rpms/ruby/F-9 ruby-1.8.6-rexml-CVE-2008-3790.patch, NONE, 1.1 ruby.spec, 1.121, 1.122
Akira TAGOH
tagoh at fedoraproject.org
Wed Oct 8 13:53:08 UTC 2008
- Previous message: rpms/numpy/devel .cvsignore, 1.13, 1.14 numpy.spec, 1.25, 1.26 sources, 1.13, 1.14
- Next message: rpms/ruby/F-8 ruby-1.8.6-rexml-CVE-2008-3790.patch, NONE, 1.1 ruby.spec, 1.110, 1.111
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: tagoh
Update of /cvs/pkgs/rpms/ruby/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv14135
Modified Files:
ruby.spec
Added Files:
ruby-1.8.6-rexml-CVE-2008-3790.patch
Log Message:
* Wed Oct 8 2008 Akira TAGOH <tagoh at redhat.com> - 1.8.6.287-2
- CVE-2008-3790: DoS vulnerability in the REXML module.
ruby-1.8.6-rexml-CVE-2008-3790.patch:
--- NEW FILE ruby-1.8.6-rexml-CVE-2008-3790.patch ---
diff -pruN ruby-1.8.6-p287.orig/lib/rexml/document.rb ruby-1.8.6-p287/lib/rexml/document.rb
--- ruby-1.8.6-p287.orig/lib/rexml/document.rb 2007-11-04 13:50:15.000000000 +0900
+++ ruby-1.8.6-p287/lib/rexml/document.rb 2008-10-08 22:25:14.000000000 +0900
@@ -32,6 +32,7 @@ module REXML
# @param context if supplied, contains the context of the document;
# this should be a Hash.
def initialize( source = nil, context = {} )
+ @entity_expansion_count = 0
super()
@context = context
return if source.nil?
@@ -200,6 +201,27 @@ module REXML
Parsers::StreamParser.new( source, listener ).parse
end
+ @@entity_expansion_limit = 10_000
+
+ # Set the entity expansion limit. By defualt the limit is set to 10000.
+ def Document::entity_expansion_limit=( val )
+ @@entity_expansion_limit = val
+ end
+
+ # Get the entity expansion limit. By defualt the limit is set to 10000.
+ def Document::entity_expansion_limit
+ return @@entity_expansion_limit
+ end
+
+ attr_reader :entity_expansion_count
+
+ def record_entity_expansion
+ @entity_expansion_count += 1
+ if @entity_expansion_count > @@entity_expansion_limit
+ raise "number of entity expansions exceeded, processing aborted."
+ end
+ end
+
private
def build( source )
Parsers::TreeParser.new( source, self ).parse
diff -pruN ruby-1.8.6-p287.orig/lib/rexml/entity.rb ruby-1.8.6-p287/lib/rexml/entity.rb
--- ruby-1.8.6-p287.orig/lib/rexml/entity.rb 2007-07-28 11:46:08.000000000 +0900
+++ ruby-1.8.6-p287/lib/rexml/entity.rb 2008-10-08 22:25:14.000000000 +0900
@@ -73,6 +73,7 @@ module REXML
# all entities -- both %ent; and &ent; entities. This differs from
# +value()+ in that +value+ only replaces %ent; entities.
def unnormalized
+ document.record_entity_expansion
v = value()
return nil if v.nil?
@unnormalized = Text::unnormalize(v, parent)
diff -pruN ruby-1.8.6-p287.orig/test/rexml/test_document.rb ruby-1.8.6-p287/test/rexml/test_document.rb
--- ruby-1.8.6-p287.orig/test/rexml/test_document.rb 1970-01-01 09:00:00.000000000 +0900
+++ ruby-1.8.6-p287/test/rexml/test_document.rb 2008-10-08 22:25:14.000000000 +0900
@@ -0,0 +1,42 @@
+require "rexml/document"
+require "test/unit"
+
+class REXML::TestDocument < Test::Unit::TestCase
+ def test_new
+ doc = REXML::Document.new(<<EOF)
+<?xml version="1.0" encoding="UTF-8"?>
+<message>Hello world!</message>
+EOF
+ assert_equal("Hello world!", doc.root.children.first.value)
+ end
+
+ XML_WITH_NESTED_ENTITY = <<EOF
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE member [
+ <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
+ <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
+ <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
+ <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
+ <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
+ <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
+ <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
+]>
+<member>
+&a;
+</member>
+EOF
+
+ def test_entity_expansion_limit
+ doc = REXML::Document.new(XML_WITH_NESTED_ENTITY)
+ assert_raise(RuntimeError) do
+ doc.root.children.first.value
+ end
+ REXML::Document.entity_expansion_limit = 100
+ assert_equal(100, REXML::Document.entity_expansion_limit)
+ doc = REXML::Document.new(XML_WITH_NESTED_ENTITY)
+ assert_raise(RuntimeError) do
+ doc.root.children.first.value
+ end
+ assert_equal(101, doc.entity_expansion_count)
+ end
+end
Index: ruby.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ruby/F-9/ruby.spec,v
retrieving revision 1.121
retrieving revision 1.122
diff -u -r1.121 -r1.122
--- ruby.spec 23 Aug 2008 09:05:21 -0000 1.121
+++ ruby.spec 8 Oct 2008 13:52:38 -0000 1.122
@@ -12,7 +12,7 @@
Name: ruby
Version: %{rubyver}%{?dotpatchlevel}
-Release: 1%{?dist}
+Release: 2%{?dist}
License: Ruby or GPLv2
URL: http://www.ruby-lang.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -36,6 +36,7 @@
Patch22: ruby-deprecated-search-path.patch
Patch23: ruby-multilib.patch
Patch25: ruby-1.8.6.111-gcc43.patch
+Patch26: ruby-1.8.6-rexml-CVE-2008-3790.patch
Summary: An interpreter of object-oriented scripting language
Group: Development/Languages
@@ -156,6 +157,7 @@
%patch23 -p1
%endif
%patch25 -p1
+%patch26 -p1
popd
%build
@@ -512,6 +514,9 @@
%endif
%changelog
+* Wed Oct 8 2008 Akira TAGOH <tagoh at redhat.com> - 1.8.6.287-2
+- CVE-2008-3790: DoS vulnerability in the REXML module.
+
* Sat Aug 23 2008 Akira TAGOH <tagoh at redhat.com> - 1.8.6.287-1
- New upstream release.
- Security fixes.
- Previous message: rpms/numpy/devel .cvsignore, 1.13, 1.14 numpy.spec, 1.25, 1.26 sources, 1.13, 1.14
- Next message: rpms/ruby/F-8 ruby-1.8.6-rexml-CVE-2008-3790.patch, NONE, 1.1 ruby.spec, 1.110, 1.111
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the scm-commits
mailing list