Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 236060 (CVE-2008-3790) - dev-lang/ruby <1.8.6_p287-r1 REXML DoS Vulnerability (CVE-2008-3790)
Summary: dev-lang/ruby <1.8.6_p287-r1 REXML DoS Vulnerability (CVE-2008-3790)
Status: RESOLVED FIXED
Alias: CVE-2008-3790
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://www.ruby-lang.org/en/news/2008...
Whiteboard: B3? [glsa]
Keywords:
Depends on: 225465
Blocks:
  Show dependency tree
 
Reported: 2008-08-28 20:11 UTC by Alex Legler (RETIRED)
Modified: 2011-10-10 20:40 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2008-08-28 20:11:48 UTC
The REXML module in Ruby 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7-p72, and 1.9 allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML document with recursively nested entities, aka an "XML entity explosion."


This issue is severe as especially but not exclusively most Rails deployments are vulnerable to this DoS. Both upstream security and Rails staff are advising users to apply a patch immediately.

There are two patches available:
 - A monkey patch to be applied in every application by the user [1]
 - A draft 'normal' patch to be applied once against the Ruby standard library [2]

I suggest to apply the latter one in the ruby ebuilds.

[1]: http://weblog.rubyonrails.com/2008/8/23/dos-vulnerabilities-in-rexml
[2]: http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/18414
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-29 00:50:47 UTC
ruby team, please bump as necessary.
Comment 2 Hans de Graaff gentoo-dev 2008-08-29 06:26:07 UTC
ruby-1.8.6_p287-r1 has this patch applied and is currently in CVS. I'll evaluate stabilizing this weekend, along with the other open ruby security bugs.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-08-30 12:53:51 UTC
We'll handle stabling on bug 225465 as soon as appropriate.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-09-10 15:02:48 UTC
Hans, do I understand correctly we need to bump rails to 2.0.4 / 2.1.1 so it can actually use the entity limit?
http://weblog.rubyonrails.org/2008/9/5/rails-2-1-1-lots-of-bug-fixes
Comment 5 Hans de Graaff gentoo-dev 2008-09-11 05:21:56 UTC
My understanding is that these versions of Rails contain a monkey patch for fix the REXML problem. We already have this fixed in ruby 1.8.6_p287-r1, so the monkey patch in these rails versions won't have any effect.
Comment 6 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-13 16:58:31 UTC
Updating whiteboard, fixed packages have been in the tree for some time already (see 225465).
Security should vote on sending a GLSA or simply combining this issue with above mentioned other bug.
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-13 18:44:55 UTC
Combining with the above mentioned bug since we already have a request for that in the pool.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-16 21:10:51 UTC
GLSA 200812-17, thanks everyone, sorry about the delay.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2011-10-10 20:40:41 UTC
This issue was resolved and addressed in
 GLSA 201110-02 at http://security.gentoo.org/glsa/glsa-201110-02.xml
by GLSA coordinator Alex Legler (a3li).