Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 236060 (CVE-2008-3790)

Summary: dev-lang/ruby <1.8.6_p287-r1 REXML DoS Vulnerability (CVE-2008-3790)
Product: Gentoo Security Reporter: Alex Legler (RETIRED) <a3li>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ruby
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/
Whiteboard: B3? [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 225465    
Bug Blocks:    

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2008-08-28 20:11:48 UTC 
The REXML module in Ruby 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7-p72, and 1.9 allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML document with recursively nested entities, aka an "XML entity explosion."


This issue is severe as especially but not exclusively most Rails deployments are vulnerable to this DoS. Both upstream security and Rails staff are advising users to apply a patch immediately.

There are two patches available:
 - A monkey patch to be applied in every application by the user [1]
 - A draft 'normal' patch to be applied once against the Ruby standard library [2]

I suggest to apply the latter one in the ruby ebuilds.

[1]: http://weblog.rubyonrails.com/2008/8/23/dos-vulnerabilities-in-rexml
[2]: http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/18414
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-29 00:50:47 UTC 
ruby team, please bump as necessary.
Comment 2 Hans de Graaff gentoo-dev Security 2008-08-29 06:26:07 UTC 
ruby-1.8.6_p287-r1 has this patch applied and is currently in CVS. I'll evaluate stabilizing this weekend, along with the other open ruby security bugs.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-08-30 12:53:51 UTC 
We'll handle stabling on bug 225465 as soon as appropriate.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-09-10 15:02:48 UTC 
Hans, do I understand correctly we need to bump rails to 2.0.4 / 2.1.1 so it can actually use the entity limit?
http://weblog.rubyonrails.org/2008/9/5/rails-2-1-1-lots-of-bug-fixes
Comment 5 Hans de Graaff gentoo-dev Security 2008-09-11 05:21:56 UTC 
My understanding is that these versions of Rails contain a monkey patch for fix the REXML problem. We already have this fixed in ruby 1.8.6_p287-r1, so the monkey patch in these rails versions won't have any effect.
Comment 6 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-13 16:58:31 UTC 
Updating whiteboard, fixed packages have been in the tree for some time already (see 225465).
Security should vote on sending a GLSA or simply combining this issue with above mentioned other bug.
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-13 18:44:55 UTC 
Combining with the above mentioned bug since we already have a request for that in the pool.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-16 21:10:51 UTC 
GLSA 200812-17, thanks everyone, sorry about the delay.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2011-10-10 20:40:41 UTC 
This issue was resolved and addressed in
 GLSA 201110-02 at http://security.gentoo.org/glsa/glsa-201110-02.xml
by GLSA coordinator Alex Legler (a3li).