Add CVE-2018-16470 for rack (#368)

feelepxyz · reedloden · commit cd40e66c0a62 · 2018-11-06T08:35:10.000-08:00
Add CVE-2018-16470 for rack
diff --git a/gems/rack/CVE-2018-16470.yml b/gems/rack/CVE-2018-16470.yml
@@ -0,0 +1,56 @@
+---
+gem: rack
+cve: 2018-16470
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk
+title: Possible DoS vulnerability in Rack
+date: 2018-11-05
+
+description: |
+  There is a possible DoS vulnerability in the multipart parser in Rack. This
+  vulnerability has been assigned the CVE identifier CVE-2018-16470.
+
+  Versions Affected:  2.0.4, 2.0.5
+  Not affected:       <= 2.0.3
+  Fixed Versions:     2.0.6
+
+  Impact
+  ------
+  There is a possible DoS vulnerability in the multipart parser in Rack.
+  Carefully crafted requests can cause the multipart parser to enter a
+  pathological state, causing the parser to use CPU resources disproportionate to
+  the request size.
+
+  Impacted code can look something like this:
+
+  ```
+  Rack::Request.new(env).params
+  ```
+
+  But any code that uses the multi-part parser may be vulnerable.
+
+  Rack users that have manually adjusted the buffer size in the multipart parser
+  may be vulnerable as well.
+
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+
+  Releases
+  --------
+  The 2.0.6 release is available at the normal locations.
+
+  Workarounds
+  -----------
+  To work around this issue, the following code can be used:
+
+  ```
+  require "rack/multipart/parser"
+
+  Rack::Multipart::Parser.send :remove_const, :BUFSIZE
+  Rack::Multipart::Parser.const_set :BUFSIZE, 16384
+  ```
+
+unaffected_versions:
+  - "<= 2.0.3"
+
+patched_versions:
+  - ">= 2.0.6"
