Bugzilla – Bug 808137
VUL-1: CVE-2013-1821: ruby: entity expansion DoS vulnerability in REXML
Last modified: 2014-06-25 17:05:22 UTC
Quoted from [1]:

"When reading text nodes from an XML document, the REXML parser can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service. Impacted code will look something like this:

  document = REXML::Document.new some_xml_doc
  document.root.text

When the `text` method is called, entities will be expanded. An attacker can send a relatively small XML document that, when the entities are resolved, will consume extreme amounts of memory on the target system. Note that this attack is similar to, but different from the Billion Laughs attack. This is also related to CVE-2013-1664 of Python. All users running an affected release should either upgrade or use one of the workarounds immediately."

[1] http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/
Is that a different bug than 807044?
If bnc#807044 is related to bnc#803342, then this bug is something different/new.
(In reply to comment #1)
> is that a different bug than 807044
This can IIRC be considered a different flaw, yes.
(reproducer)

Date: Thu, 21 Feb 2013 22:44:40 -0700
From: Kurt Seifried <kseifried@redhat.com>
Subject: [oss-security] CVEs for libxml2 and expat internal and external XML entity expansion

So here are the CVEs for the two big ones, libxml2 and expat. Both are affected by the expansion of internal entities (which can be used to consume resources) and external entities (which can cause a denial of service against other services, be used to port scan, etc.).

To be clear:

====================
Internal entity expansion refers to the exponential/quadratic/fast linear expansion of XML entities, e.g.:
====================

<!DOCTYPE xmlbomb [
  <!ENTITY a "1234567890" >
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<bomb>&d;</bomb>

or

<!DOCTYPE bomb [
  <!ENTITY a "xxxxxxx... a couple of ten thousand chars">
]>
<bomb>&a;&a;&a;... repeat</bomb>

Which causes resources to be consumed

====================
External entity expansion refers to the loading of external resources such as XML entities from another server or a local file:
====================

<!DOCTYPE external [
  <!ENTITY ee SYSTEM "http://www.example.org/some.xml">
]>
<root>&ee;</root>

<!DOCTYPE external [
  <!ENTITY ee SYSTEM "file:///PATH/TO/simple.xml">
]>
<root>&ee;</root>

Which can cause resources to be consumed or can result in port scanning /application scanning information being sent to the attacker.
sle 10 submitted created request id 25202
sle 10 sp3 created request id 25205
sle 11 created request id 25206
opensuse: mr 161151
This is an autogenerated message for OBS integration: This bug (808137) was mentioned in https://build.opensuse.org/request/show/161615 Evergreen:11.2 / ruby
Created attachment 533031 [details] x.rb ruby sample reproducer code
Created attachment 533032 [details] rexml-bomb.xml sample rexml-bomb.xml file
Save both files and run:

  ruby x.rb

Something like this should be printed after update:

  /usr/lib64/ruby/1.9.1/rexml/text.rb:387:in `block in unnormalize': entity expansion has grown too large (RuntimeError)
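The reproduction above depends on the x.rb attachment, which is not shown on this page. What follows is an added example, not that attachment and not code from ruby-lang.org or SUSE: it builds the two payload shapes from the oss-security post quoted earlier in this bug inline (a nested entity chain, and many references to a one-byte entity), shows that REXML::Document.new succeeds for both because nothing is expanded until `text` is called, and shows which of REXML's two guards stops each payload. It assumes REXML's default limits, 10240 bytes of expanded text per node (the CVE-2013-1821 fix) and 10000 expansions per document (the older Billion Laughs guard), and the `entity_expansion_text_limit` accessor on REXML::Document (Ruby 1.9.3p392) or REXML::Security (newer REXML); the payload sizes and the 1024-byte limit used for hardening are constructed for the demonstration.

```ruby
require 'rexml/document'

# Added example (not the x.rb attachment from this bug). The payloads below are
# constructed in the style of the oss-security post quoted earlier in the bug;
# the limits referred to (10240 bytes of expanded text, 10000 expansions) are
# REXML's defaults after the CVE-2013-1821 fix and the earlier Billion Laughs fix.

# Nested declarations: each entity references the previous one eight times, so a
# single &d; expands to 10 * 8**3 = 5120 bytes. Every extra level multiplies by 8.
ENTITY_DECLS = <<~DTD
  <!DOCTYPE bomb [
    <!ENTITY a "1234567890">
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
    <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
  ]>
DTD

# 5120 expanded bytes: below the default entity_expansion_text_limit, so allowed.
SMALL_BOMB = ENTITY_DECLS + "<bomb>&d;</bomb>\n"

# 3 * 5120 = 15360 expanded bytes from a document of about 300 bytes: the
# CVE-2013-1821 pattern. A fixed REXML raises "entity expansion has grown too
# large" on the third reference instead of building the string.
BIG_BOMB = ENTITY_DECLS + "<bomb>&d;&d;&d;</bomb>\n"

# Many references to a one-byte entity: the expanded text stays under 10240 bytes,
# but the number of expansions crosses the older Billion Laughs guard
# (entity_expansion_limit, 10000 by default).
LINEAR_BOMB = "<!DOCTYPE bomb [ <!ENTITY a \"x\"> ]>\n<bomb>" + ("&a;" * 10_001) + "</bomb>\n"

# Both limits are process-wide. Ruby 1.9.3p392 exposed them on REXML::Document;
# newer REXML exposes them on REXML::Security and keeps the Document methods
# as forwarders, so either name works for the setter below.
LIMIT_OWNER = defined?(REXML::Security) ? REXML::Security : REXML::Document

# Parsing alone is cheap: REXML stores the entity table and the raw "&d;" text,
# so even BIG_BOMB yields a document with a root element.
def root_name(xml)
  REXML::Document.new(xml).root.name
end

# The expansion happens here: Element#text -> Text#value -> Text.unnormalize,
# which resolves each reference through DocType#entity.
def expanded_text(xml)
  REXML::Document.new(xml).root.text
end

# Returns the RuntimeError message REXML raises when a guard trips, nil otherwise.
def expansion_error(xml)
  expanded_text(xml)
  nil
rescue RuntimeError => e
  e.message
end

# Hardening for untrusted input: lower the byte limit for the duration of a block
# and restore it afterwards, because the setting is global to the process.
def with_text_limit(limit)
  previous = LIMIT_OWNER.entity_expansion_text_limit
  LIMIT_OWNER.entity_expansion_text_limit = limit
  yield
ensure
  LIMIT_OWNER.entity_expansion_text_limit = previous
end

if __FILE__ == $0
  puts "parse only (big bomb): root=#{root_name(BIG_BOMB)}"
  puts "small bomb:            #{expanded_text(SMALL_BOMB).bytesize} bytes expanded"
  puts "big bomb:              #{expansion_error(BIG_BOMB)}"
  puts "linear bomb:           #{expansion_error(LINEAR_BOMB)}"
  puts "small bomb @ 1024:     #{with_text_limit(1024) { expansion_error(SMALL_BOMB) }}"
end
```

On a fixed Ruby the big and linear bombs are refused with the RuntimeError messages quoted in the comment above, while the small one expands to 5120 bytes; lowering `entity_expansion_text_limit` to 1024 makes the small one fail too. The 10240-byte default is a per-text-node budget, not a per-document one, so an application that calls `text` on many elements of attacker-controlled XML should also cap the size of the input it accepts.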
released
Update released for: ruby, ruby-debuginfo, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk Products: SLE-DESKTOP 10-SP4 (i386, x86_64) SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
openSUSE-SU-2013:0603-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 803342,808137
CVE References: CVE-2013-0269,CVE-2013-1821
Sources used:
openSUSE 12.3 (src): ruby-1.9.3-15.2.1, ruby19-1.9.3.p392-1.5.2
openSUSE 12.2 (src): ruby-1.9.3-2.4.1, ruby19-1.9.3.p392-3.22.1
openSUSE 12.1 (src): ruby-1.8.7.p357-2.10.1
openSUSE-SU-2013:0614-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 808137
CVE References: CVE-2013-1821
Sources used:
openSUSE 11.4 (src): ruby-1.8.7.p357-0.32.1
This is an autogenerated message for OBS integration: This bug (808137) was mentioned in https://build.opensuse.org/request/show/162841 Evergreen:11.2 / ruby
The bug is unfixed for SLE 11, as SR 25206 got declined and a fixed package was never submitted.

25206 State:declined By:babelworx When:2013-03-26T15:28:38
submit: home:darix:ruby-rexml/ruby.SUSE_SLE-11-SP1_Update_Test -> SUSE:SLE-11-SP1:Update:Test/ruby
Review by Group is accepted: legal-auto(licensedigger)
Review by Group is accepted: maintenance-team(leonardocf)
Review by Group is declined: legal-team(babelworx)
From: review(darix) -> review(licensedigger)
Descr: rexml fixes
Comment: Correct license is "Ruby", not "GPL v2 or later"

Can you please submit a fixed ruby package :/
The SWAMPID for this issue is 57029. This issue was rated as moderate. Please submit fixed packages until 2014-04-29. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Affected packages: SLE-11-SP3: ruby SLE-11-SP1: ruby
Update released for: ruby, ruby-debuginfo, ruby-debugsource, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk Products: SLE-DEBUGINFO 11-SP1-TERADATA (x86_64) SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: ruby, ruby-debuginfo, ruby-debugsource, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP3 (i386, x86_64) SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64)
SUSE-SU-2014:0689-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 808137
CVE References: CVE-2013-1821
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): ruby-1.8.7.p357-0.9.15.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): ruby-1.8.7.p357-0.9.15.1
SUSE Linux Enterprise Server 11 SP3 (src): ruby-1.8.7.p357-0.9.15.1
SUSE Linux Enterprise Desktop 11 SP3 (src): ruby-1.8.7.p357-0.9.15.1
Update released for: ruby, ruby-debuginfo, ruby-debugsource, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk Products: SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64) SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
Update released for: ruby, ruby-debuginfo, ruby-debugsource, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk Products: SLE-DEBUGINFO 11-SP2 (i386, s390x, x86_64) SLE-SERVER 11-SP2-LTSS (i386, s390x, x86_64)
SUSE-SU-2014:0843-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 808137,827265,851803
CVE References: CVE-2013-1821,CVE-2013-4073,CVE-2013-4164
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src): ruby-1.8.7.p357-0.9.15.6
SUSE-SU-2014:0844-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 783525,808137,827265,851803
CVE References: CVE-2012-4481,CVE-2013-1821,CVE-2013-4073,CVE-2013-4164
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src): ruby-1.8.7.p357-0.9.15.6