[rubygem-activesupport/f18] Fix for CVE-2013-1856.
Vít Ondruch
vondruch at fedoraproject.org
Thu Mar 21 11:15:58 UTC 2013
commit c69abecfba77850d0bdfc6e4b98c63fd6253dd81
Author: Vít Ondruch <vondruch at redhat.com>
Date: Thu Mar 21 12:15:40 2013 +0100
Fix for CVE-2013-1856.
...m-activesupport-3.2.13-CVE-2013-1856-jdom.patch | 120 ++++++++++++++++++++
rubygem-activesupport.spec | 10 ++-
2 files changed, 129 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-activesupport-3.2.13-CVE-2013-1856-jdom.patch b/rubygem-activesupport-3.2.13-CVE-2013-1856-jdom.patch
new file mode 100644
index 0000000..c7d7322
--- /dev/null
+++ b/rubygem-activesupport-3.2.13-CVE-2013-1856-jdom.patch
@@ -0,0 +1,120 @@
+From 6a3ca3601258e2c1a41a4297855c008f6ab87b44 Mon Sep 17 00:00:00 2001
+From: Ben Murphy <benmmurphy at gmail.com>
+Date: Fri, 8 Feb 2013 02:48:22 +0000
+Subject: [PATCH] JDOM XXE Protection
+
+Conflicts:
+ activesupport/test/xml_mini/jdom_engine_test.rb
+---
+ activesupport/lib/active_support/xml_mini/jdom.rb | 6 ++++
+ activesupport/test/fixtures/xml/jdom_doctype.dtd | 1 +
+ activesupport/test/fixtures/xml/jdom_entities.txt | 1 +
+ activesupport/test/fixtures/xml/jdom_include.txt | 1 +
+ activesupport/test/xml_mini/jdom_engine_test.rb | 39 +++++++++++++++++++++--
+ 5 files changed, 45 insertions(+), 3 deletions(-)
+ create mode 100644 activesupport/test/fixtures/xml/jdom_doctype.dtd
+ create mode 100644 activesupport/test/fixtures/xml/jdom_entities.txt
+ create mode 100644 activesupport/test/fixtures/xml/jdom_include.txt
+
+diff --git a/activesupport/lib/active_support/xml_mini/jdom.rb b/activesupport/lib/active_support/xml_mini/jdom.rb
+index 6c222b8..8d23ce4 100644
+--- a/activesupport/lib/active_support/xml_mini/jdom.rb
++++ b/activesupport/lib/active_support/xml_mini/jdom.rb
+@@ -38,6 +38,12 @@ module ActiveSupport
+ {}
+ else
+ @dbf = DocumentBuilderFactory.new_instance
++ # secure processing of java xml
++ # http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html
++ @dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
++ @dbf.setFeature("http://xml.org/sax/features/external-general-entities", false)
++ @dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
++ @dbf.setFeature(javax.xml.XMLConstants::FEATURE_SECURE_PROCESSING, true)
+ xml_string_reader = StringReader.new(data)
+ xml_input_source = InputSource.new(xml_string_reader)
+ doc = @dbf.new_document_builder.parse(xml_input_source)
+diff --git a/activesupport/test/fixtures/xml/jdom_doctype.dtd b/activesupport/test/fixtures/xml/jdom_doctype.dtd
+new file mode 100644
+index 0000000..8948049
+--- /dev/null
++++ b/activesupport/test/fixtures/xml/jdom_doctype.dtd
+@@ -0,0 +1 @@
++<!ENTITY a "external entity">
+diff --git a/activesupport/test/fixtures/xml/jdom_entities.txt b/activesupport/test/fixtures/xml/jdom_entities.txt
+new file mode 100644
+index 0000000..0337fda
+--- /dev/null
++++ b/activesupport/test/fixtures/xml/jdom_entities.txt
+@@ -0,0 +1 @@
++<!ENTITY a "hello">
+diff --git a/activesupport/test/fixtures/xml/jdom_include.txt b/activesupport/test/fixtures/xml/jdom_include.txt
+new file mode 100644
+index 0000000..239ca3a
+--- /dev/null
++++ b/activesupport/test/fixtures/xml/jdom_include.txt
+@@ -0,0 +1 @@
++include me
+diff --git a/activesupport/test/xml_mini/jdom_engine_test.rb b/activesupport/test/xml_mini/jdom_engine_test.rb
+index 7f809e7..ec81ada 100644
+--- a/activesupport/test/xml_mini/jdom_engine_test.rb
++++ b/activesupport/test/xml_mini/jdom_engine_test.rb
+@@ -3,9 +3,11 @@ if RUBY_PLATFORM =~ /java/
+ require 'active_support/xml_mini'
+ require 'active_support/core_ext/hash/conversions'
+
+- class JDOMEngineTest < Test::Unit::TestCase
++ class JDOMEngineTest < ActiveSupport::TestCase
+ include ActiveSupport
+
++ FILES_DIR = File.dirname(__FILE__) + '/../fixtures/xml'
++
+ def setup
+ @default_backend = XmlMini.backend
+ XmlMini.backend = 'JDOM'
+@@ -30,10 +32,41 @@ if RUBY_PLATFORM =~ /java/
+ assert_equal 'image/png', file.content_type
+ end
+
++ def test_not_allowed_to_expand_entities_to_files
++ attack_xml = <<-EOT
++ <!DOCTYPE member [
++ <!ENTITY a SYSTEM "file://#{FILES_DIR}/jdom_include.txt">
++ ]>
++ <member>x&a;</member>
++ EOT
++ assert_equal 'x', Hash.from_xml(attack_xml)["member"]
++ end
++
++ def test_not_allowed_to_expand_parameter_entities_to_files
++ attack_xml = <<-EOT
++ <!DOCTYPE member [
++ <!ENTITY % b SYSTEM "file://#{FILES_DIR}/jdom_entities.txt">
++ %b;
++ ]>
++ <member>x&a;</member>
++ EOT
++ assert_raise Java::OrgXmlSax::SAXParseException do
++ assert_equal 'x', Hash.from_xml(attack_xml)["member"]
++ end
++ end
++
++
++ def test_not_allowed_to_load_external_doctypes
++ attack_xml = <<-EOT
++ <!DOCTYPE member SYSTEM "file://#{FILES_DIR}/jdom_doctype.dtd">
++ <member>x&a;</member>
++ EOT
++ assert_equal 'x', Hash.from_xml(attack_xml)["member"]
++ end
++
+ def test_exception_thrown_on_expansion_attack
+- assert_raise NativeException do
++ assert_raise Java::OrgXmlSax::SAXParseException do
+ attack_xml = <<-EOT
+- <?xml version="1.0" encoding="UTF-8"?>
+ <!DOCTYPE member [
+ <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
+ <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
+--
+1.8.1.1
+
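Review bot: The four `@dbf.setFeature` calls added to jdom.rb raise `javax.xml.parsers.ParserConfigurationException` on a JAXP implementation that does not recognise one of the feature URIs (the first is an Apache/Xerces-specific one), and nothing in the hunk rescues or documents that. Failing closed is the right outcome for a hardening change, so I would not add a rescue, but the intent belongs next to the existing comment: `# An unsupported feature raises ParserConfigurationException; do not rescue it - parsing without these guards must not proceed.` Internal entity expansion is still permitted after these calls, so the existing expansion-attack test appears to rely on the expansion limit that FEATURE_SECURE_PROCESSING turns on, which is worth a one-line comment as well. In the new parameter-entity test the `assert_equal` nested inside `assert_raise` never executes when the expected exception is raised; a bare `Hash.from_xml(attack_xml)` inside the block says what is meant. The enclosing method in jdom.rb (presumably `parse`) starts and ends outside the hunk.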
diff --git a/rubygem-activesupport.spec b/rubygem-activesupport.spec
index 0482671..f54f67d 100644
--- a/rubygem-activesupport.spec
+++ b/rubygem-activesupport.spec
@@ -7,7 +7,7 @@ Summary: Support and utility classes used by the Rails framework
Name: rubygem-%{gem_name}
Epoch: 1
Version: 3.2.8
-Release: 2%{?dist}
+Release: 3%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -39,6 +39,10 @@ Patch4: activesupport-add-bigdecimal-dependency.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=892870
Patch5: rubygem-activesupport-3.2.11-CVE-2013-0156-xml_parsing.patch
+# CVE-2013-1856
+# https://bugzilla.redhat.com/show_bug.cgi?id=921334
+Patch6: rubygem-activesupport-3.2.13-CVE-2013-1856-jdom.patch
+
Requires: ruby(rubygems)
Requires: ruby(abi) = %{rubyabi}
# Let's keep Requires and BuildRequires sorted alphabeticaly
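Review bot: The new `Patch6` comment block names the CVE and the bugzilla entry but not where the patch comes from, and the file name says 3.2.13 while `Version` is 3.2.8, so a reader cannot tell whether this is the upstream change or a locally rebased copy. I would add `# Upstream commit 6a3ca3601258e2c1a41a4297855c008f6ab87b44 (Rails 3.2.13), re-applied to 3.2.8` under the bugzilla line; the commit id is the `From` header of the added patch file, and its `Conflicts:` note suggests it was re-applied rather than taken verbatim. The `%patch6 -p2` line in the later hunk matches the `a/activesupport/...` paths in that file, so the strip level looks consistent with Patch5.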
@@ -80,6 +84,7 @@ pushd .%{gem_instdir}
%patch1 -p0
%patch2 -p0
%patch5 -p2
+%patch6 -p2
popd
pushd .%{gem_dir}
@@ -111,6 +116,9 @@ popd
%changelog
+* Thu Mar 21 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.2.8-3
+- Fix for CVE-2013-1856.
+
* Wed Jan 09 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.2.8-2
- Fix for CVE-2013-0156.