From 7aa361802fb8b86d0a2cfbcde128d10af1ed5056 Mon Sep 17 00:00:00 2001 From: Akira TAGOH Date: Wed, 8 Oct 2008 13:30:47 +0000 Subject: [PATCH] - CVE-2008-3790: DoS vulnerability in the REXML module. --- ruby-1.8.6-rexml-CVE-2008-3790.patch | 96 ++++++++++++++++++++++++++++ ruby.spec | 7 +- 2 files changed, 102 insertions(+), 1 deletion(-) create mode 100644 ruby-1.8.6-rexml-CVE-2008-3790.patch diff --git a/ruby-1.8.6-rexml-CVE-2008-3790.patch b/ruby-1.8.6-rexml-CVE-2008-3790.patch new file mode 100644 index 0000000..2ce6e1f --- /dev/null +++ b/ruby-1.8.6-rexml-CVE-2008-3790.patch @@ -0,0 +1,96 @@ +diff -pruN ruby-1.8.6-p287.orig/lib/rexml/document.rb ruby-1.8.6-p287/lib/rexml/document.rb +--- ruby-1.8.6-p287.orig/lib/rexml/document.rb 2007-11-04 13:50:15.000000000 +0900 ++++ ruby-1.8.6-p287/lib/rexml/document.rb 2008-10-08 22:25:14.000000000 +0900 +@@ -32,6 +32,7 @@ module REXML + # @param context if supplied, contains the context of the document; + # this should be a Hash. + def initialize( source = nil, context = {} ) ++ @entity_expansion_count = 0 + super() + @context = context + return if source.nil? +@@ -200,6 +201,27 @@ module REXML + Parsers::StreamParser.new( source, listener ).parse + end + ++ @@entity_expansion_limit = 10_000 ++ ++ # Set the entity expansion limit. By defualt the limit is set to 10000. ++ def Document::entity_expansion_limit=( val ) ++ @@entity_expansion_limit = val ++ end ++ ++ # Get the entity expansion limit. By defualt the limit is set to 10000. ++ def Document::entity_expansion_limit ++ return @@entity_expansion_limit ++ end ++ ++ attr_reader :entity_expansion_count ++ ++ def record_entity_expansion ++ @entity_expansion_count += 1 ++ if @entity_expansion_count > @@entity_expansion_limit ++ raise "number of entity expansions exceeded, processing aborted." ++ end ++ end ++ + private + def build( source ) + Parsers::TreeParser.new( source, self ).parse +diff -pruN ruby-1.8.6-p287.orig/lib/rexml/entity.rb ruby-1.8.6-p287/lib/rexml/entity.rb +--- ruby-1.8.6-p287.orig/lib/rexml/entity.rb 2007-07-28 11:46:08.000000000 +0900 ++++ ruby-1.8.6-p287/lib/rexml/entity.rb 2008-10-08 22:25:14.000000000 +0900 +@@ -73,6 +73,7 @@ module REXML + # all entities -- both %ent; and &ent; entities. This differs from + # +value()+ in that +value+ only replaces %ent; entities. + def unnormalized ++ document.record_entity_expansion + v = value() + return nil if v.nil? + @unnormalized = Text::unnormalize(v, parent) +diff -pruN ruby-1.8.6-p287.orig/test/rexml/test_document.rb ruby-1.8.6-p287/test/rexml/test_document.rb +--- ruby-1.8.6-p287.orig/test/rexml/test_document.rb 1970-01-01 09:00:00.000000000 +0900 ++++ ruby-1.8.6-p287/test/rexml/test_document.rb 2008-10-08 22:25:14.000000000 +0900 +@@ -0,0 +1,42 @@ ++require "rexml/document" ++require "test/unit" ++ ++class REXML::TestDocument < Test::Unit::TestCase ++ def test_new ++ doc = REXML::Document.new(< ++Hello world! ++EOF ++ assert_equal("Hello world!", doc.root.children.first.value) ++ end ++ ++ XML_WITH_NESTED_ENTITY = < ++ ++ ++ ++ ++ ++ ++ ++]> ++ ++&a; ++ ++EOF ++ ++ def test_entity_expansion_limit ++ doc = REXML::Document.new(XML_WITH_NESTED_ENTITY) ++ assert_raise(RuntimeError) do ++ doc.root.children.first.value ++ end ++ REXML::Document.entity_expansion_limit = 100 ++ assert_equal(100, REXML::Document.entity_expansion_limit) ++ doc = REXML::Document.new(XML_WITH_NESTED_ENTITY) ++ assert_raise(RuntimeError) do ++ doc.root.children.first.value ++ end ++ assert_equal(101, doc.entity_expansion_count) ++ end ++end diff --git a/ruby.spec b/ruby.spec index 4de644d..2206c3b 100644 --- a/ruby.spec +++ b/ruby.spec @@ -12,7 +12,7 @@ Name: ruby Version: %{rubyver}%{?dotpatchlevel} -Release: 1%{?dist} +Release: 2%{?dist} License: Ruby or GPLv2 URL: http://www.ruby-lang.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -34,6 +34,7 @@ Patch21: ruby-deprecated-sitelib-search-path.patch Patch22: ruby-deprecated-search-path.patch Patch23: ruby-multilib.patch Patch25: ruby-1.8.6.111-gcc43.patch +Patch26: ruby-1.8.6-rexml-CVE-2008-3790.patch Summary: An interpreter of object-oriented scripting language Group: Development/Languages @@ -152,6 +153,7 @@ pushd %{name}-%{arcver} %patch23 -p1 %endif %patch25 -p1 +%patch26 -p1 popd %build @@ -502,6 +504,9 @@ rm -rf tmp-ruby-docs %{_datadir}/emacs/site-lisp/site-start.d/ruby-mode-init.el %changelog +* Wed Oct 8 2008 Akira TAGOH - 1.8.6.287-2 +- CVE-2008-3790: DoS vulnerability in the REXML module. + * Sat Aug 23 2008 Akira TAGOH - 1.8.6.287-1 - New upstream release. - Security fixes.