu Lucid):
status: Confirmed → Fix Released
Seth Arnold (seth-arnold) wrote :

Thanks Christian!

Christian Kuersteiner (ckuerste) wrote :

Quantal ruby-openid is already fixed through https://bugs.launchpad.net/ubuntu/+source/ruby-openid/+bug/1190179.

Changed in ruby-openid (Ubuntu Quantal):
status: Confirmed → Fix Released