Debian Bug report logs - #702526
ruby1.8: CVE-2013-1821: entity expansion DoS vulnerability in REXML


Package: src:ruby1.8; Maintainer for src:ruby1.8 is akira yamada <akira@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 7 Mar 2013 19:27:02 UTC

Severity: grave

Tags: patch, security, upstream

Fixed in version ruby1.8/1.8.7.358-7

Done: Lucas Nussbaum <lucas@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, akira yamada <akira@debian.org>:
Bug#702526; Package src:ruby1.8. (Thu, 07 Mar 2013 19:27:04 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, akira yamada <akira@debian.org>. (Thu, 07 Mar 2013 19:27:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby1.8: CVE-2013-1821: entity expansion DoS vulnerability in REXML
Date: Thu, 07 Mar 2013 20:26:13 +0100
Source: ruby1.8
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for ruby.

CVE-2013-1821[0]:
entity expansion DoS vulnerability in REXML

More details are explained in the upstream announcement[1]. Patches (for
ruby1.9.1) are committed to svn with revision r39384[2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1821
    http://security-tracker.debian.org/tracker/CVE-2013-1821
[1] http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/
[2] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=39384

Could you double-check that ruby1.8 is also affected by this issue and adjust
versions in the BTS as needed?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#702526; Package src:ruby1.8. (Sat, 09 Mar 2013 13:03:03 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>. (Sat, 09 Mar 2013 13:03:03 GMT)

Message #10 received at 702526@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 702526@bugs.debian.org
Subject: Re: Bug#702526: ruby1.8: CVE-2013-1821: entity expansion DoS vulnerability in REXML
Date: Sat, 9 Mar 2013 14:01:24 +0100
Control: tags -1 + patch

Hi

Attached is a proposed debdiff, based also on the changes done for
ruby1.9.1. But there is one thing which might be sorted out first:

The binary debdiff shows:

----cut---------cut---------cut---------cut---------cut---------cut-----
ri1.8:

[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-------------------------------------
-rw-r--r--  root/root   /usr/share/ri/1.8/system/IRB/Context/_set_last_value-i.yaml
-rw-r--r--  root/root   /usr/share/ri/1.8/system/IRB/WorkSpace/__evaluate__-i.yaml
-rw-r--r--  root/root   /usr/share/ri/1.8/system/REXML/Document/entity_expansion_text_limit%3d-c.yaml
-rw-r--r--  root/root   /usr/share/ri/1.8/system/REXML/Document/entity_expansion_text_limit-c.yaml
-rw-r--r--  root/root   /usr/share/ri/1.8/system/REXML/Text/expand-c.yaml

Files in first .deb but not in second
-------------------------------------
-rw-r--r--  root/root   /usr/share/ri/1.8/system/RSS/Rss/Channel/Item/_setup_maker_element-i.yaml
----cut---------cut---------cut---------cut---------cut---------cut-----

Regards,
Salvatore
[ruby1.8_1.8.7.358-6.1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#702526; Package src:ruby1.8. (Tue, 12 Mar 2013 08:12:06 GMT)

Acknowledgement sent to Lucas Nussbaum <lucas@debian.org>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>. (Tue, 12 Mar 2013 08:12:06 GMT)

Message #15 received at 702526@bugs.debian.org:

From: Lucas Nussbaum <lucas@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 702526@bugs.debian.org
Subject: Re: Bug#702526: ruby1.8: CVE-2013-1821: entity expansion DoS vulnerability in REXML
Date: Tue, 12 Mar 2013 09:07:26 +0100
On 09/03/13 at 14:01 +0100, Salvatore Bonaccorso wrote:
> Control: tags -1 + patch
> 
> Hi
> 
> Attached is a proposed debdiff, based also on the changes done for
> ruby1.9.1. But there is one thing which might be sorted out first:
> 
> The binary debdiff shows:
> 
> ----cut---------cut---------cut---------cut---------cut---------cut-----
> ri1.8:
> 
> [The following lists of changes regard files as different if they have
> different names, permissions or owners.]
> 
> Files in second .deb but not in first
> -------------------------------------
> -rw-r--r--  root/root   /usr/share/ri/1.8/system/IRB/Context/_set_last_value-i.yaml
> -rw-r--r--  root/root   /usr/share/ri/1.8/system/IRB/WorkSpace/__evaluate__-i.yaml
> -rw-r--r--  root/root   /usr/share/ri/1.8/system/REXML/Document/entity_expansion_text_limit%3d-c.yaml
> -rw-r--r--  root/root   /usr/share/ri/1.8/system/REXML/Document/entity_expansion_text_limit-c.yaml
> -rw-r--r--  root/root   /usr/share/ri/1.8/system/REXML/Text/expand-c.yaml
> 
> Files in first .deb but not in second
> -------------------------------------
> -rw-r--r--  root/root   /usr/share/ri/1.8/system/RSS/Rss/Channel/Item/_setup_maker_element-i.yaml
> ----cut---------cut---------cut---------cut---------cut---------cut-----

Strange, I don't reproduce this:
Files in second .changes but not in first
-----------------------------------------
-rw-r--r--  root/root /usr/share/ri/1.8/system/REXML/Document/entity_expansion_text_limit%3d-c.yaml
-rw-r--r--  root/root /usr/share/ri/1.8/system/REXML/Document/entity_expansion_text_limit-c.yaml
-rw-r--r--  root/root /usr/share/ri/1.8/system/REXML/Text/expand-c.yaml

(but not the others)

I'm not sure what went wrong for you. In any case, those files are
rather harmless: they are used by ri, Ruby's documentation system, so
the impact would be missing documentation for obscure methods.

I tested the patch manually using the test case that is also added to
the test suite. I also diffed the build logs. Everything is fine. I'm
uploading this.

I'm uploading the fixed package. Thanks a lot, Salvatore!

Lucas



Reply sent to Lucas Nussbaum <lucas@debian.org>:
You have taken responsibility. (Tue, 12 Mar 2013 08:51:05 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 12 Mar 2013 08:51:05 GMT)

Message #20 received at 702526-close@bugs.debian.org:

From: Lucas Nussbaum <lucas@debian.org>
To: 702526-close@bugs.debian.org
Subject: Bug#702526: fixed in ruby1.8 1.8.7.358-7
Date: Tue, 12 Mar 2013 08:47:53 +0000
Source: ruby1.8
Source-Version: 1.8.7.358-7

We believe that the bug you reported is fixed in the latest version of
ruby1.8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 702526@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lucas Nussbaum <lucas@debian.org> (supplier of updated ruby1.8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Tue, 12 Mar 2013 08:34:11 +0100
Source: ruby1.8
Binary: ruby1.8 libruby1.8 libruby1.8-dbg ruby1.8-dev libtcltk-ruby1.8 ruby1.8-examples ri1.8 ruby1.8-full
Architecture: source all amd64
Version: 1.8.7.358-7
Distribution: unstable
Urgency: high
Maintainer: akira yamada <akira@debian.org>
Changed-By: Lucas Nussbaum <lucas@debian.org>
Description: 
 libruby1.8 - Libraries necessary to run Ruby 1.8
 libruby1.8-dbg - Debugging symbols for Ruby 1.8
 libtcltk-ruby1.8 - Tcl/Tk interface for Ruby 1.8
 ri1.8      - Ruby Interactive reference (for Ruby 1.8)
 ruby1.8    - Interpreter of object-oriented scripting language Ruby 1.8
 ruby1.8-dev - Header files for compiling extension modules for the Ruby 1.8
 ruby1.8-examples - Examples for Ruby 1.8
 ruby1.8-full - Ruby 1.8 full installation
Closes: 702526
Changes: 
 ruby1.8 (1.8.7.358-7) unstable; urgency=high
 .
   [ Salvatore Bonaccorso ]
   * Add CVE-2013-1821.patch patch.
     CVE-2013-1821: Fix entity expansion DoS vulnerability in REXML. When
     reading text nodes from an XML document, the REXML parser could be
     coerced into allocating extremely large string objects which could
     consume all available memory on the system. (Closes: #702526)
 .
   [ Lucas Nussbaum ]
   * Reviewed and tested Salvatore's patch.


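The changelog above describes the bug (text nodes whose entity references expand into huge strings) and the ri file list in message #10 shows the knob the fix adds, `REXML::Document.entity_expansion_text_limit`. The following is an added example, not code from the bug report, the debdiff or the Ruby project: it parses a small constructed document (a two-level entity chain that expands to 2048 bytes) once under the default limit and once under a tightened one, to verify that a deployed REXML enforces the limit.

```ruby
require 'rexml/document'

# Constructed test document: a short chain of internal entities, small
# enough to be harmless but large enough to exercise the text limit.
# &a; is 64 bytes, &b; is 8 x &a; (512 bytes), and the text node holds
# 4 x &b;, so it expands to 2048 bytes.
SAMPLE_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE doc [
    <!ENTITY a "#{'x' * 64}">
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
  ]>
  <doc>&b;&b;&b;&b;</doc>
XML

# Parse +xml+ with REXML::Document.entity_expansion_text_limit set to
# +limit+ bytes (the class-level setter added by the CVE-2013-1821 fix),
# then read the root text node, which is where entity expansion happens.
# Returns [:ok, expanded_bytesize] or [:rejected, error_message].
# The previous limit is always restored so other code is unaffected.
def parse_text_with_limit(xml, limit)
  previous = REXML::Document.entity_expansion_text_limit
  REXML::Document.entity_expansion_text_limit = limit
  begin
    text = REXML::Document.new(xml).root.text
    [:ok, text.bytesize]
  rescue RuntimeError => e
    # REXML raises "entity expansion has grown too large" once the
    # expanded text exceeds the limit (REXML::ParseException, which newer
    # versions may wrap it in, is also a RuntimeError subclass).
    [:rejected, e.message]
  ensure
    REXML::Document.entity_expansion_text_limit = previous
  end
end

if __FILE__ == $PROGRAM_NAME
  p parse_text_with_limit(SAMPLE_XML, 10_240) # default limit: accepted
  p parse_text_with_limit(SAMPLE_XML, 1_024)  # tightened limit: rejected
end
```

On an unpatched 1.8.7.358-6 the setter does not exist and the script fails with NoMethodError, which is itself a quick way to tell a fixed interpreter from an unfixed one.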


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 10 Apr 2013 07:26:45 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 19:18:44 2014; Machine Name: buxtehude.debian.org
