780498 – (CVE-2021-28965) <dev-ruby/rexml-3.2.4, <dev-lang/ruby-{2.5.9,2.6.7,2.7.3,3.0.1}: XML round-trip vulnerability (CVE-2021-28965)

Bug 780498 (CVE-2021-28965) - <dev-ruby/rexml-3.2.4, <dev-lang/ruby-{2.5.9,2.6.7,2.7.3,3.0.1}: XML round-trip vulnerability (CVE-2021-28965)

Summary: <dev-ruby/rexml-3.2.4, <dev-lang/ruby-{2.5.9,2.6.7,2.7.3,3.0.1}: XML round-tr...

Status:	RESOLVED FIXED

Alias:	CVE-2021-28965

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://www.ruby-lang.org/en/news/202...
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2021-04-06 05:14 UTC by Hans de Graaff
Modified:	2023-09-24 07:11 UTC (History)
CC List:	1 user (show)

See Also:
Package list:	dev-lang/ruby-2.6.7-r2
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hans de Graaff gentoo-dev

2021-04-06 05:14:02 UTC

There is an XML round-trip vulnerability in REXML gem bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2021-28965. We strongly recommend upgrading the REXML gem.
Details

When parsing and serializing a crafted XML document, REXML gem (including the one bundled with Ruby) can create a wrong XML document whose structure is different from the original one. The impact of this issue highly depends on context, but it may lead to a vulnerability in some programs that are using REXML.

Please update REXML gem to version 3.2.5 or later.

Affected versions

    Ruby 2.5.8 or prior (You can NOT use gem upgrade rexml for this version.)
    Ruby 2.6.7 or prior
    Ruby 2.7.2 or prior
    Ruby 3.0.1 or prior
    REXML gem 3.2.4 or prior

Comment 1 Larry the Git Cow gentoo-dev

2021-04-06 06:14:57 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb6c6805ad382db0062aa3b51dbba9992309d8b4

commit bb6c6805ad382db0062aa3b51dbba9992309d8b4
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-04-06 06:14:46 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-04-06 06:14:53 +0000

    dev-lang/ruby: add 2.5.7, 2.6.7, 2.7.3, 3.0.1
    
    Bug: https://bugs.gentoo.org/780498
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-lang/ruby/Manifest          |   4 +
 dev-lang/ruby/ruby-2.5.9.ebuild | 246 +++++++++++++++++++++++++++++++++++++
 dev-lang/ruby/ruby-2.6.7.ebuild | 259 +++++++++++++++++++++++++++++++++++++++
 dev-lang/ruby/ruby-2.7.3.ebuild | 263 +++++++++++++++++++++++++++++++++++++++
 dev-lang/ruby/ruby-3.0.1.ebuild | 264 ++++++++++++++++++++++++++++++++++++++++
 5 files changed, 1036 insertions(+)

Comment 2 Hans de Graaff gentoo-dev

2021-04-06 06:16:28 UTC

dev-ruby/rexml-3.2.5 has also been added.

I'd like to wait a couple days before starting stabling the dev-lang/ruby versions since we introduced some other changes in the previous revisions that still need some investigation.

Comment 3 John Helmert III archtester

2021-04-06 12:54:49 UTC

(In reply to Hans de Graaff from comment #2)
> dev-ruby/rexml-3.2.5 has also been added.
> 
> I'd like to wait a couple days before starting stabling the dev-lang/ruby
> versions since we introduced some other changes in the previous revisions
> that still need some investigation.

Thanks!

Comment 4 Sam James archtester

2021-05-06 05:46:45 UTC

Ping

Comment 5 Sam James archtester

2021-06-16 20:46:11 UTC

(In reply to Sam James from comment #4)
> Ping

ping

Comment 6 NATTkA bot gentoo-dev

2021-06-22 18:20:32 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: dev-lang/ruby-2.5.9

Comment 7 Hans de Graaff gentoo-dev

2021-06-23 05:45:06 UTC

The fixed ruby versions contain unrelated changes that break json in various cases. That needs to be fixed first before we can stable these versions.

Comment 8 Hans de Graaff gentoo-dev

2021-06-26 05:31:35 UTC

(In reply to Hans de Graaff from comment #7)
> The fixed ruby versions contain unrelated changes that break json in various
> cases. That needs to be fixed first before we can stable these versions.

Fixed versions are now in the tree. Let's give them a few days before stabling them.

Comment 9 Agostino Sarubbo gentoo-dev

2021-07-01 08:22:48 UTC

amd64 stable

Comment 10 Agostino Sarubbo gentoo-dev

2021-07-01 08:23:41 UTC

ppc stable

Comment 11 Agostino Sarubbo gentoo-dev

2021-07-01 08:24:26 UTC

sparc stable

Comment 12 Agostino Sarubbo gentoo-dev

2021-07-01 08:25:34 UTC

x86 stable

Comment 13 Rolf Eike Beer archtester

2021-07-01 20:10:15 UTC

hppa stable

Comment 14 Agostino Sarubbo gentoo-dev

2021-07-02 06:28:17 UTC

ppc64 stable

Comment 15 Sam James archtester

2021-07-06 17:59:49 UTC

arm64 done

Comment 16 NATTkA bot gentoo-dev

2021-07-09 08:16:31 UTC Comment hidden (obsolete)

Unable to check for sanity:

> package masked: dev-lang/ruby-2.5.9-r1

Comment 17 NATTkA bot gentoo-dev

2021-07-10 06:56:36 UTC Comment hidden (obsolete)

All sanity-check issues have been resolved

Comment 18 Sam James archtester

2021-07-17 04:59:34 UTC

arm done

all arches done

Comment 19 Sam James archtester

2021-07-17 05:01:25 UTC

Please cleanup, thanks!

Comment 20 Larry the Git Cow gentoo-dev

2021-07-18 08:46:30 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=915ad705bf194fb1a9ee62b699689fb83499a022

commit 915ad705bf194fb1a9ee62b699689fb83499a022
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-07-18 08:46:26 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-07-18 08:46:26 +0000

    dev-lang/ruby: cleanup vulnerable versions
    
    Bug: https://bugs.gentoo.org/780498
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-lang/ruby/Manifest             |   3 -
 dev-lang/ruby/ruby-2.6.6-r4.ebuild | 258 ------------------------------------
 dev-lang/ruby/ruby-2.7.2-r2.ebuild | 261 ------------------------------------
 dev-lang/ruby/ruby-2.7.2-r3.ebuild | 263 ------------------------------------
 dev-lang/ruby/ruby-3.0.0-r3.ebuild | 262 ------------------------------------
 dev-lang/ruby/ruby-3.0.0-r4.ebuild | 262 ------------------------------------
 dev-lang/ruby/ruby-3.0.0-r5.ebuild | 264 -------------------------------------
 7 files changed, 1573 deletions(-)

Comment 21 John Helmert III archtester

2021-07-18 15:43:26 UTC

Missed 2.5.8?

Comment 22 Hans de Graaff gentoo-dev

2021-07-20 04:54:14 UTC

(In reply to John Helmert III from comment #21)
> Missed 2.5.8?

Ruby 2.5 is already masked for removal.

Comment 23 NATTkA bot gentoo-dev

2021-07-24 09:28:27 UTC

Unable to check for sanity:

> no match for package: dev-lang/ruby-2.6.7-r2