Security Release - raven-ruby 0.12.2


David Cramer

Dec 8, 2014, 6:08:57 PM12/8/14
to gets...@googlegroups.com
We've identified an issue in raven-ruby that poses a potential Denial of Service attack in certain scenarios. This issue had potential to exist as far back as the 0.6.0 series, and is addressed in the 0.12.2 security release. The specific vulnerability is exposed when an attempt is made to decode a large numeric value stored as an exponent/in scientific notation. Since the library does not need this functionality, we have simply disabled conversion of these kinds of values.

The specific commit addressing these issues can be seen here:


As an aside, if you use the okjson library (outside of the raven-ruby client) this vulnerability may affect you in other ways and we suggest you explore that possibility.

A big thanks to the team at Travis CI for responsibly reporting this vulnerability.

David Cramer

Dec 8, 2014, 7:42:55 PM12/8/14
to gets...@googlegroups.com
As an aside, we also pushed out a 0.6.1 release which includes the fix.

Taras D

Dec 19, 2014, 10:30:47 PM12/19/14
to gets...@googlegroups.com
Do you have a link explaining the vulnerability?

David Cramer

Dec 19, 2014, 10:35:20 PM12/19/14
to gets...@googlegroups.com
The vulnerability has to do with the potential high cost of computing the exponential number.

That is, decoding a value of "10e[some_really_large_number]" can burn CPU. Given that the Raven client can accept user input (via people passing it in as context) it made it possible to craft requests which would stall webservers.
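The costly pattern David describes (expanding `10e<N>` into an exact integer by computing `10**N`), placed beside a decoder that bounds the exponent before any conversion, as an added Ruby example that is not code from raven-ruby or okjson; the regular expression, the function names and the exponent bound of 308 are assumptions made for this illustration.

```ruby
# Added example, not raven-ruby's or okjson's own code.
# JSON number tokens: optional sign, integer part, optional fraction,
# optional exponent. The regular expression is an assumption for this example.
NUMBER_RE = /\A(-?(?:0|[1-9][0-9]*))(\.[0-9]+)?([eE][+-]?[0-9]+)?\z/

# Largest decimal exponent a double can represent; chosen as the bound here.
MAX_EXPONENT = 308

class UnsafeNumber < StandardError; end

# The expensive pattern: an exponent with no fraction is turned into an exact
# bignum, and the cost of 10**N grows with N. Shown only for comparison;
# never feed it untrusted input.
def naive_decode(token)
  m = NUMBER_RE.match(token)
  raise ArgumentError, "not a JSON number: #{token.inspect}" unless m
  int, frac, exp = m[1], m[2], m[3]
  return Integer(int, 10) if frac.nil? && exp.nil?
  return Float(token) if frac
  Integer(int, 10) * (10 ** exp[1..-1].to_i)   # bignum expansion
end

# Bounded decoding: reject an exponent outside [-max_exponent, max_exponent]
# before converting, and never build an exact power of ten from it. Values
# with an exponent become a Float, whose cost does not depend on the exponent.
def safe_decode(token, max_exponent: MAX_EXPONENT)
  m = NUMBER_RE.match(token)
  raise ArgumentError, "not a JSON number: #{token.inspect}" unless m
  int, frac, exp = m[1], m[2], m[3]
  return Integer(int, 10) if frac.nil? && exp.nil?
  if exp
    e = exp[1..-1].to_i
    raise UnsafeNumber, "exponent #{e} exceeds bound #{max_exponent}" if e.abs > max_exponent
  end
  Float(token)
end

# Returns the outcome of decoding a constructed, untrusted token: either the
# decoded value or the class of the error that rejected it.
def decode_untrusted(token)
  safe_decode(token)
rescue UnsafeNumber, ArgumentError => e
  e.class
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample tokens, including an oversized exponent.
  ["42", "-12", "1.25e2", "10e3", "10e999999999", "abc"].each do |tok|
    puts "#{tok.inspect} -> #{decode_untrusted(tok).inspect}"
  end
end
```

The thread's actual fix was to disable exponent conversion altogether, which is the simplest form of this guard: raise `UnsafeNumber` whenever `exp` is present, regardless of its size.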

Taras D

Dec 26, 2014, 8:24:53 PM12/26/14
to gets...@googlegroups.com
Thanks for the reply David :)