Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 529216 (CVE-2014-8090)

Summary: <dev-lang/ruby-{1.9.3_p551,2.0.0_p598,2.1.5}: Denial Of Service XML Expansion (CVE-2014-8090)
Product: Gentoo Security Reporter: Hans de Graaff <graaff>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.ruby-lang.org/en/news/2014/11/13/rexml-dos-cve-2014-8090/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Hans de Graaff gentoo-dev Security 2014-11-14 06:41:23 UTC
Unrestricted entity expansion can lead to a DoS vulnerability in REXML, like “Entity expansion DoS vulnerability in REXML (XML bomb, CVE-2013-1821)” and “CVE-2014-8080: Parameter Entity expansion DoS vulnerability in REXML”. This vulnerability has been assigned the CVE identifier CVE-2014-8090. We strongly recommend to upgrade Ruby.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-11-23 04:39:31 UTC
CVE-2014-8090 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8090):
  The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before
  2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to
  cause a denial of service (CPU and memory consumption) a crafted XML
  document containing an empty string in an entity that is used in a large
  number of nested entity references, aka an XML Entity Expansion (XEE)
  attack.  NOTE: this vulnerability exists because of an incomplete fix for
  CVE-2013-1821 and CVE-2014-8080.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-11-23 05:39:43 UTC
All versions mentioned are in the tree. Please advise when you are ready for stabilization.
Comment 3 Hans de Graaff gentoo-dev Security 2014-11-26 07:01:29 UTC
Please test and mark stable:

=dev-lang/ruby-1.9.3_p551
=dev-lang/ruby-2.0.0_p598
Comment 4 Agostino Sarubbo gentoo-dev 2014-11-26 14:31:50 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-11-26 14:32:06 UTC
x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2014-11-26 16:59:13 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2014-11-28 14:02:22 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-11-28 14:02:39 UTC
ppc64 stable
Comment 9 Markus Meier gentoo-dev 2014-11-29 19:49:55 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-12-01 08:58:32 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-12-02 11:58:48 UTC
alpha stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-12-06 16:52:08 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Hans de Graaff gentoo-dev Security 2014-12-07 07:18:56 UTC
Cleanup done.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2014-12-07 18:59:18 UTC
Arches and Mainter(s), Thank you for your work.

Added to an existing GLSA request.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 19:24:24 UTC
This issue was resolved and addressed in
 GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml
by GLSA coordinator Sean Amoss (ackle).