Control: tags -1 + patch Hi
I propose the attached patch, applied from upstream's svn. I can do an NMU if needed, but would first like a second check on the resulting package. Regards, Salvatore
diff -Nru ruby1.9.1-1.9.3.194/debian/changelog ruby1.9.1-1.9.3.194/debian/changelog
--- ruby1.9.1-1.9.3.194/debian/changelog 2013-02-23 15:29:56.000000000 +0100
+++ ruby1.9.1-1.9.3.194/debian/changelog 2013-03-08 21:49:19.000000000 +0100
@@ -1,3 +1,14 @@
+ruby1.9.1 (1.9.3.194-8.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Add CVE-2013-1821.patch patch.
+ CVE-2013-1821: Fix entity expansion DoS vulnerability in REXML. When
+ reading text nodes from an XML document, the REXML parser could be
+ coerced into allocating extremely large string objects which could
+ consume all available memory on the system. (Closes: #702525)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Fri, 08 Mar 2013 21:48:20 +0100
+
 ruby1.9.1 (1.9.3.194-8) unstable; urgency=low
 
 * ruby1.9.1: add Breaks: apt-listbugs (<< 0.1.6) to avoid breaking the
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-1821.patch ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-1821.patch
--- ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-1821.patch 1970-01-01 01:00:00.000000000 +0100
+++ ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-1821.patch 2013-03-08 21:49:19.000000000 +0100
@@ -0,0 +1,110 @@
+Description: Fix entity expansion DoS vulnerability in REXML
+ CVE-2013-1821
+Origin: upstream, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=39384&view=patch
+Bug-Debian: http://bugs.debian.org/702525
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2013-03-08
+Applied-Upstream: yes
+
+--- a/lib/rexml/document.rb
++++ b/lib/rexml/document.rb
+@@ -217,6 +217,18 @@
+ return @@entity_expansion_limit
+ end
+ 
++ @@entity_expansion_text_limit = 10_240
++
++ # Set the entity expansion limit. By default the limit is set to 10240.
++ def Document::entity_expansion_text_limit=( val )
++ @@entity_expansion_text_limit = val
++ end
++
++ # Get the entity expansion limit. By default the limit is set to 10000.
++ def Document::entity_expansion_text_limit
++ return @@entity_expansion_text_limit
++ end
++
+ attr_reader :entity_expansion_count
+ 
+ def record_entity_expansion
+--- a/lib/rexml/text.rb
++++ b/lib/rexml/text.rb
+@@ -380,25 +380,35 @@
+ 
+ # Unescapes all possible entities
+ def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil )
++ sum = 0
+ string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) {
+- ref = $&
+- if ref[1] == ?#
+- if ref[2] == ?x
+- [ref[3...-1].to_i(16)].pack('U*')
+- else
+- [ref[2...-1].to_i].pack('U*')
+- end
+- elsif ref == '&'
+- '&'
+- elsif filter and filter.include?( ref[1...-1] )
+- ref
+- elsif doctype
+- doctype.entity( ref[1...-1] ) or ref
++ s = Text.expand($&, doctype, filter)
++ if sum + s.bytesize > Document.entity_expansion_text_limit
++ raise "entity expansion has grown too large"
+ else
+- entity_value = DocType::DEFAULT_ENTITIES[ ref[1...-1] ]
+- entity_value ? 
entity_value.value : ref
++ sum += s.bytesize
+ end
++ s
+ }
+ end
++
++ def Text.expand(ref, doctype, filter)
++ if ref[1] == ?#
++ if ref[2] == ?x
++ [ref[3...-1].to_i(16)].pack('U*')
++ else
++ [ref[2...-1].to_i].pack('U*')
++ end
++ elsif ref == '&'
++ '&'
++ elsif filter and filter.include?( ref[1...-1] )
++ ref
++ elsif doctype
++ doctype.entity( ref[1...-1] ) or ref
++ else
++ entity_value = DocType::DEFAULT_ENTITIES[ ref[1...-1] ]
++ entity_value ? entity_value.value : ref
++ end
++ end
+ end
+ end
+--- a/test/rexml/test_entity.rb
++++ b/test/rexml/test_entity.rb
+@@ -104,6 +104,24 @@
+ assert_equal source, out
+ end
+ 
++ def test_entity_string_limit
++ template = '<!DOCTYPE bomb [ <!ENTITY a "^" > ]> <bomb>$</bomb>'
++ len = 5120 # 5k per entity
++ template.sub!(/\^/, "B" * len)
++
++ # 10k is OK
++ entities = '&a;' * 2 # 5k entity * 2 = 10k
++ xmldoc = REXML::Document.new(template.sub(/\$/, entities))
++ assert_equal(len * 2, xmldoc.root.text.bytesize)
++
++ # above 10k explodes
++ entities = '&a;' * 3 # 5k entity * 2 = 15k
++ xmldoc = REXML::Document.new(template.sub(/\$/, entities))
++ assert_raises(RuntimeError) do
++ xmldoc.root.text
++ end
++ end
++
+ def test_raw
+ source = '<!DOCTYPE foo [
+ <!ENTITY ent "replace">
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/series ruby1.9.1-1.9.3.194/debian/patches/series
--- ruby1.9.1-1.9.3.194/debian/patches/series 2013-02-13 16:20:21.000000000 +0100
+++ ruby1.9.1-1.9.3.194/debian/patches/series 2013-03-08 21:49:19.000000000 +0100
@@ -21,3 +21,4 @@
 20121120-cve-2012-5371.diff
 CVE-2013-0256.patch
 CVE-2013-0269.patch
+CVE-2013-1821.patch
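Review bot: The two comments added above `Document::entity_expansion_text_limit=` and `Document::entity_expansion_text_limit` in the document.rb part of CVE-2013-1821.patch describe the wrong knob: both say "entity expansion limit" (the name of the pre-existing count limit), and the getter's comment gives a default of 10000 while the value assigned two lines earlier is 10_240. Suggested wording for the pair: `# Set the entity expansion text limit (total bytes of expanded entity text accepted in one Text::unnormalize call). By default the limit is set to 10240.` and `# Get the entity expansion text limit. By default the limit is set to 10240.`. In the test_entity.rb part, the comment on the over-limit case, `entities = '&a;' * 3 # 5k entity * 2 = 15k`, should read `# 5k entity * 3 = 15k`. Also worth a line in the patch header for downstream callers: the new check raises a bare `RuntimeError` with the message "entity expansion has grown too large", which appears to be the same class the existing expansion-count check uses, so code that wants to tell the two limits apart has to match on the message.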