The REXML module in Ruby 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7-p72, and 1.9 allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML document with recursively nested entities, aka an "XML entity explosion." This issue is severe as especially but not exclusively most Rails deployments are vulnerable to this DoS. Both upstream security and Rails staff are advising users to apply a patch immediately. There are two patches available: - A monkey patch to be applied in every application by the user [1] - A draft 'normal' patch to be applied once against the Ruby standard library [2] I suggest to apply the latter one in the ruby ebuilds. [1]: http://weblog.rubyonrails.com/2008/8/23/dos-vulnerabilities-in-rexml [2]: http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/18414
ruby team, please bump as necessary.
ruby-1.8.6_p287-r1 has this patch applied and is currently in CVS. I'll evaluate stabilizing this weekend, along with the other open ruby security bugs.
We'll handle stabling on bug 225465 as soon as appropriate.
Hans, do I understand correctly we need to bump rails to 2.0.4 / 2.1.1 so it can actually use the entity limit? http://weblog.rubyonrails.org/2008/9/5/rails-2-1-1-lots-of-bug-fixes
My understanding is that these versions of Rails contain a monkey patch for fix the REXML problem. We already have this fixed in ruby 1.8.6_p287-r1, so the monkey patch in these rails versions won't have any effect.
Updating whiteboard, fixed packages have been in the tree for some time already (see 225465). Security should vote on sending a GLSA or simply combining this issue with above mentioned other bug.
Combining with the above mentioned bug since we already have a request for that in the pool.
GLSA 200812-17, thanks everyone, sorry about the delay.
This issue was resolved and addressed in GLSA 201110-02 at http://security.gentoo.org/glsa/glsa-201110-02.xml by GLSA coordinator Alex Legler (a3li).
