Debian Bug report logs - #502535
libruby1.8: REXML DoS fix causes error when parsing XML


Package: libruby1.8; Maintainer for libruby1.8 is akira yamada <akira@debian.org>; Source for libruby1.8 is src:ruby1.8.

Reported by: Naohisa Goto <ngoto@gen-info.osaka-u.ac.jp>

Date: Fri, 17 Oct 2008 13:21:06 UTC

Severity: normal

Found in version ruby1.8/1.8.5-4etch3

Done: akira yamada <akira@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#502535; Package libruby1.8. (Fri, 17 Oct 2008 13:21:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Naohisa Goto <ngoto@gen-info.osaka-u.ac.jp>:
New Bug report received and forwarded. Copy sent to akira yamada <akira@debian.org>. (Fri, 17 Oct 2008 13:21:11 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Naohisa Goto <ngoto@gen-info.osaka-u.ac.jp>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libruby1.8: REXML DoS fix causes error when parsing XML
Date: Fri, 17 Oct 2008 22:16:36 +0900
Package: libruby1.8
Version: 1.8.5-4etch3
Severity: normal

After libruby1.8 1.8.5-4etch3, parsing of some XML documents failed.
For example,

% ruby -r rexml/document -r open-uri -e 'REXML::Document.new(URI.parse("http://github.com/bioruby/bioruby/tree/master%2Ftest%2Fdata%2Fblast%2Fb0002.faa.m7?raw=true").read).root.each_element_with_text { |e| p e.name }'
"BlastOutput_program"
"BlastOutput_version"
/usr/lib/ruby/1.8/rexml/entity.rb:76:in `unnormalized': undefined method `record_entity_expansion' for nil:NilClass (NoMethodError)
        from /usr/lib/ruby/1.8/rexml/doctype.rb:143:in `entity'
        from /usr/lib/ruby/1.8/rexml/text.rb:323:in `unnormalize'
        from /usr/lib/ruby/1.8/rexml/text.rb:321:in `each'
        from /usr/lib/ruby/1.8/rexml/text.rb:321:in `unnormalize'
        from /usr/lib/ruby/1.8/rexml/text.rb:173:in `value'
        from /usr/lib/ruby/1.8/rexml/element.rb:457:in `text'
        from /usr/lib/ruby/1.8/rexml/element.rb:438:in `has_text?'
        from /usr/lib/ruby/1.8/rexml/element.rb:389:in `each_element_with_text'
        from /usr/lib/ruby/1.8/rexml/element.rb:734:in `call'
        from /usr/lib/ruby/1.8/rexml/element.rb:734:in `each_with_something'
        from /usr/lib/ruby/1.8/rexml/element.rb:939:in `each'
        from /usr/lib/ruby/1.8/rexml/xpath.rb:53:in `each'
        from /usr/lib/ruby/1.8/rexml/element.rb:939:in `each'
        from /usr/lib/ruby/1.8/rexml/element.rb:733:in `each_with_something'
        from /usr/lib/ruby/1.8/rexml/element.rb:393:in `each_element_with_text'
        from -e:1

With 1.8.5-4etch2, no error occurred.

% ruby -r rexml/document -r open-uri -e 'REXML::Document.new(URI.parse("http://github.com/bioruby/bioruby/tree/master%2Ftest%2Fdata%2Fblast%2Fb0002.faa.m7?raw=true").read).root.each_element_with_text { |e| p e.name }'
"BlastOutput_program"
"BlastOutput_version"
"BlastOutput_reference"
"BlastOutput_db"
"BlastOutput_query-ID"
"BlastOutput_query-def"
"BlastOutput_query-len"
"BlastOutput_param"
"BlastOutput_iterations"

The same problem is reported in a blog.
http://mashing-it-up.blogspot.com/2008/09/dos-vulnerability-in-rexml-patch-fix.html

The following patch can fix this bug.

--- /usr/lib/ruby/1.8/rexml/entity.rb.ORIG	2008-10-11 04:35:02.000000000 +0900
+++ /usr/lib/ruby/1.8/rexml/entity.rb	2008-10-17 21:18:59.731379482 +0900
@@ -73,7 +73,7 @@
 		# all entities -- both %ent; and &ent; entities.  This differs from
 		# +value()+ in that +value+ only replaces %ent; entities.
 		def unnormalized
-			document.record_entity_expansion
+			document.record_entity_expansion unless document.nil?
 			v = value()
 			return nil if v.nil?
 			@unnormalized = Text::unnormalize(v, parent)
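Review bot: the `unless document.nil?` guard on the `document.record_entity_expansion` line removes the NoMethodError, but it also means an entity with no owning document is expanded without being counted against the expansion limit, so the DoS mitigation is silently skipped on that path; it is worth confirming that the nil case from the report (an Entity reached through a DocType that has no Document) cannot carry nested entity definitions, or else recording the expansion on the parent instead of dropping it. Minor style point: `document.record_entity_expansion if document` is the more idiomatic Ruby spelling of the same guard.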


The same patch for ruby1.8 source package is:

--- debian/patches/168_rexml_dos.patch.ORIG	2008-10-17 20:56:29.000000000 +0900
+++ debian/patches/168_rexml_dos.patch	2008-10-17 21:16:53.330108500 +0900
@@ -44,7 +44,7 @@
  		# all entities -- both %ent; and &ent; entities.  This differs from
  		# +value()+ in that +value+ only replaces %ent; entities.
  		def unnormalized
-+			document.record_entity_expansion
++			document.record_entity_expansion unless document.nil?
  			v = value()
  			return nil if v.nil?
  			@unnormalized = Text::unnormalize(v, parent)
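Review bot: this edits the existing debian/patches/168_rexml_dos.patch in place rather than stacking a new patch on top; because one `+` line replaces one `+` line the inner hunk counts remain valid, but the patch description should be updated to record why the guard is needed (the `undefined method 'record_entity_expansion' for nil:NilClass` failure shown in the report), so the divergence from the original DoS fix is documented for whoever next refreshes the patch.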


Thank you.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.25
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libruby1.8 depends on:
ii  libc6                  2.3.6.ds1-13etch7 GNU C Library: Shared libraries
ii  libncurses5            5.5-5             Shared libraries for terminal hand
ii  zlib1g                 1:1.2.3-13        compression library - runtime

libruby1.8 recommends no packages.

-- debconf-show failed
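As an added illustration (not REXML's code, and not from the reporter or the Debian package), the following Ruby models the entity-expansion accounting that the REXML DoS fix introduced together with the nil-document guard from the reported patch. The class and method names echo the traceback above (Document, Entity#unnormalized, Document#record_entity_expansion); the expansion limit, the EntityExpansionLimitError name and the nested-entity table are constructed here for the example.

```ruby
# Added model of the REXML entity-expansion mitigation; not the real REXML code.
# Class/method names follow the traceback in the bug report; the limit value,
# the error class and the entity table are constructed for this example.

class EntityExpansionLimitError < StandardError; end

class Document
  attr_reader :entity_expansion_count, :entity_expansion_limit

  # Constructed default limit; the real REXML tunable is not this number.
  def initialize(limit = 10)
    @entity_expansion_limit = limit
    @entity_expansion_count = 0
  end

  # Every entity expansion is counted; exceeding the budget aborts processing
  # instead of letting nested entities ("billion laughs") exhaust memory.
  def record_entity_expansion
    @entity_expansion_count += 1
    if @entity_expansion_count > @entity_expansion_limit
      raise EntityExpansionLimitError,
            "number of entity expansions exceeded, processing aborted"
    end
  end
end

class Entity
  attr_reader :name, :value, :document

  # document may be nil: the report shows an entity reached through a
  # DocType that has no owning Document.
  def initialize(name, value, document = nil, table = {})
    @name, @value, @document, @table = name, value, document, table
  end

  # Before the fix: document.record_entity_expansion on nil -> NoMethodError.
  # After the fix (modelled here): record only when a document exists. Note
  # the consequence: with document == nil nothing is counted at all.
  def unnormalized
    document.record_entity_expansion unless document.nil?
    v = value
    return nil if v.nil?
    # Replace &name; references by recursively expanding referenced entities.
    v.gsub(/&([^;]+);/) do
      ref = @table[$1]
      ref ? ref.unnormalized : "&#{$1};"
    end
  end
end

# Constructed entity table: level i references level i-1 `fanout` times,
# so full expansion of e<levels> costs 1 + fanout + fanout^2 + ... expansions.
def build_table(document, levels, fanout)
  table = {}
  table["e0"] = Entity.new("e0", "lol", document, table)
  (1..levels).each do |i|
    table["e#{i}"] = Entity.new("e#{i}", "&e#{i - 1};" * fanout, document, table)
  end
  table
end

# Expand the top-level entity; pass document = nil to exercise the guarded path.
def expand(levels, fanout, document)
  build_table(document, levels, fanout)["e#{levels}"].unnormalized
end

if __FILE__ == $0
  puts expand(2, 2, Document.new(10))          # 7 expansions, within budget
  begin
    expand(3, 2, Document.new(10))             # 15 expansions, over budget
  rescue EntityExpansionLimitError => e
    puts "blocked: #{e.message}"
  end
  puts expand(3, 2, nil).length                # no document: expanded, uncounted
end
```

Running it shows the three behaviours a maintainer cares about: a document under budget expands normally, one over budget is aborted by the counter, and the nil-document path that used to raise NoMethodError now expands but bypasses the counter entirely, which is the caveat to weigh when accepting the guard.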




Information forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#502535; Package libruby1.8. (Sun, 08 Feb 2009 13:18:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Lucas Nussbaum <lucas@lucas-nussbaum.net>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>. (Sun, 08 Feb 2009 13:18:02 GMT) Full text and rfc822 format available.

Message #10 received at 502535@bugs.debian.org (full text, mbox):

From: Lucas Nussbaum <lucas@lucas-nussbaum.net>
To: 502535@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#502535: libruby1.8: REXML DoS fix causes error when parsing XML
Date: Sun, 8 Feb 2009 14:15:45 +0100
clone 502535 -1
reassign -1 ruby1.9 1.9.0.2-8
fixed -1 1.9.0.2-9  
thanks

Hi,

#502535 also affects ruby1.9. It was fixed in 1.9.0.2-9, but that
version didn't migrate to testing yet.

I'm cloning+reassigning so the bug stays on the radar.
-- 
| Lucas Nussbaum
| lucas@lucas-nussbaum.net   http://www.lucas-nussbaum.net/ |
| jabber: lucas@nussbaum.fr             GPG: 1024D/023B3F4F |




Bug 502535 cloned as bug 514529. Request was from Lucas Nussbaum <lucas@lucas-nussbaum.net> to control@bugs.debian.org. (Sun, 08 Feb 2009 13:18:03 GMT) Full text and rfc822 format available.

Reply sent to akira yamada <akira@debian.org>:
You have taken responsibility. (Fri, 10 Jul 2009 06:30:04 GMT) Full text and rfc822 format available.

Notification sent to Naohisa Goto <ngoto@gen-info.osaka-u.ac.jp>:
Bug acknowledged by developer. (Fri, 10 Jul 2009 06:30:04 GMT) Full text and rfc822 format available.

Message #17 received at 502535-done@bugs.debian.org (full text, mbox):

From: akira yamada <akira@debian.org>
To: 502535-done@bugs.debian.org
Subject: (no subject)
Date: Fri, 10 Jul 2009 15:25:28 +0900
This bug is fixed in 1.8.5-4etch4 (etch) and 1.8.7.72-2 (lenny).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 07 Aug 2009 07:29:02 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 08:29:54 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.