tags 702525 + pending
thanks

Dear maintainer,

I've prepared an NMU for ruby1.9.1 (versioned as 1.9.3.194-8.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru ruby1.9.1-1.9.3.194/debian/changelog ruby1.9.1-1.9.3.194/debian/changelog
--- ruby1.9.1-1.9.3.194/debian/changelog	2013-02-23 15:29:56.000000000 +0100
+++ ruby1.9.1-1.9.3.194/debian/changelog	2013-03-08 21:49:19.000000000 +0100
@@ -1,3 +1,14 @@
+ruby1.9.1 (1.9.3.194-8.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add CVE-2013-1821.patch patch.
+    CVE-2013-1821: Fix entity expansion DoS vulnerability in REXML. When
+    reading text nodes from an XML document, the REXML parser could be
+    coerced into allocating extremely large string objects which could
+    consume all available memory on the system. (Closes: #702525)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Fri, 08 Mar 2013 21:48:20 +0100
+
 ruby1.9.1 (1.9.3.194-8) unstable; urgency=low
 
   * ruby1.9.1: add Breaks: apt-listbugs (<< 0.1.6) to avoid breaking the
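Review bot: the changelog entry describes the vulnerability but not the user-visible behaviour change the patch introduces: a new cap of 10240 bytes on the text produced by expanding references in one Text::unnormalize call, enforced by raising instead of returning the expanded text, plus the Document::entity_expansion_text_limit= setter for raising it. Documents that legitimately carry more than 10 KiB of references in a single text node will now fail to parse, so a sentence pointing administrators at the setter (or a NEWS entry) would save bug reports after the upload.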
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-1821.patch ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-1821.patch
--- ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-1821.patch	1970-01-01 01:00:00.000000000 +0100
+++ ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-1821.patch	2013-03-08 21:49:19.000000000 +0100
@@ -0,0 +1,110 @@
+Description: Fix entity expansion DoS vulnerability in REXML
+ CVE-2013-1821
+Origin: upstream, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=39384&view=patch
+Bug-Debian: http://bugs.debian.org/702525
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2013-03-08
+Applied-Upstream: yes
+
+--- a/lib/rexml/document.rb
++++ b/lib/rexml/document.rb
+@@ -217,6 +217,18 @@
+       return @@entity_expansion_limit
+     end
+ 
++    @@entity_expansion_text_limit = 10_240
++
++    # Set the entity expansion limit. By default the limit is set to 10240.
++    def Document::entity_expansion_text_limit=( val )
++      @@entity_expansion_text_limit = val
++    end
++
++    # Get the entity expansion limit. By default the limit is set to 10000.
++    def Document::entity_expansion_text_limit
++      return @@entity_expansion_text_limit
++    end
++
+     attr_reader :entity_expansion_count
+ 
+     def record_entity_expansion
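Review bot: the doc comments on the two new accessors do not match the code or each other: the setter says "By default the limit is set to 10240" while the getter says 10000, but @@entity_expansion_text_limit is 10_240; both also call it "the entity expansion limit", which is the name of the existing count-based limit returned by Document::entity_expansion_limit just above this hunk. Suggest "Set/Get the entity expansion text limit (maximum number of bytes produced by expanding references in one text). By default the limit is set to 10240." The text is carried verbatim from upstream r39384, so it is not a blocker for the NMU, but it is worth correcting here or forwarding upstream.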
+--- a/lib/rexml/text.rb
++++ b/lib/rexml/text.rb
+@@ -380,25 +380,35 @@
+ 
+     # Unescapes all possible entities
+     def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil )
++      sum = 0
+       string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) {
+-        ref = $&
+-        if ref[1] == ?#
+-          if ref[2] == ?x
+-            [ref[3...-1].to_i(16)].pack('U*')
+-          else
+-            [ref[2...-1].to_i].pack('U*')
+-          end
+-        elsif ref == '&amp;'
+-          '&'
+-        elsif filter and filter.include?( ref[1...-1] )
+-          ref
+-        elsif doctype
+-          doctype.entity( ref[1...-1] ) or ref
++        s = Text.expand($&, doctype, filter)
++        if sum + s.bytesize > Document.entity_expansion_text_limit
++          raise "entity expansion has grown too large"
+         else
+-          entity_value = DocType::DEFAULT_ENTITIES[ ref[1...-1] ]
+-          entity_value ? entity_value.value : ref
++          sum += s.bytesize
+         end
++        s
+       }
+     end
++
++    def Text.expand(ref, doctype, filter)
++      if ref[1] == ?#
++        if ref[2] == ?x
++          [ref[3...-1].to_i(16)].pack('U*')
++        else
++          [ref[2...-1].to_i].pack('U*')
++        end
++      elsif ref == '&amp;'
++        '&'
++      elsif filter and filter.include?( ref[1...-1] )
++        ref
++      elsif doctype
++        doctype.entity( ref[1...-1] ) or ref
++      else
++        entity_value = DocType::DEFAULT_ENTITIES[ ref[1...-1] ]
++        entity_value ? entity_value.value : ref
++      end
++    end
+   end
+ end
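Review bot: the overflow path does `raise "entity expansion has grown too large"`, a bare RuntimeError rather than REXML::ParseException, so code that rescues REXML::ParseException around Document.new or a text access will not catch it; raising a ParseException (or a subclass) with the same message, or at least documenting the exception class, would be friendlier to callers. Two accounting details worth knowing when judging false positives: `sum` is a local reset on every Text::unnormalize call, so the 10_240 cap bounds one text node, not the whole document, and the count includes every REFERENCE match, so numeric character references such as `&#x41;` and predefined entities such as `&lt;` count too, meaning a text node with more than 10240 bytes of ordinary escaped characters will also raise. The move of the old gsub body into Text.expand is behaviour-preserving: the same branches and return values appear in the same order.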
+--- a/test/rexml/test_entity.rb
++++ b/test/rexml/test_entity.rb
+@@ -104,6 +104,24 @@
+     assert_equal source, out
+   end
+ 
++  def test_entity_string_limit
++    template = '<!DOCTYPE bomb [ <!ENTITY a "^" > ]> <bomb>$</bomb>'
++    len      = 5120 # 5k per entity
++    template.sub!(/\^/, "B" * len)
++
++    # 10k is OK
++    entities = '&a;' * 2 # 5k entity * 2 = 10k
++    xmldoc = REXML::Document.new(template.sub(/\$/, entities))
++    assert_equal(len * 2, xmldoc.root.text.bytesize)
++
++    # above 10k explodes
++    entities = '&a;' * 3 # 5k entity * 2 = 15k
++    xmldoc = REXML::Document.new(template.sub(/\$/, entities))
++    assert_raises(RuntimeError) do
++      xmldoc.root.text
++    end
++  end
++
+   def test_raw
+     source = '<!DOCTYPE foo [
+ <!ENTITY ent "replace">
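Review bot: the comment on the second case reads "5k entity * 2 = 15k" but the string is `'&a;' * 3`, so it should say "* 3 = 15k". The test also exercises the limit only loosely: 10240 bytes passes and 15360 raises, so a regression that moved the threshold anywhere in between would go unnoticed; adding a second entity one byte long and checking that two `&a;` plus one of those raises would pin the boundary at limit + 1. Note that assert_raises(RuntimeError) ties the test to the generic exception class chosen in text.rb; if that is ever changed to a ParseException this assertion needs to follow.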
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/series ruby1.9.1-1.9.3.194/debian/patches/series
--- ruby1.9.1-1.9.3.194/debian/patches/series	2013-02-13 16:20:21.000000000 +0100
+++ ruby1.9.1-1.9.3.194/debian/patches/series	2013-03-08 21:49:19.000000000 +0100
@@ -21,3 +21,4 @@
 20121120-cve-2012-5371.diff
 CVE-2013-0256.patch
 CVE-2013-0269.patch
+CVE-2013-1821.patch

Attachment: signature.asc
Description: Digital signature