- CVE-2008-3790: DoS vulnerability in the REXML module.

2008-10-08 13:30:47 +00:00 · 2008-10-08 13:30:47 +00:00 · 7aa361802f
commit 7aa361802f
parent 3f68db5077
2 changed files with 102 additions and 1 deletions
--- a/ruby-1.8.6-rexml-CVE-2008-3790.patch
+++ b/ruby-1.8.6-rexml-CVE-2008-3790.patch
@ -0,0 +1,96 @@
+diff -pruN ruby-1.8.6-p287.orig/lib/rexml/document.rb ruby-1.8.6-p287/lib/rexml/document.rb
+--- ruby-1.8.6-p287.orig/lib/rexml/document.rb	2007-11-04 13:50:15.000000000 +0900
+++ ruby-1.8.6-p287/lib/rexml/document.rb	2008-10-08 22:25:14.000000000 +0900
+@@ -32,6 +32,7 @@ module REXML
+ 	  # @param context if supplied, contains the context of the document;
+ 	  # this should be a Hash.
+ 		def initialize( source = nil, context = {} )
+      @entity_expansion_count = 0
+ 			super()
+ 			@context = context
+ 			return if source.nil?
+@@ -200,6 +201,27 @@ module REXML
+ 			Parsers::StreamParser.new( source, listener ).parse
+ 		end
+ 
+    @@entity_expansion_limit = 10_000
+
+    # Set the entity expansion limit. By defualt the limit is set to 10000.
+    def Document::entity_expansion_limit=( val )
+      @@entity_expansion_limit = val
+    end
+
+    # Get the entity expansion limit. By defualt the limit is set to 10000.
+    def Document::entity_expansion_limit
+      return @@entity_expansion_limit
+    end
+
+    attr_reader :entity_expansion_count
+    
+    def record_entity_expansion
+      @entity_expansion_count += 1
+      if @entity_expansion_count > @@entity_expansion_limit
+        raise "number of entity expansions exceeded, processing aborted."
+      end
+    end
+
+ 		private
+ 		def build( source )
+       Parsers::TreeParser.new( source, self ).parse
+diff -pruN ruby-1.8.6-p287.orig/lib/rexml/entity.rb ruby-1.8.6-p287/lib/rexml/entity.rb
+--- ruby-1.8.6-p287.orig/lib/rexml/entity.rb	2007-07-28 11:46:08.000000000 +0900
+++ ruby-1.8.6-p287/lib/rexml/entity.rb	2008-10-08 22:25:14.000000000 +0900
+@@ -73,6 +73,7 @@ module REXML
+ 		# all entities -- both %ent; and &ent; entities.  This differs from
+ 		# +value()+ in that +value+ only replaces %ent; entities.
+ 		def unnormalized
+      document.record_entity_expansion
+ 			v = value()
+ 			return nil if v.nil?
+ 			@unnormalized = Text::unnormalize(v, parent)
+diff -pruN ruby-1.8.6-p287.orig/test/rexml/test_document.rb ruby-1.8.6-p287/test/rexml/test_document.rb
+--- ruby-1.8.6-p287.orig/test/rexml/test_document.rb	1970-01-01 09:00:00.000000000 +0900
+++ ruby-1.8.6-p287/test/rexml/test_document.rb	2008-10-08 22:25:14.000000000 +0900
+@@ -0,0 +1,42 @@
+require "rexml/document"
+require "test/unit"
+
+class REXML::TestDocument < Test::Unit::TestCase
+  def test_new
+    doc = REXML::Document.new(<<EOF)
+<?xml version="1.0" encoding="UTF-8"?>
+<message>Hello world!</message>
+EOF
+    assert_equal("Hello world!", doc.root.children.first.value)
+  end
+
+  XML_WITH_NESTED_ENTITY = <<EOF
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE member [
+  <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
+  <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
+  <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
+  <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
+  <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
+  <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
+  <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
+]>
+<member>
+&a;
+</member>
+EOF
+
+  def test_entity_expansion_limit
+    doc = REXML::Document.new(XML_WITH_NESTED_ENTITY)
+    assert_raise(RuntimeError) do
+      doc.root.children.first.value
+    end
+    REXML::Document.entity_expansion_limit = 100
+    assert_equal(100, REXML::Document.entity_expansion_limit)
+    doc = REXML::Document.new(XML_WITH_NESTED_ENTITY)
+    assert_raise(RuntimeError) do
+      doc.root.children.first.value
+    end
+    assert_equal(101, doc.entity_expansion_count)
+  end
+end
--- a/ruby.spec
+++ b/ruby.spec
@ -12,7 +12,7 @@

 Name:		ruby
 Version:	%{rubyver}%{?dotpatchlevel}
-Release:	1%{?dist}
+Release:	2%{?dist}
 License:	Ruby or GPLv2
 URL:		http://www.ruby-lang.org/
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -34,6 +34,7 @@ Patch21:	ruby-deprecated-sitelib-search-path.patch
 Patch22:	ruby-deprecated-search-path.patch
 Patch23:	ruby-multilib.patch
 Patch25:	ruby-1.8.6.111-gcc43.patch
+Patch26:	ruby-1.8.6-rexml-CVE-2008-3790.patch

 Summary:	An interpreter of object-oriented scripting language
 Group:		Development/Languages
@ -152,6 +153,7 @@ pushd %{name}-%{arcver}
 %patch23 -p1
 %endif
 %patch25 -p1
+%patch26 -p1
 popd

 %build
@ -502,6 +504,9 @@ rm -rf tmp-ruby-docs
 %{_datadir}/emacs/site-lisp/site-start.d/ruby-mode-init.el

 %changelog
+* Wed Oct  8 2008 Akira TAGOH <tagoh@redhat.com> - 1.8.6.287-2
+- CVE-2008-3790: DoS vulnerability in the REXML module.
+
 * Sat Aug 23 2008 Akira TAGOH <tagoh@redhat.com> - 1.8.6.287-1
 - New upstream release.
 - Security fixes.