Bug 808137 - (CVE-2013-1821) VUL-1: CVE-2013-1821: ruby: entity expansion DoS vulnerability in REXML
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other / Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
maint:released:sle10-sp4:51330 maint...
Depends on:
Blocks:
Reported: 2013-03-07 17:40 UTC by Matthias Weckbecker
Modified: 2014-06-25 17:05 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
x.rb (111 bytes, text/plain)
2013-04-02 11:14 UTC, Marcus Meissner
rexml-bomb.xml (300 bytes, text/plain)
2013-04-02 11:14 UTC, Marcus Meissner

Description Matthias Weckbecker 2013-03-07 17:40:54 UTC
Quoted from [1]:

 "When reading text nodes from an XML document, the REXML parser can be coerced
  in to allocating extremely large string objects which can consume all of the
  memory on a machine, causing a denial of service.

  Impacted code will look something like this:

  document = REXML::Document.new some_xml_doc
  document.root.text

  When the `text` method is called, entities will be expanded. An attacker can
  send a relatively small XML document that, when the entities are resolved,
  will consume extreme amounts of memory on the target system.

  Note that this attack is similar to, but different from the Billion Laughs
  attack. This is also related to CVE-2013-1664 of Python.

  All users running an affected release should either upgrade or use one of the
  work arounds immediately."

[1] http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/
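Added example (not the reproducer attached to this bug, and not code from the ruby-lang advisory): the advisory's "impacted code" pattern run against a constructed entity-expansion bomb and a benign document, showing where a patched REXML aborts with the "entity expansion has grown too large" error that comment 12 expects, and how the byte budget behind it is tuned. It assumes a current Ruby with the rexml gem available; the sample documents are constructed here, and the fifth entity level is an addition of this example.

```ruby
require 'rexml/document'

# Constructed sample: the oss-security bomb quoted in this bug (&a; .. &d;).
# It expands to 8**3 * 10 = 5120 bytes, which is below REXML's default
# text-expansion budget of 10240 bytes.
DEPTH4_BOMB = <<~XML
  <!DOCTYPE bomb [
  <!ENTITY a "1234567890">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
  ]>
  <bomb>&d;</bomb>
XML

# Constructed sample: one more level (&e;, 8**4 * 10 = 40960 bytes), enough
# to exceed the default budget. A real bomb would go many levels deeper.
DEPTH5_BOMB = <<~XML
  <!DOCTYPE bomb [
  <!ENTITY a "1234567890">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
  <!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;">
  ]>
  <bomb>&e;</bomb>
XML

# Constructed sample: an ordinary document with one small internal entity.
BENIGN = <<~XML
  <!DOCTYPE note [ <!ENTITY who "world"> ]>
  <note>hello &who;</note>
XML

# The advisory's vulnerable pattern: parse, then read the root text node.
# Entities are expanded lazily, at the `text` call, so that is where the
# patched REXML raises. Returns [:ok, text] or [:rejected, message].
# `text_limit` overrides REXML::Security.entity_expansion_text_limit for this
# call only (older Ruby exposed the same knob as
# REXML::Document.entity_expansion_text_limit) and restores it afterwards.
def read_root_text(xml, text_limit: nil)
  saved = REXML::Security.entity_expansion_text_limit
  REXML::Security.entity_expansion_text_limit = text_limit if text_limit
  document = REXML::Document.new(xml)
  [:ok, document.root.text]
rescue RuntimeError => e   # REXML raises a plain RuntimeError for this abort
  [:rejected, e.message]
ensure
  REXML::Security.entity_expansion_text_limit = saved
end

if __FILE__ == $PROGRAM_NAME
  p read_root_text(BENIGN)
  status, text = read_root_text(DEPTH4_BOMB)
  puts "depth-4 bomb, default budget: #{status}, #{text.bytesize} bytes"
  p read_root_text(DEPTH4_BOMB, text_limit: 1024)
  p read_root_text(DEPTH5_BOMB)
end
```

The depth-4 bomb still passes the default budget, which is why a service that parses untrusted XML should size the limit to its own documents rather than rely on the default; lowering it to 1024 bytes rejects that document as well. The limit is global process state, so set it once at startup rather than per call in production code.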
Comment 1 Marcus Rückert 2013-03-07 23:29:45 UTC
Is that a different bug than 807044?
Comment 2 Thomas Biege 2013-03-08 15:12:42 UTC
If bnc#807044 is related to bnc#803342, then this bug is something different/new.
Comment 3 Matthias Weckbecker 2013-03-11 10:31:15 UTC
(In reply to comment #1)
> is that a different bug than 807044

This can IIRC be considered a different flaw, yes.
Comment 4 Marcus Meissner 2013-03-13 12:02:55 UTC
(reproducer)

Date: Thu, 21 Feb 2013 22:44:40 -0700
From: Kurt Seifried <kseifried@redhat.com>
Subject: [oss-security] CVEs for libxml2 and expat internal and external XML
entity expansion


So here are the CVE's for the two big ones, libxml2 and expat. Both
are affected by the expansion of internal entities (which can be used
to consume resources) and external entities (which can cause a denial
of service against other services, be used to port scan, etc.).

To be clear:

====================
Internal entity expansion refers to the exponential/quadratic/fast
linear expansion of XML entities, e.g.:
====================
<!DOCTYPE xmlbomb [
<!ENTITY a "1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<bomb>&d;</bomb>

or

<!DOCTYPE bomb [
<!ENTITY a "xxxxxxx... a couple of ten thousand chars">
]>
<bomb>&a;&a;&a;... repeat</bomb>

Which causes resources to be consumed



====================
External entity expansion refers to the loading of external resources
such as XML entities from another server or a local file:
====================
<!DOCTYPE external [
<!ENTITY ee SYSTEM "http://www.example.org/some.xml">
]>
<root>&ee;</root>


<!DOCTYPE external [
<!ENTITY ee SYSTEM "file:///PATH/TO/simple.xml">
]>
<root>&ee;</root>

Which can cause resources to be consumed or can result in port
scanning /application scanning information being sent to the attacker.
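Added example, not part of the quoted oss-security post or of this bug: a pre-parse guard for the two classes the post separates. It reads the internal DTD subset with regular expressions, sizes every internal entity from the declarations alone (memoised and cycle-safe, so nothing is ever materialised), rejects documents whose expansion would exceed a byte budget, and rejects any document that declares an external (SYSTEM or PUBLIC) entity at all. The sample documents are constructed here; quoting and declaration forms beyond those shown in the post, and parameter entities, are out of scope and are assumptions of this sketch.

```ruby
# Internal general-entity declaration: <!ENTITY name "value"> or
# <!ENTITY name 'value'>; external: <!ENTITY name SYSTEM "uri"> or
# <!ENTITY name PUBLIC "pubid" "uri">. Groups: name, dq, sq, kind, uri.
ENTITY_DECL = /<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)'|(SYSTEM|PUBLIC)\s+(?:"[^"]*"\s+)?"([^"]*)")\s*>/m
ENTITY_REF  = /&(\w+);/
# DOCTYPE with an optional internal subset captured in group 1.
DOCTYPE     = /<!DOCTYPE\b[^\[>]*(?:\[(.*?)\])?\s*>/m

# Splits the declarations into {name => value} and {name => uri}.
def parse_entities(xml)
  internal, external = {}, {}
  subset = xml[DOCTYPE, 1] || ''
  subset.scan(ENTITY_DECL) do |name, dq, sq, kind, uri|
    if kind
      external[name] = uri
    else
      internal[name] = dq || sq
    end
  end
  [internal, external]
end

# Bytes that expanding `name` would produce, computed from the declarations
# only. Undeclared names (including the predefined XML entities) are counted
# at the length of the reference itself, which never underestimates.
def expanded_size(name, internal, memo = {}, stack = [])
  return memo[name] if memo.key?(name)
  if stack.include?(name)
    raise "entity reference cycle: #{(stack + [name]).join(' -> ')}"
  end
  value = internal[name]
  return "&#{name};".bytesize unless value
  size = value.bytesize
  value.scan(ENTITY_REF).flatten.each do |ref|
    size += expanded_size(ref, internal, memo, stack + [name]) - "&#{ref};".bytesize
  end
  memo[name] = size
end

# Returns [:accept, expanded_bytes] or [:reject, reason]. The budget is a
# per-document total over every reference in the body, so the "one big
# entity referenced many times" form is caught as well as the nested one.
def check_document(xml, max_bytes: 10_240)
  internal, external = parse_entities(xml)
  unless external.empty?
    name, uri = external.first
    return [:reject, "external entity #{name} -> #{uri}"]
  end
  body = xml.sub(DOCTYPE, '')
  memo = {}
  total = 0
  body.scan(ENTITY_REF).flatten.each do |ref|
    total += expanded_size(ref, internal, memo)
    if total > max_bytes
      return [:reject, "expansion reaches #{total} bytes, over the #{max_bytes} byte budget"]
    end
  end
  [:accept, total]
rescue RuntimeError => e
  [:reject, e.message]
end

# Constructed samples: the two internal forms and the external form from
# the post, plus a reference cycle, which a naive expander would loop on.
BOMB = <<~XML
  <!DOCTYPE xmlbomb [
  <!ENTITY a "1234567890" >
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
  ]>
  <bomb>&d;</bomb>
XML

LINEAR_BOMB = <<~XML
  <!DOCTYPE bomb [
  <!ENTITY a "#{'x' * 20_000}">
  ]>
  <bomb>#{'&a;' * 8}</bomb>
XML

EXTERNAL = <<~XML
  <!DOCTYPE external [
  <!ENTITY ee SYSTEM "http://www.example.org/some.xml">
  ]>
  <root>&ee;</root>
XML

CYCLE = <<~XML
  <!DOCTYPE loop [
  <!ENTITY x "&y;">
  <!ENTITY y "&x;">
  ]>
  <root>&x;</root>
XML

if __FILE__ == $PROGRAM_NAME
  [BOMB, LINEAR_BOMB, EXTERNAL, CYCLE].each { |doc| p check_document(doc) }
end
```

The guard is a front door, not a replacement for the parser's own limits: a regular-expression scan of the DTD is only as good as the declaration forms it knows, so keep REXML's entity_expansion_text_limit in place behind it. Note also that the post's nested bomb sizes to exactly 5120 bytes, under the 10240-byte default; pick the budget from the documents you actually expect, not from the default.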
Comment 5 Marcus Rückert 2013-03-25 16:42:56 UTC
sle 10 submitted created request id 25202
Comment 6 Marcus Rückert 2013-03-25 17:03:25 UTC
sle 10 sp3 created request id 25205
Comment 7 Marcus Rückert 2013-03-25 17:23:41 UTC
sle 11 created request id 25206
Comment 8 Marcus Rückert 2013-03-26 10:46:41 UTC
opensuse: mr 161151
Comment 9 Bernhard Wiedemann 2013-03-28 14:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (808137) was mentioned in
https://build.opensuse.org/request/show/161615 Evergreen:11.2 / ruby
Comment 10 Marcus Meissner 2013-04-02 11:14:05 UTC
Created attachment 533031
x.rb

ruby sample reproducer code
Comment 11 Marcus Meissner 2013-04-02 11:14:30 UTC
Created attachment 533032
rexml-bomb.xml

sample rexml-bomb.xml file
Comment 12 Marcus Meissner 2013-04-02 11:15:05 UTC
Save both files, then run:

ruby x.rb

Something like this should be printed after the update:

/usr/lib64/ruby/1.9.1/rexml/text.rb:387:in `block in unnormalize': entity expansion has grown too large (RuntimeError)
Comment 13 Sebastian Krahmer 2013-04-03 14:20:40 UTC
released
Comment 14 Swamp Workflow Management 2013-04-03 14:26:27 UTC
Update released for: ruby, ruby-debuginfo, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 15 Swamp Workflow Management 2013-04-03 16:05:20 UTC
openSUSE-SU-2013:0603-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 803342,808137
CVE References: CVE-2013-0269,CVE-2013-1821
Sources used:
openSUSE 12.3 (src):    ruby-1.9.3-15.2.1, ruby19-1.9.3.p392-1.5.2
openSUSE 12.2 (src):    ruby-1.9.3-2.4.1, ruby19-1.9.3.p392-3.22.1
openSUSE 12.1 (src):    ruby-1.8.7.p357-2.10.1
Comment 16 Swamp Workflow Management 2013-04-03 18:13:15 UTC
openSUSE-SU-2013:0614-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 808137
CVE References: CVE-2013-1821
Sources used:
openSUSE 11.4 (src):    ruby-1.8.7.p357-0.32.1
Comment 17 Bernhard Wiedemann 2013-04-05 14:01:05 UTC
This is an autogenerated message for OBS integration:
This bug (808137) was mentioned in
https://build.opensuse.org/request/show/162841 Evergreen:11.2 / ruby
Comment 18 Marcus Meissner 2014-04-11 16:06:49 UTC
The bug is unfixed for SLE 11, as SR 25206 got declined and a fixed package was never submitted.

 25206  State:declined   By:babelworx    When:2013-03-26T15:28:38
        submit:          home:darix:ruby-rexml/ruby.SUSE_SLE-11-SP1_Update_Test  -> SUSE:SLE-11-SP1:Update:Test/ruby
        Review by Group      is accepted:  legal-auto(licensedigger)                         
        Review by Group      is accepted:  maintenance-team(leonardocf)                      
        Review by Group      is declined:  legal-team(babelworx)                             
        From: review(darix) -> review(licensedigger)
        Descr: rexml fixes
        Comment: Correct license is "Ruby", not "GPL v2 or later" 


Can you please submit a fixed ruby package :/
Comment 20 Swamp Workflow Management 2014-04-15 08:53:34 UTC
The SWAMPID for this issue is 57029.
This issue was rated as moderate.
Please submit fixed packages until 2014-04-29.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 21 SMASH SMASH 2014-04-15 08:55:16 UTC
Affected packages:

SLE-11-SP3: ruby
SLE-11-SP1: ruby
Comment 22 Marcus Meissner 2014-05-20 16:25:14 UTC
released
Comment 23 Swamp Workflow Management 2014-05-20 19:05:33 UTC
Update released for: ruby, ruby-debuginfo, ruby-debugsource, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk
Products:
SLE-DEBUGINFO 11-SP1-TERADATA (x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 24 Swamp Workflow Management 2014-05-20 23:54:47 UTC
Update released for: ruby, ruby-debuginfo, ruby-debugsource, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 25 Swamp Workflow Management 2014-05-21 03:05:03 UTC
SUSE-SU-2014:0689-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 808137
CVE References: CVE-2013-1821
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    ruby-1.8.7.p357-0.9.15.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    ruby-1.8.7.p357-0.9.15.1
SUSE Linux Enterprise Server 11 SP3 (src):    ruby-1.8.7.p357-0.9.15.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    ruby-1.8.7.p357-0.9.15.1
Comment 26 Swamp Workflow Management 2014-06-25 13:47:50 UTC
Update released for: ruby, ruby-debuginfo, ruby-debugsource, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
Comment 27 Swamp Workflow Management 2014-06-25 13:49:12 UTC
Update released for: ruby, ruby-debuginfo, ruby-debugsource, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk
Products:
SLE-DEBUGINFO 11-SP2 (i386, s390x, x86_64)
SLE-SERVER 11-SP2-LTSS (i386, s390x, x86_64)
Comment 28 Swamp Workflow Management 2014-06-25 17:04:28 UTC
SUSE-SU-2014:0843-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 808137,827265,851803
CVE References: CVE-2013-1821,CVE-2013-4073,CVE-2013-4164
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    ruby-1.8.7.p357-0.9.15.6
Comment 29 Swamp Workflow Management 2014-06-25 17:05:22 UTC
SUSE-SU-2014:0844-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 783525,808137,827265,851803
CVE References: CVE-2012-4481,CVE-2013-1821,CVE-2013-4073,CVE-2013-4164
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    ruby-1.8.7.p357-0.9.15.6