Merge branch 'add_cve_2013_4203' into development

Changelog.md

@@ -18,6 +18,7 @@ _latest update: Sun Mar 23 23:06:38 CET 2014_
 * Added a check for CVE-2013-2512
 * Added a check for CVE-2013-2513
 * Added a check for CVE-2013-2516
+* Added a check for CVE-2013-4203
 * Added a check for CVE-2013-4413
 * Added a check for CVE-2013-4489
 * Added a check for CVE-2013-4593
@@ -52,8 +53,10 @@ _latest update: Sun Mar 23 23:06:38 CET 2014_
   or just old. I enabled only check against ruby
 * Added a --seach-knowledge-base removing the optional parameter to
   --list-knowledge-base that is just for listing.
-* Renamed '--list-knowledgebase' to '--list-knowledge-base' and '-k' short option was removed
-* Added a --list-known-families option printing out Codesake::Dawn supported check family name
+* Renamed '--list-knowledgebase' to '--list-knowledge-base' and '-k' short
+  option was removed
+* Added a --list-known-families option printing out Codesake::Dawn supported
+  check family name
 * Removed '-f' short option for list-known-framework
 * Added family and severity to Owasp RoR Cheatsheet files
 * Add a method to return severity level. If it's provided by check constructor
@@ -72,6 +75,8 @@ _latest update: Sun Mar 23 23:06:38 CET 2014_
   preferences in a .codesake-dawn.yaml file in your home directory (or you can
   use the --config-file option to specify the file you want to use). It returns
   an embedded default configuration if the supplied filename doesn't exist.
+* Nokogiri DoS security checks discovered in December 2013, now have their own
+  CVE: CVE-2013-6460 and CVE-2013-6461
 
 ## Version 1.0.6 - codename: Lightning McQueen (2014-03-23)
 

Rakefile

@@ -36,7 +36,7 @@ task :cve, :name do |t,args|
   SRC_DIR   = "./lib/codesake/dawn/kb/"
   SPEC_DIR  = "./spec/lib/kb/"
 
-  raise "### It seems that #{name} is already in Dawn knowledge base" unless Codesake::Dawn::KnowledgeBase.find(nil, name).nil?
+  raise "### It seems that #{name} is already in Dawn knowledge base" unless Codesake::Dawn::KnowledgeBase.new.find(nil, name).nil?
   raise "### Invalid CVE title: #{name}" if name.nil? or name.empty? or /CVE-\d{4}-\d{4}/.match(name).nil?
   raise "### No target directory: #{SRC_DIR}" unless Dir.exists?(SRC_DIR)
   raise "### No rspec directory: #{SPEC_DIR}" unless Dir.exists?(SPEC_DIR)
@@ -213,14 +213,25 @@ namespace :rubysec do
       advisory = YAML.load_file(path)
       if advisory['cve']
         cve = "CVE-"+advisory['cve']
-        found = Codesake::Dawn::KnowledgeBase.find(nil, cve)
-        puts "#{cve} NOT in dawn v#{Codesake::Dawn::VERSION} knowledge base" unless found
-        list << cve unless found
+        # Exclusion
+        # CVE-2007-6183 is a vulnerability in gnome2 ruby binding. Not a gem, I don't care
+        # CVE-2013-1878 is a duplicate of CVE-2013-2617 that is in knowledge base
+        # CVE-2013-1876 is a duplicate of CVE-2013-2615 that is in knowledge base
+        exclusion = ["CVE-2007-6183", "CVE-2013-1876", "CVE-2013-1878"]
+        if exclusion.include?(cve) 
+          puts "#{cve} is in the exclusion list"
+        else
+          found = Codesake::Dawn::KnowledgeBase.find(nil, cve)
+          puts "#{cve} NOT in dawn v#{Codesake::Dawn::VERSION} knowledge base" unless found
+          list << cve unless found
+        end
       end
     end
-    File.open("missing_rubyadvisory_cvs_#{Time.now.strftime("%Y%m%d")}.txt", "w") do |f|
-      f.puts "Missing CVE bulletins - v#{Codesake::Dawn::VERSION} - #{Time.now.strftime("%d %B %Y")}"
-      f.puts list
+    unless list.empty?
+      File.open("missing_rubyadvisory_cvs_#{Time.now.strftime("%Y%m%d")}.txt", "w") do |f|
+        f.puts "Missing CVE bulletins - v#{Codesake::Dawn::VERSION} - #{Time.now.strftime("%d %B %Y")}"
+        f.puts list
+      end
     end
     system "rm -rf #{target_dir}ruby-advisory-db"
 

lib/codesake/dawn/kb/cve_2013_4203.rb

@@ -0,0 +1,27 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-03-28
+			class CVE_2013_4203
+				include DependencyCheck
+
+				def initialize
+          message = "The self.run_gpg function in lib/rgpg/gpg_helper.rb in the rgpg gem before 0.2.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors."
+           super({
+            :name=>"CVE-2013-4203",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 10, 11),
+            :cwe=>"94",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rgpg at least to version 0.2.3. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links=>["http://www.openwall.com/lists/oss-security/2013/08/03/2"]
+           })
+           self.safe_dependencies = [{:name=>"rgpg", :version=>['0.2.3']}]
+				end
+			end
+		end
+	end
+end

lib/codesake/dawn/kb/nokogiri_dos_20131217.rb → lib/codesake/dawn/kb/cve_2013_6460.rb

@@ -2,55 +2,52 @@ module Codesake
 	module Dawn
 		module Kb
 
-      class NokogiriDos20131217_a
+      class CVE_2013_6460_a
         include DependencyCheck
 
         def initialize
           message = "Vulnerability arises when Nokogiri version 1.6.0 and 1.5.x (x<11) is used"
           super({
-            :name=>"NokogiriDos20131217_a",
+            :name=>"CVE_2013_6460_a",
             :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
           })
           self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.1', '1.5.11']}]
         end
 
       end
 
-      class NokogiriDos20131217_b
+      class CVE_2013_6460_b
         include RubyVersionCheck
         def initialize
           message = "Vulnerability arises when Nokogiri version 1.6.0 and 1.5.x (x<11) is used with JRuby"
           super({
-            :name=>"NokogiriDos20131217_b",
+            :name=>"CVE_2013_6460_b",
             :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
           })
           self.safe_rubies = [ {:engine=>"jruby", :version=>"99.99.99", :patchlevel=>"p999"}]
           # self.debug = true
         end
       end
 
-			class NokogiriDos20131217
+			class CVE_2013_6460
         include ComboCheck
 
 				def initialize
           message = "There is a vulnerability in Nokogiri when using JRuby where the parser can enter an infinite loop and exhaust the process memory. Nokogiri users on JRuby using the native Java extension.  Attackers can send XML documents with carefully crafted documents which can cause the XML processor to enter an infinite loop, causing the server to run out of memory and crash."
 
           super({
-            :name=>"Nokogiri - Denial of service - 20131217",
-            :cvss=>"",
+            :name=>"CVE-2013-6460",
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:N/A:P",
             :release_date => Date.new(2013, 12, 15),
             :cwe=>"",
             :owasp=>"A9", 
             :applies=>["rails", "sinatra", "padrino"],
             :kind=>Codesake::Dawn::KnowledgeBase::COMBO_CHECK,
             :message=>message,
             :mitigation=>"Please upgrade nokogiri gem to a newer version",
-            :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA"],
-            :checks=>[NokogiriDos20131217_a.new, NokogiriDos20131217_b.new]
+            :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA", "https://access.redhat.com/security/cve/CVE-2013-6460"],
+            :checks=>[CVE_2013_6460_a.new, CVE_2013_6460_b.new]
           })
-
-
-
 				end
 			end
 		end

lib/codesake/dawn/kb/nokogiri_entityexpansion_dos_20131217.rb → lib/codesake/dawn/kb/cve_2013_6461.rb

@@ -2,41 +2,41 @@ module Codesake
 	module Dawn
 		module Kb
 
-      class Nokogiri_EntityExpansion_Dos_20131217_a
+      class CVE_2013_6461_a
         include DependencyCheck
 
         def initialize
           message = "Vulnerability arises when Nokogiri version 1.6.0 and 1.5.x (x<11) is used"
           super({
-            :name=>"Nokogiri_EntityExpansion_Dos_20131217_a",
+            :name=>"CVE_2013_6461_a",
             :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
           })
           self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.1', '1.5.11']}]
         end
 
       end
 
-      class Nokogiri_EntityExpansion_Dos_20131217_b
+      class CVE_2013_6461_b
         include RubyVersionCheck
         def initialize
           message = "Vulnerability arises when Nokogiri version 1.6.0 and 1.5.x (x<11) is used with JRuby"
           super({
-            :name=>"Nokogiri_EntityExpansion_Dos_20131217_b",
+            :name=>"CVE_2013_6461_b",
             :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
           })
           self.safe_rubies = [ {:engine=>"jruby", :version=>"99.99.99", :patchlevel=>"p999"}]
         end
       end
 
-			class Nokogiri_EntityExpansion_Dos_20131217
+			class CVE_2013_6461
         include ComboCheck
 
 				def initialize
           message = "There is an entity expansion vulnerability in Nokogiri when using JRuby. Nokogiri users on JRuby using the native Java extension.  Attackers can send
 XML documents with carefully crafted entity expansion strings which can cause the server to run out of memory and crash."
           super({
-            :name=>"Nokogiri - Entity expasion denial of service - 20131217",
-            :cvss=>"",
+            :name=>"CVE-2013-6461",
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:N/A:P",
             :release_date => Date.new(2013, 12, 15),
             :cwe=>"",
             :owasp=>"A9", 
@@ -45,7 +45,7 @@ def initialize
             :message=>message,
             :mitigation=>"Please upgrade nokogiri gem to a newer version",
             :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA"],
-            :checks=>[Nokogiri_EntityExpansion_Dos_20131217_a.new, Nokogiri_EntityExpansion_Dos_20131217_b.new]
+            :checks=>[CVE_2013_6461_a.new, CVE_2013_6461_b.new]
           })
 
 

lib/codesake/dawn/knowledge_base.rb

@@ -31,13 +31,6 @@
 # https://groups.google.com/forum/#!topic/ruby-security-ann/flHbLMb07tE
 require "codesake/dawn/kb/simpleform_xss_20131129"
 
-# Two different denial of service issues affecting Nokogiri gem when using Jruby interpreter
-# December, 17 2013
-#
-# https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA
-require "codesake/dawn/kb/nokogiri_dos_20131217"
-require "codesake/dawn/kb/nokogiri_entityexpansion_dos_20131217"
-
 # CVE - 2004
 require "codesake/dawn/kb/cve_2004_0755"
 require "codesake/dawn/kb/cve_2004_0983"
@@ -189,6 +182,7 @@
 require "codesake/dawn/kb/cve_2013_2617"
 require "codesake/dawn/kb/cve_2013_3221"
 require "codesake/dawn/kb/cve_2013_4164"
+require "codesake/dawn/kb/cve_2013_4203"
 require "codesake/dawn/kb/cve_2013_4389"
 require "codesake/dawn/kb/cve_2013_4413"
 require "codesake/dawn/kb/cve_2013_4457"
@@ -207,6 +201,8 @@
 require "codesake/dawn/kb/cve_2013_6417"
 require "codesake/dawn/kb/cve_2013_6421"
 require "codesake/dawn/kb/cve_2013_6459"
+require "codesake/dawn/kb/cve_2013_6460"
+require "codesake/dawn/kb/cve_2013_6461"
 require "codesake/dawn/kb/cve_2013_7086"
 
 # CVE - 2014
@@ -425,6 +421,7 @@ def load_security_checks
           Codesake::Dawn::Kb::CVE_2013_2617.new, 
           Codesake::Dawn::Kb::CVE_2013_3221.new, 
           Codesake::Dawn::Kb::CVE_2013_4164.new, 
+          Codesake::Dawn::Kb::CVE_2013_4203.new, 
           Codesake::Dawn::Kb::CVE_2013_4389.new, 
           Codesake::Dawn::Kb::CVE_2013_4413.new,
           Codesake::Dawn::Kb::CVE_2013_4457.new,
@@ -443,6 +440,8 @@ def load_security_checks
           Codesake::Dawn::Kb::CVE_2013_6417.new, 
           Codesake::Dawn::Kb::CVE_2013_6421.new, 
           Codesake::Dawn::Kb::CVE_2013_6459.new, 
+          Codesake::Dawn::Kb::CVE_2013_6460.new,
+          Codesake::Dawn::Kb::CVE_2013_6461.new,
           Codesake::Dawn::Kb::CVE_2013_7086.new, 
           Codesake::Dawn::Kb::CVE_2014_0036.new, 
           Codesake::Dawn::Kb::CVE_2014_0080.new, 
@@ -471,8 +470,6 @@ def load_security_checks
         @aux_checks =
         [
           Codesake::Dawn::Kb::SimpleForm_Xss_20131129.new,
-          Codesake::Dawn::Kb::NokogiriDos20131217.new,
-          Codesake::Dawn::Kb::Nokogiri_EntityExpansion_Dos_20131217.new,
         ]
 
         ret = []

spec/lib/dawn/codesake_knowledgebase_spec.rb

@@ -427,15 +427,15 @@
     sc.class.should == Codesake::Dawn::Kb::CVE_2013_6417
   end
 
-  it "must have test for NokogiriDos20131217_1" do
-    sc = kb.find("Nokogiri - Denial of service - 20131217")
+  it "must have test for CVE-2013-6460" do
+    sc = kb.find("CVE-2013-6460")
     sc.should_not   be_nil
-    sc.class.should == Codesake::Dawn::Kb::NokogiriDos20131217
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_6460
   end
-  it "must have test for Nokogiri_EntityExpansion_Dos_20131217" do
-    sc = kb.find("Nokogiri - Entity expasion denial of service - 20131217")
+  it "must have test for CVE-2013-6461" do
+    sc = kb.find("CVE-2013-6461")
     sc.should_not   be_nil
-    sc.class.should == Codesake::Dawn::Kb::Nokogiri_EntityExpansion_Dos_20131217
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_6461
   end
   it "must have test for CVE-2013-4478" do
     sc = kb.find("CVE-2013-4478")
@@ -877,4 +877,9 @@
         sc.should_not   be_nil
           sc.class.should == Codesake::Dawn::Kb::CVE_2014_2538
   end
+  it "must have test for CVE-2013-4203" do
+      sc = kb.find("CVE-2013-4203")
+        sc.should_not   be_nil
+          sc.class.should == Codesake::Dawn::Kb::CVE_2013_4203
+  end
 end

spec/lib/kb/cve_2013_4203_spec.rb

@@ -0,0 +1,15 @@
+require 'spec_helper'
+describe "The CVE-2013-4203 vulnerability" do
+	before(:all) do
+		@check = Codesake::Dawn::Kb::CVE_2013_4203.new
+		# @check.debug = true
+	end
+  it "is reported when a vulnerable rgpg version is detected (0.2.2)" do
+    @check.dependencies = [{:name=>"rgpg", :version=>"0.2.2"}]
+    @check.vuln?.should   be_true
+  end
+  it "is not reported when a safe rgpg version is detected (0.2.3)" do
+    @check.dependencies = [{:name=>"rgpg", :version=>"0.2.3"}]
+    @check.vuln?.should   be_false
+  end
+end