Add advisory for bindata

Question

Add advisory for bindata

kuahyeow opened this issue 4 years ago · 7 comments

Potential DoS (combined with constantized - see https://blog.presidentbeef.com/blog/2020/09/14/another-reason-to-avoid-constantize-in-rails/ for background) which was fixed in dmendel/bindata@d99f050 as part of bindata 2.4.10

No CVE yet

Answer 1 · 2021-06-01T22:29:49.000Z

@kuahyeow are you associated with the bindata project? If so, you can request a CVE via the GitHub Security Advisory process. Otherwise, I can ask GitHub to assign a CVE.

Answer 2 · 2021-06-01T23:41:24.000Z

@reedloden No, I am not associated with the bindata project. (For transparency, I am part of the GitLab team that found and reported this issue to the bindata mantainer - see also https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/#update-bindata-dependency)

Otherwise, I can ask GitHub to assign a CVE.

Yes, that will be good, thanks!

Answer 3 · 2021-06-16T15:41:53.000Z

Hello, I am with the GitHub Security Lab team. We are evaluating this to see if assigning a CVE makes sense CC @reedloden . Can someone articulate the security impact more clearly? The linked blog article discusses the use of constantize creates a memory leak, but in the linked commit there is not any code change involving constantize.

Is the "Potential DoS" simply due to the previous implementation being inneficient?

CC @kuahyeow could we get just a bit more details?

Answer 4 · 2021-06-21T21:20:29.000Z

Hello @rschultheis, thanks for reaching out.

I think since this is public information, I can expand on the details. The issue is that it was extremely slow for certain classes in BinData to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>

So this, in combination with <user_input>.constantize means we have a (slow) CPU-based DoS. Note this is not an issue with BinData gem by itself - attacker needs to find a place where user input is used with constantize in the application.

Does this make sense ?

Answer 5 · 2021-06-23T23:43:32.000Z

@kuahyeow yes that makes sense thanks. I've gone ahead and submited CVE-2021-32823 for this advisory with a CVSS of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L / low.

We have also published GHSA-hj56-84jw-67h6 for this.

Answer 6 · 2021-06-24T00:01:56.000Z

Also I made this PR to add this advisory to this repo: #483

Answer 7 · 2021-06-24T01:48:08.000Z

This has been added. Thanks, all!