Debian Bug report logs - #702525
ruby1.9.1: CVE-2013-1821: entity expansion DoS vulnerability in REXML


Package: src:ruby1.9.1; Maintainer for src:ruby1.9.1 is Antonio Terceiro <terceiro@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 7 Mar 2013 19:21:01 UTC

Severity: grave

Tags: patch, security, upstream

Fixed in version ruby1.9.1/1.9.3.194-8.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, akira yamada <akira@debian.org>:
Bug#702525; Package src:ruby1.9.1. (Thu, 07 Mar 2013 19:21:03 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, akira yamada <akira@debian.org>. (Thu, 07 Mar 2013 19:21:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby1.9.1: CVE-2013-1821: entity expansion DoS vulnerability in REXML
Date: Thu, 07 Mar 2013 20:20:16 +0100
Source: ruby1.9.1
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for ruby1.9.1.

CVE-2013-1821[0]:
entity expansion DoS vulnerability in REXML

More details are explained in the upstream announcement[1]. Patches
are committed to svn with revision r39384[2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1821
    http://security-tracker.debian.org/tracker/CVE-2013-1821
[1] http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/
[2] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=39384

Please adjust the affected versions in the BTS as needed.

Thanks for your work on the ruby1.9.1 source package!

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#702525; Package src:ruby1.9.1. (Fri, 08 Mar 2013 20:57:05 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>. (Fri, 08 Mar 2013 20:57:05 GMT)

Message #10 received at 702525@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 702525@bugs.debian.org
Subject: Re: Bug#702525: ruby1.9.1: CVE-2013-1821: entity expansion DoS vulnerability in REXML
Date: Fri, 8 Mar 2013 21:55:01 +0100
Control: tags -1 + patch

Hi

I propose the attached patch applied from upstream's svn. I can do a
NMU in case needed, but want first to have a second check on the
resulting package.

Regards,
Salvatore
[ruby1.9.1_1.9.3.194-8.1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#702525; Package src:ruby1.9.1. (Sat, 09 Mar 2013 06:39:03 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>. (Sat, 09 Mar 2013 06:39:03 GMT)

Message #15 received at 702525@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 702525@bugs.debian.org
Subject: ruby1.9.1: diff for NMU version 1.9.3.194-8.1
Date: Sat, 9 Mar 2013 07:37:32 +0100
tags 702525 + pending
thanks

Dear maintainer,

I've prepared an NMU for ruby1.9.1 (versioned as 1.9.3.194-8.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[ruby1.9.1-1.9.3.194-8.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 09 Mar 2013 06:39:04 GMT)

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 11 Mar 2013 07:06:03 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 11 Mar 2013 07:06:03 GMT)

Message #22 received at 702525-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 702525-close@bugs.debian.org
Subject: Bug#702525: fixed in ruby1.9.1 1.9.3.194-8.1
Date: Mon, 11 Mar 2013 07:02:58 +0000
Source: ruby1.9.1
Source-Version: 1.9.3.194-8.1

We believe that the bug you reported is fixed in the latest version of
ruby1.9.1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 702525@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ruby1.9.1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 08 Mar 2013 21:48:20 +0100
Source: ruby1.9.1
Binary: ruby1.9.1 libruby1.9.1 libruby1.9.1-dbg ruby1.9.1-dev libtcltk-ruby1.9.1 ruby1.9.1-examples ri1.9.1 ruby1.9.1-full ruby1.9.3
Architecture: source all amd64
Version: 1.9.3.194-8.1
Distribution: unstable
Urgency: high
Maintainer: akira yamada <akira@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libruby1.9.1 - Libraries necessary to run Ruby 1.9.1
 libruby1.9.1-dbg - Debugging symbols for Ruby 1.9.1
 libtcltk-ruby1.9.1 - Tcl/Tk interface for Ruby 1.9.1
 ri1.9.1    - Ruby Interactive reference (for Ruby 1.9.1)
 ruby1.9.1  - Interpreter of object-oriented scripting language Ruby
 ruby1.9.1-dev - Header files for compiling extension modules for the Ruby 1.9.1
 ruby1.9.1-examples - Examples for Ruby 1.9
 ruby1.9.1-full - Ruby 1.9.1 full installation
 ruby1.9.3  - Interpreter of object-oriented scripting language Ruby, version 1
Closes: 702525
Changes: 
 ruby1.9.1 (1.9.3.194-8.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add CVE-2013-1821.patch patch.
     CVE-2013-1821: Fix entity expansion DoS vulnerability in REXML. When
     reading text nodes from an XML document, the REXML parser could be
     coerced into allocating extremely large string objects which could
     consume all available memory on the system. (Closes: #702525)

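The changelog entry above describes the failure mode: a small document whose entity references expand into a huge text node. The following is an added example, not code from the bug report or from the Debian package, showing the text-expansion cap that the upstream fix exposes as REXML::Document.entity_expansion_text_limit; it assumes a Ruby with that accessor available (every release since the fix, later also mirrored under REXML::Security) and both XML inputs are constructed here.

```ruby
require "rexml/document"

# Cap on the expanded size of a single text node, in bytes. 10240 is the
# default the upstream fix introduced; newer REXML also exposes it as
# REXML::Security.entity_expansion_text_limit. A service that parses
# untrusted XML can lower it to match its real needs.
REXML::Document.entity_expansion_text_limit = 10_240

# Constructed sample: one 2 KiB entity referenced six times in a single
# text node, so the expanded text (12 KiB) exceeds the cap although the
# document itself is only about 2 KiB on the wire.
BIG_ENTITY = "x" * 2048
OVERSIZED_XML = <<~XML
  <!DOCTYPE d [ <!ENTITY big "#{BIG_ENTITY}"> ]>
  <d>&big;&big;&big;&big;&big;&big;</d>
XML

# Constructed benign sample: the same entity referenced twice (4 KiB).
BENIGN_XML = <<~XML
  <!DOCTYPE d [ <!ENTITY big "#{BIG_ENTITY}"> ]>
  <d>&big;&big;</d>
XML

# Parse untrusted XML and force expansion of the root text node.
# REXML stores text raw at parse time and expands entities lazily when
# the value is read, so the cap is enforced on the .text call (newer
# releases may already reject it while parsing; both paths raise a
# RuntimeError, which REXML::ParseException also inherits from).
# Returns [:ok, expanded_byte_length] or [:rejected, error_message].
def read_root_text(xml)
  doc = REXML::Document.new(xml)
  text = doc.root.text
  [:ok, text.bytesize]
rescue RuntimeError => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  p read_root_text(BENIGN_XML)
  p read_root_text(OVERSIZED_XML)
end
```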




Information forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#702525; Package src:ruby1.9.1. (Tue, 12 Mar 2013 11:36:03 GMT)

Acknowledgement sent to Antonio Terceiro <terceiro@debian.org>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>. (Tue, 12 Mar 2013 11:36:03 GMT)

Message #27 received at 702525@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 702525@bugs.debian.org
Subject: Re: Bug#702525: ruby1.9.1: diff for NMU version 1.9.3.194-8.1
Date: Tue, 12 Mar 2013 08:32:53 -0300
On Sat, Mar 09, 2013 at 07:37:32AM +0100, Salvatore Bonaccorso wrote:
> tags 702525 + pending
> thanks
> 
> Dear maintainer,
> 
> I've prepared an NMU for ruby1.9.1 (versioned as 1.9.3.194-8.1) and
> uploaded it to DELAYED/2. Please feel free to tell me if I
> should delay it longer.

Hello Salvatore. Unfortunately I couldn't react on time, but what
matters is that we have a fixed package thanks to you.

I have imported your patch into our git repository, so now it's
official. :-)

Thanks!

-- 
Antonio Terceiro <terceiro@debian.org>

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 07:44:11 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 20:07:01 2014; Machine Name: beach.debian.org
