Bug#702870: marked as done (unblock: ruby1.8/1.8.7.358-7)
Your message dated Tue, 12 Mar 2013 13:14:28 +0000
with message-id <de29f0b0cadbebb82d0ab7f03cf1cd04@mail.adsl.funky-badger.org>
and subject line Re: Bug#702870: unblock: ruby1.8/1.8.7.358-7
has caused the Debian Bug report #702870,
regarding unblock: ruby1.8/1.8.7.358-7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
702870: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702870
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ruby1.8

This fixes #702526 (CVE-2013-1821) with a patch from Salvatore
Bonaccorso. The patch is backported from the fix in Ruby 1.9 and
inspired by RedHat's own patch. Full diff below.

unblock ruby1.8/1.8.7.358-7


diff -Nru ruby1.8-1.8.7.358/debian/changelog ruby1.8-1.8.7.358/debian/changelog
--- ruby1.8-1.8.7.358/debian/changelog	2013-03-12 08:16:51.000000000 +0100
+++ ruby1.8-1.8.7.358/debian/changelog	2013-03-12 08:34:17.000000000 +0100
@@ -1,3 +1,17 @@
+ruby1.8 (1.8.7.358-7) unstable; urgency=high
+
+  [ Salvatore Bonaccorso ]
+  * Add CVE-2013-1821.patch patch.
+    CVE-2013-1821: Fix entity expansion DoS vulnerability in REXML. When
+    reading text nodes from an XML document, the REXML parser could be
+    coerced into allocating extremely large string objects which could
+    consume all available memory on the system. (Closes: #702526)
+
+  [ Lucas Nussbaum ]
+  * Reviewed and tested Salvatore's patch.
+
+ -- Lucas Nussbaum <lucas@debian.org>  Tue, 12 Mar 2013 08:34:11 +0100
+
 ruby1.8 (1.8.7.358-6) unstable; urgency=high
 
   * Timeout the execution of the tests after 2 hours. This should fix the
diff -Nru ruby1.8-1.8.7.358/debian/patches/CVE-2013-1821.patch ruby1.8-1.8.7.358/debian/patches/CVE-2013-1821.patch
--- ruby1.8-1.8.7.358/debian/patches/CVE-2013-1821.patch	1970-01-01 01:00:00.000000000 +0100
+++ ruby1.8-1.8.7.358/debian/patches/CVE-2013-1821.patch	2013-03-12 08:32:40.000000000 +0100
@@ -0,0 +1,120 @@
+Description: Fix entity expansion DoS vulnerability in REXML
+ CVE-2013-1821
+Origin: upstream, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=39384&view=patch
+Bug-Debian: http://bugs.debian.org/702526
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2013-03-09
+
+--- a/lib/rexml/document.rb
++++ b/lib/rexml/document.rb
+@@ -214,6 +214,18 @@
+       return @@entity_expansion_limit
+     end
+ 
++    @@entity_expansion_text_limit = 10_240
++
++    # Set the entity expansion limit. By default the limit is set to 10240.
++    def Document::entity_expansion_text_limit=( val )
++      @@entity_expansion_text_limit = val
++    end
++
++    # Get the entity expansion limit. By default the limit is set to 10000.
++    def Document::entity_expansion_text_limit
++      return @@entity_expansion_text_limit
++    end
++
+     attr_reader :entity_expansion_count
+     
+     def record_entity_expansion
+--- a/test/rexml/test_document.rb
++++ b/test/rexml/test_document.rb
+@@ -63,4 +63,23 @@
+   ensure
+     REXML::Document.entity_expansion_limit = 10000
+   end
++
++  def test_entity_string_limit
++    template = '<!DOCTYPE bomb [ <!ENTITY a "^" > ]> <bomb>$</bomb>'
++    len      = 5120 # 5k per entity
++    template.sub!(/\^/, "B" * len)
++
++    # 10k is OK
++    entities = '&a;' * 2 # 5k entity * 2 = 10k
++    xmldoc = REXML::Document.new(template.sub(/\$/, entities))
++    assert_equal(len * 2, xmldoc.root.text.bytesize)
++
++    # above 10k explodes
++    entities = '&a;' * 3 # 5k entity * 2 = 15k
++    xmldoc = REXML::Document.new(template.sub(/\$/, entities))
++    assert_raises(RuntimeError) do
++      xmldoc.root.text
++    end
++  end
++
+ end
+--- a/lib/rexml/text.rb
++++ b/lib/rexml/text.rb
+@@ -308,37 +308,35 @@
+ 
+     # Unescapes all possible entities
+     def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil )
+-      rv = string.clone
+-      rv.gsub!( /\r\n?/, "\n" )
+-      matches = rv.scan( REFERENCE )
+-      return rv if matches.size == 0
+-      rv.gsub!( NUMERICENTITY ) {|m|
+-        m=$1
+-        m = "0#{m}" if m[0] == ?x
+-        [Integer(m)].pack('U*')
++      sum = 0
++      string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) {
++        s = Text.expand($&, doctype, filter)
++        if sum + s.bytesize > Document.entity_expansion_text_limit
++          raise "entity expansion has grown too large"
++        else
++          sum += s.bytesize
++        end
++        s
+       }
+-      matches.collect!{|x|x[0]}.compact!
+-      if matches.size > 0
+-        if doctype
+-          matches.each do |entity_reference|
+-            unless filter and filter.include?(entity_reference)
+-              entity_value = doctype.entity( entity_reference )
+-              re = /&#{entity_reference};/
+-              rv.gsub!( re, entity_value ) if entity_value
+-            end
+-          end
++    end
++
++    def Text.expand(ref, doctype, filter)
++      if ref[1] == ?#
++        if ref[2] == ?x
++          [ref[3...-1].to_i(16)].pack('U*')
+         else
+-          matches.each do |entity_reference|
+-            unless filter and filter.include?(entity_reference)
+-              entity_value = DocType::DEFAULT_ENTITIES[ entity_reference ]
+-              re = /&#{entity_reference};/
+-              rv.gsub!( re, entity_value.value ) if entity_value
+-            end
+-          end
++          [ref[2...-1].to_i].pack('U*')
+         end
+-        rv.gsub!( /&amp;/, '&' )
++      elsif ref == '&amp;'
++        '&'
++      elsif filter and filter.include?( ref[1...-1] )
++        ref
++      elsif doctype
++        doctype.entity( ref[1...-1] ) or ref
++      else
++        entity_value = DocType::DEFAULT_ENTITIES[ ref[1...-1] ]
++        entity_value ? entity_value.value : ref
+       end
+-      rv
+     end
+   end
+ end
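Review bot: the doc comments on the two new accessors in lib/rexml/document.rb disagree with each other and with the value actually set: the setter comment says "By default the limit is set to 10240", the getter comment says "10000", while the class variable is initialised with `@@entity_expansion_text_limit = 10_240`; both comments should say 10240 and call it the entity expansion *text* limit so it is not confused with the pre-existing `entity_expansion_limit` (whose getter sits just above). In test/rexml/test_document.rb the comment `# 5k entity * 2 = 15k` next to `entities = '&a;' * 3` should read `* 3`. On lib/rexml/text.rb, note for the changelog or a code comment that `sum` is reset on every `unnormalize` call, so the limit bounds the bytes produced by expansion per text node rather than per document, and that the failure surfaces as a bare `RuntimeError` from `raise "entity expansion has grown too large"`, which is what `assert_raises(RuntimeError)` in the new test relies on; a dedicated exception class would be easier for callers to rescue selectively, but keeping the plain string matches the upstream r39384 change this backports.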
diff -Nru ruby1.8-1.8.7.358/debian/patches/series ruby1.8-1.8.7.358/debian/patches/series
--- ruby1.8-1.8.7.358/debian/patches/series	2013-03-12 08:16:51.000000000 +0100
+++ ruby1.8-1.8.7.358/debian/patches/series	2013-03-12 08:32:40.000000000 +0100
@@ -14,3 +14,4 @@
 tcltk-no-rpath.patch
 use-ldflags.patch
 CVE-2012-4481.patch
+CVE-2013-1821.patch

--- End Message ---
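The check the backported patch adds to `Text::unnormalize` is simple enough to see in isolation: every entity reference is expanded, the byte size of each expansion is accumulated, and expansion stops with an error once the running total would exceed a fixed limit. The following is an added example written for this page, not code from the Debian package or from REXML; it reimplements that bounded-expansion logic on a constructed entity table so it runs without REXML. The names `expand_text`, `expand_reference`, `EntityExpansionTooLarge` and the `limit:` keyword are illustrative assumptions, and the 10_240 default mirrors the value the patch introduces.

```ruby
# Added example: bounded entity expansion in the style of the CVE-2013-1821
# fix. Not REXML code; the names below are illustrative assumptions.

# Matches decimal, hexadecimal and named references, e.g. &#65; &#x42; &lt;
REFERENCE = /&(?:#\d+|#x[0-9A-Fa-f]+|[A-Za-z_:][\w:.-]*);/

# The five predefined XML entities (stands in for DocType::DEFAULT_ENTITIES).
DEFAULT_ENTITIES = {
  'lt' => '<', 'gt' => '>', 'amp' => '&', 'quot' => '"', 'apos' => "'"
}.freeze

# Raised when the total bytes produced by expansion exceed the limit.
class EntityExpansionTooLarge < RuntimeError; end

# Expand every reference in +text+ using +entities+ (a name => value Hash
# standing in for the document's DOCTYPE), but give up as soon as the bytes
# produced by expansion would exceed +limit+. The limit is per call, which
# corresponds to per text node in the patched REXML::Text::unnormalize.
def expand_text(text, entities = {}, limit: 10_240)
  sum = 0
  text.gsub(/\r\n?/, "\n").gsub(REFERENCE) { |ref|
    s = expand_reference(ref, entities)
    if sum + s.bytesize > limit
      raise EntityExpansionTooLarge, 'entity expansion has grown too large'
    end
    sum += s.bytesize
    s
  }
end

# Resolve one reference such as "&a;" or "&#x42;" to its replacement text.
# Unknown names are returned unchanged, as the patched Text.expand does.
def expand_reference(ref, entities)
  name = ref[1...-1]
  if name.start_with?('#x')
    [name[2..-1].to_i(16)].pack('U*')
  elsif name.start_with?('#')
    [name[1..-1].to_i].pack('U*')
  elsif entities.key?(name)
    entities[name]
  elsif DEFAULT_ENTITIES.key?(name)
    DEFAULT_ENTITIES[name]
  else
    ref
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input shaped like the patch's own test: one 5 KiB entity.
  doc_entities = { 'a' => 'B' * 5120 }
  puts expand_text('&a;&a;', doc_entities).bytesize      # 10240, within limit
  begin
    expand_text('&a;&a;&a;', doc_entities)               # 15360, rejected
  rescue EntityExpansionTooLarge => e
    puts "rejected: #{e.message}"
  end
end
```

The total is accumulated before the replacement string is returned to `gsub`, so the oversized result is never assembled; that is the property the original vulnerable code lacked, since it substituted every reference first and only then could anyone measure what had been built. The limit still has to be chosen per deployment: the patch's 10240 default is a ceiling on expansion output, not on document size, so legitimate documents with large expanded text nodes need the setter the patch adds.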
--- Begin Message ---
On 12.03.2013 10:20, Lucas Nussbaum wrote:
> Please unblock package ruby1.8
> 
> This fixes #702526 (CVE-2013-1821) with a patch from Salvatore
> Bonaccorso. The patch is backported from the fix in Ruby 1.9 and
> inspired by RedHat's own patch. Full diff below.

Unblocked; thanks.

Regards,

Adam

--- End Message ---