Control: tags -1 + patch

Hi

Attached is a proposed debdiff, based also on the changes done for ruby1.9.1. But there is one thing which might be sorted out first: The binary debdiff shows:

----cut---------cut---------cut---------cut---------cut---------cut-----
ri1.8:
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-------------------------------------
-rw-r--r-- root/root /usr/share/ri/1.8/system/IRB/Context/_set_last_value-i.yaml
-rw-r--r-- root/root /usr/share/ri/1.8/system/IRB/WorkSpace/__evaluate__-i.yaml
-rw-r--r-- root/root /usr/share/ri/1.8/system/REXML/Document/entity_expansion_text_limit%3d-c.yaml
-rw-r--r-- root/root /usr/share/ri/1.8/system/REXML/Document/entity_expansion_text_limit-c.yaml
-rw-r--r-- root/root /usr/share/ri/1.8/system/REXML/Text/expand-c.yaml

Files in first .deb but not in second
-------------------------------------
-rw-r--r-- root/root /usr/share/ri/1.8/system/RSS/Rss/Channel/Item/_setup_maker_element-i.yaml
----cut---------cut---------cut---------cut---------cut---------cut-----

Regards,
Salvatore
diff -Nru ruby1.8-1.8.7.358/debian/changelog ruby1.8-1.8.7.358/debian/changelog --- ruby1.8-1.8.7.358/debian/changelog 2012-11-01 01:20:28.000000000 +0100 +++ ruby1.8-1.8.7.358/debian/changelog 2013-03-09 13:39:28.000000000 +0100 @@ -1,3 +1,14 @@ +ruby1.8 (1.8.7.358-6.1) unstable; urgency=high + + * Non-maintainer upload. + * Add CVE-2013-1821.patch patch. + CVE-2013-1821: Fix entity expansion DoS vulnerability in REXML. When + reading text nodes from an XML document, the REXML parser could be + coerced into allocating extremely large string objects which could + consume all available memory on the system. (Closes: #702526) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 09 Mar 2013 08:05:35 +0100 + ruby1.8 (1.8.7.358-6) unstable; urgency=high * Timeout the execution of the tests after 2 hours. This should fix the diff -Nru ruby1.8-1.8.7.358/debian/patches/CVE-2013-1821.patch ruby1.8-1.8.7.358/debian/patches/CVE-2013-1821.patch --- ruby1.8-1.8.7.358/debian/patches/CVE-2013-1821.patch 1970-01-01 01:00:00.000000000 +0100 +++ ruby1.8-1.8.7.358/debian/patches/CVE-2013-1821.patch 2013-03-09 13:39:28.000000000 +0100 
@@ -0,0 +1,120 @@ +Description: Fix entity expansion DoS vulnerability in REXML + CVE-2013-1821 +Origin: upstream, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=39384&view=patch +Bug-Debian: http://bugs.debian.org/702526 +Forwarded: not-needed +Author: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2013-03-09 + +--- a/lib/rexml/document.rb ++++ b/lib/rexml/document.rb +@@ -214,6 +214,18 @@ + return @@entity_expansion_limit + end + ++ @@entity_expansion_text_limit = 10_240 ++ ++ # Set the entity expansion limit. By default the limit is set to 10240. ++ def Document::entity_expansion_text_limit=( val ) ++ @@entity_expansion_text_limit = val ++ end ++ ++ # Get the entity expansion limit. By default the limit is set to 10000. ++ def Document::entity_expansion_text_limit ++ return @@entity_expansion_text_limit ++ end ++ + attr_reader :entity_expansion_count + + def record_entity_expansion +--- a/test/rexml/test_document.rb ++++ b/test/rexml/test_document.rb +@@ -63,4 +63,23 @@ + ensure + REXML::Document.entity_expansion_limit = 10000 + end ++ ++ def test_entity_string_limit ++ template = '<!DOCTYPE bomb [ <!ENTITY a "^" > ]> <bomb>$</bomb>' ++ len = 5120 # 5k per entity ++ template.sub!(/\^/, "B" * len) ++ ++ # 10k is OK ++ entities = '&a;' * 2 # 5k entity * 2 = 10k ++ xmldoc = REXML::Document.new(template.sub(/\$/, entities)) ++ assert_equal(len * 2, xmldoc.root.text.bytesize) ++ ++ # above 10k explodes ++ entities = '&a;' * 3 # 5k entity * 2 = 15k ++ xmldoc = REXML::Document.new(template.sub(/\$/, entities)) ++ assert_raises(RuntimeError) do ++ xmldoc.root.text ++ end ++ end ++ + end +--- a/lib/rexml/text.rb ++++ b/lib/rexml/text.rb +@@ -308,37 +308,35 @@ + + # Unescapes all possible entities + def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil ) +- rv = string.clone +- rv.gsub!( /\r\n?/, "\n" ) +- matches = rv.scan( REFERENCE ) +- return rv if matches.size == 0 +- rv.gsub!( NUMERICENTITY ) {|m| +- m=$1 +- m = "0#{m}" if 
m[0] == ?x +- [Integer(m)].pack('U*') ++ sum = 0 ++ string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) { ++ s = Text.expand($&, doctype, filter) ++ if sum + s.bytesize > Document.entity_expansion_text_limit ++ raise "entity expansion has grown too large" ++ else ++ sum += s.bytesize ++ end ++ s + } +- matches.collect!{|x|x[0]}.compact! +- if matches.size > 0 +- if doctype +- matches.each do |entity_reference| +- unless filter and filter.include?(entity_reference) +- entity_value = doctype.entity( entity_reference ) +- re = /&#{entity_reference};/ +- rv.gsub!( re, entity_value ) if entity_value +- end +- end ++ end ++ ++ def Text.expand(ref, doctype, filter) ++ if ref[1] == ?# ++ if ref[2] == ?x ++ [ref[3...-1].to_i(16)].pack('U*') + else +- matches.each do |entity_reference| +- unless filter and filter.include?(entity_reference) +- entity_value = DocType::DEFAULT_ENTITIES[ entity_reference ] +- re = /&#{entity_reference};/ +- rv.gsub!( re, entity_value.value ) if entity_value +- end +- end ++ [ref[2...-1].to_i].pack('U*') + end +- rv.gsub!( /&/, '&' ) ++ elsif ref == '&' ++ '&' ++ elsif filter and filter.include?( ref[1...-1] ) ++ ref ++ elsif doctype ++ doctype.entity( ref[1...-1] ) or ref ++ else ++ entity_value = DocType::DEFAULT_ENTITIES[ ref[1...-1] ] ++ entity_value ? entity_value.value : ref + end +- rv + end + end + end diff -Nru ruby1.8-1.8.7.358/debian/patches/series ruby1.8-1.8.7.358/debian/patches/series --- ruby1.8-1.8.7.358/debian/patches/series 2012-10-15 00:43:03.000000000 +0200 +++ ruby1.8-1.8.7.358/debian/patches/series 2013-03-09 13:39:28.000000000 +0100 @@ -14,3 +14,4 @@ tcltk-no-rpath.patch use-ldflags.patch CVE-2012-4481.patch +CVE-2013-1821.patch
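Review bot: the new debian/changelog entry describes the DoS but not the behaviour change that fixes it. It would help to mention that the patch adds REXML::Document.entity_expansion_text_limit with a default of 10240, so a user whose document now fails with "entity expansion has grown too large" can find the setting from the changelog.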
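Review bot: in the lib/rexml/document.rb hunk, the comments above the two new accessors do not match the code. Both say "entity expansion limit" although they document entity_expansion_text_limit, and the getter's comment gives the default as 10000 while the class variable is initialised to 10_240. Both comments should name the text limit and state 10240.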
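Review bot: in test_entity_string_limit, the comment on the second case reads "5k entity * 2 = 15k" next to '&a;' * 3; it should say * 3. The test also depends on entity_expansion_text_limit still being at its default, whereas the preceding test in the context lines restores entity_expansion_limit in an ensure block. Setting the text limit to 10_240 explicitly at the start of the test and restoring it in an ensure would keep the test independent of ordering.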
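Review bot: in the lib/rexml/text.rb hunk, Text::unnormalize adds s.bytesize to sum for every REFERENCE match, including the Text.expand branches that return ref unchanged (a name listed in filter, or a name that neither doctype nor DEFAULT_ENTITIES resolves) and numeric character references. The limit therefore bounds the bytes produced from all references in one string, not only doctype entity expansions, so text with many unexpanded references can also raise. If that is intended, the comment on entity_expansion_text_limit should say so. Separately, raise "entity expansion has grown too large" yields a plain RuntimeError; a dedicated exception class would let callers tell this condition apart from other runtime errors.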