FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

ruby-gems -- Algorithmic Complexity Vulnerability

Affected packages
ruby19-gems < 1.8.27
ruby20-gems < 1.8.27

Details

VuXML ID 742eb9e4-e3cb-4f5a-b94e-0e9a39420600
Discovery 2013-09-24
Entry 2013-11-24

Ruby Gem developers report:

The patch for CVE-2013-4363 was insufficiently verified so the combined regular expression for verifying gem version remains vulnerable following CVE-2013-4363.

RubyGems validates versions with a regular expression that is vulnerable to denial of service due to backtracking. For specially crafted RubyGems versions attackers can cause denial of service through CPU consumption.

References

CVE Name CVE-2013-4363