Bug 780498 (CVE-2021-28965) - <dev-ruby/rexml-3.2.4, <dev-lang/ruby-{2.5.9,2.6.7,2.7.3,3.0.1}: XML round-trip vulnerability (CVE-2021-28965)
Status: IN_PROGRESS
Alias: CVE-2021-28965
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.ruby-lang.org/en/news/202...
Whiteboard: B4 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-06 05:14 UTC by Hans de Graaff
Modified: 2021-10-17 19:19 UTC

See Also:
Package list:
dev-lang/ruby-2.6.7-r2
Runtime testing required: ---
nattka: sanity-check-


Attachments

Description Hans de Graaff gentoo-dev 2021-04-06 05:14:02 UTC
There is an XML round-trip vulnerability in the REXML gem bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2021-28965. We strongly recommend upgrading the REXML gem.
Details

When parsing and serializing a crafted XML document, REXML gem (including the one bundled with Ruby) can create a wrong XML document whose structure is different from the original one. The impact of this issue highly depends on context, but it may lead to a vulnerability in some programs that are using REXML.

Please update the REXML gem to version 3.2.5 or later.

Affected versions

    Ruby 2.5.8 or prior (You can NOT use gem upgrade rexml for this version.)
    Ruby 2.6.7 or prior
    Ruby 2.7.2 or prior
    Ruby 3.0.1 or prior
    REXML gem 3.2.4 or prior
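The advisory above says the fault shows up as a document whose structure changes after REXML parses and re-serializes it. The following Ruby script is an added example (not code from this bug, from Ruby upstream or from the REXML gem) that gives an administrator two checks: whether the loaded REXML is at or above the 3.2.5 release the advisory names, and whether a given document keeps the same element/attribute/text structure across a parse, serialize, parse cycle. The helper names (rexml_fixed?, shape, round_trip_consistent?, round_trip_results) and the sample documents are this example's own constructions; the advisory does not publish the crafted input, so no attempt is made to reproduce it here.

```ruby
require "rubygems"
require "rexml/document"

# Fixed release named in the advisory; earlier REXML releases are affected.
FIXED_REXML_VERSION = Gem::Version.new("3.2.5")

# True when the given (default: currently loaded) REXML version is at or
# above the fixed release.
def rexml_fixed?(version = REXML::VERSION)
  Gem::Version.new(version) >= FIXED_REXML_VERSION
end

# Reduce a REXML node tree to plain Ruby data capturing what a consumer of
# the document relies on: element names, attributes (sorted), text, CDATA
# and comments. Declarations and processing instructions are ignored.
# (Helper name and representation are this example's own, not REXML API.)
def shape(node)
  case node
  when REXML::Document
    node.children.map { |child| shape(child) }.compact
  when REXML::Element
    attrs = []
    node.attributes.each_attribute { |a| attrs << [a.expanded_name, a.value] }
    [:element, node.expanded_name, attrs.sort,
     node.children.map { |child| shape(child) }.compact]
  when REXML::CData # must come before REXML::Text: CData is a Text subclass
    [:cdata, node.value]
  when REXML::Text
    [:text, node.value]
  when REXML::Comment
    [:comment, node.string]
  else
    nil
  end
end

# Parse, serialize with REXML's default formatter, parse the output again,
# and report whether the structure survived. A false result is the kind of
# round-trip mismatch the advisory describes.
def round_trip_consistent?(xml)
  original = REXML::Document.new(xml)
  reparsed = REXML::Document.new(original.to_s)
  shape(original) == shape(reparsed)
end

# Constructed sample documents (not from the advisory) exercising entity
# escapes, both quote styles in attributes, CDATA, comments and
# whitespace-only text nodes. All are expected to round-trip cleanly.
SAMPLE_DOCUMENTS = {
  "plain"      => "<root><item id='1'>hello</item></root>",
  "escapes"    => "<root a=\"x &amp; y\"><t>1 &lt; 2 &gt; 0</t></root>",
  "quotes"     => "<root q='say &quot;hi&quot;' r=\"it&apos;s\"/>",
  "cdata"      => "<root><!-- note --><![CDATA[<raw> & stuff]]></root>",
  "whitespace" => "<root>\n  <a/>\n  <b x='y'>\t</b>\n</root>",
}.freeze

# Run every sample through the round-trip check; returns {name => boolean}.
def round_trip_results(documents = SAMPLE_DOCUMENTS)
  documents.each_with_object({}) do |(name, xml), results|
    results[name] = round_trip_consistent?(xml)
  end
end

if $PROGRAM_NAME == __FILE__
  status = rexml_fixed? ? "fixed" : "VULNERABLE (< #{FIXED_REXML_VERSION})"
  puts "REXML #{REXML::VERSION}: #{status}"
  round_trip_results.each do |name, ok|
    puts "#{name.ljust(12)} #{ok ? 'ok' : 'MISMATCH'}"
  end
end
```

The version check is the authoritative one for this CVE; the structural comparison is a regression-style check you can feed your own untrusted documents into, since the mismatch depends on the input and a clean result on these samples does not prove a given REXML release is unaffected.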
Comment 1 Larry the Git Cow gentoo-dev 2021-04-06 06:14:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb6c6805ad382db0062aa3b51dbba9992309d8b4

commit bb6c6805ad382db0062aa3b51dbba9992309d8b4
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-04-06 06:14:46 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-04-06 06:14:53 +0000

    dev-lang/ruby: add 2.5.7, 2.6.7, 2.7.3, 3.0.1
    
    Bug: https://bugs.gentoo.org/780498
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-lang/ruby/Manifest          |   4 +
 dev-lang/ruby/ruby-2.5.9.ebuild | 246 +++++++++++++++++++++++++++++++++++++
 dev-lang/ruby/ruby-2.6.7.ebuild | 259 +++++++++++++++++++++++++++++++++++++++
 dev-lang/ruby/ruby-2.7.3.ebuild | 263 +++++++++++++++++++++++++++++++++++++++
 dev-lang/ruby/ruby-3.0.1.ebuild | 264 ++++++++++++++++++++++++++++++++++++++++
 5 files changed, 1036 insertions(+)
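Review bot: the summary line says "add 2.5.7" but the diffstat adds dev-lang/ruby/ruby-2.5.9.ebuild and no 2.5.7 file; the message should read "add 2.5.9, 2.6.7, 2.7.3, 3.0.1" so it matches the files added and the bug summary (<dev-lang/ruby-2.5.9).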
Comment 2 Hans de Graaff gentoo-dev 2021-04-06 06:16:28 UTC
dev-ruby/rexml-3.2.5 has also been added.

I'd like to wait a couple days before starting stabling the dev-lang/ruby versions since we introduced some other changes in the previous revisions that still need some investigation.
Comment 3 John Helmert III gentoo-dev Security 2021-04-06 12:54:49 UTC
(In reply to Hans de Graaff from comment #2)
> dev-ruby/rexml-3.2.5 has also been added.
> 
> I'd like to wait a couple days before starting stabling the dev-lang/ruby
> versions since we introduced some other changes in the previous revisions
> that still need some investigation.

Thanks!
Comment 4 Sam James archtester gentoo-dev Security 2021-05-06 05:46:45 UTC
Ping
Comment 5 Sam James archtester gentoo-dev Security 2021-06-16 20:46:11 UTC
(In reply to Sam James from comment #4)
> Ping

ping
Comment 6 NATTkA bot gentoo-dev 2021-06-22 18:20:32 UTC Comment hidden (obsolete)
Comment 7 Hans de Graaff gentoo-dev 2021-06-23 05:45:06 UTC
The fixed ruby versions contain unrelated changes that break json in various cases. That needs to be fixed first before we can stable these versions.
Comment 8 Hans de Graaff gentoo-dev 2021-06-26 05:31:35 UTC
(In reply to Hans de Graaff from comment #7)
> The fixed ruby versions contain unrelated changes that break json in various
> cases. That needs to be fixed first before we can stable these versions.

Fixed versions are now in the tree. Let's give them a few days before stabling them.
Comment 9 Agostino Sarubbo gentoo-dev 2021-07-01 08:22:48 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2021-07-01 08:23:41 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2021-07-01 08:24:26 UTC
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2021-07-01 08:25:34 UTC
x86 stable
Comment 13 Rolf Eike Beer archtester 2021-07-01 20:10:15 UTC
hppa stable
Comment 14 Agostino Sarubbo gentoo-dev 2021-07-02 06:28:17 UTC
ppc64 stable
Comment 15 Sam James archtester gentoo-dev Security 2021-07-06 17:59:49 UTC
arm64 done
Comment 16 NATTkA bot gentoo-dev 2021-07-09 08:16:31 UTC Comment hidden (obsolete)
Comment 17 NATTkA bot gentoo-dev 2021-07-10 06:56:36 UTC Comment hidden (obsolete)
Comment 18 Sam James archtester gentoo-dev Security 2021-07-17 04:59:34 UTC
arm done

all arches done
Comment 19 Sam James archtester gentoo-dev Security 2021-07-17 05:01:25 UTC
Please cleanup, thanks!
Comment 20 Larry the Git Cow gentoo-dev 2021-07-18 08:46:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=915ad705bf194fb1a9ee62b699689fb83499a022

commit 915ad705bf194fb1a9ee62b699689fb83499a022
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-07-18 08:46:26 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-07-18 08:46:26 +0000

    dev-lang/ruby: cleanup vulnerable versions
    
    Bug: https://bugs.gentoo.org/780498
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-lang/ruby/Manifest             |   3 -
 dev-lang/ruby/ruby-2.6.6-r4.ebuild | 258 ------------------------------------
 dev-lang/ruby/ruby-2.7.2-r2.ebuild | 261 ------------------------------------
 dev-lang/ruby/ruby-2.7.2-r3.ebuild | 263 ------------------------------------
 dev-lang/ruby/ruby-3.0.0-r3.ebuild | 262 ------------------------------------
 dev-lang/ruby/ruby-3.0.0-r4.ebuild | 262 ------------------------------------
 dev-lang/ruby/ruby-3.0.0-r5.ebuild | 264 -------------------------------------
 7 files changed, 1573 deletions(-)
Comment 21 John Helmert III gentoo-dev Security 2021-07-18 15:43:26 UTC
Missed 2.5.8?
Comment 22 Hans de Graaff gentoo-dev 2021-07-20 04:54:14 UTC
(In reply to John Helmert III from comment #21)
> Missed 2.5.8?

Ruby 2.5 is already masked for removal.
Comment 23 NATTkA bot gentoo-dev 2021-07-24 09:28:27 UTC
Unable to check for sanity:

> no match for package: dev-lang/ruby-2.6.7-r2