Bug 10844

Summary: CVE-2013-1821: ruby - entity expansion DoS vulnerability in REXML
Product: Mageia
Reporter: Oden Eriksson <oe>
Component: Security
Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED DUPLICATE
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: luigiwalser
Version: 2
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1821
Whiteboard:
Source RPM: ruby
CVE:
Status comment:

Description Oden Eriksson 2013-07-26 10:49:37 CEST
Name: CVE-2013-1821
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1821
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130219
Category: 
Reference: MLIST:[oss-security] 20130306 CVE for Ruby Entity expansion DoS vulnerability in REXML (XML bomb)
Reference: URL:http://www.openwall.com/lists/oss-security/2013/03/06/5
Reference: MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702525
Reference: MISC:https://bugzilla.redhat.com/show_bug.cgi?id=914716
Reference: CONFIRM:http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=39384
Reference: CONFIRM:http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/
Reference: REDHAT:RHSA-2013:0611
Reference: URL:http://rhn.redhat.com/errata/RHSA-2013-0611.html
Reference: SLACKWARE:SSA:2013-075-01
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2013-03/0104.html
Reference: SUSE:openSUSE-SU-2013:0603
Reference: URL:http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html
Reference: SUSE:openSUSE-SU-2013:0614
Reference: URL:http://lists.opensuse.org/opensuse-updates/2013-04/msg00036.html
Reference: UBUNTU:USN-1780-1
Reference: URL:http://www.ubuntu.com/usn/USN-1780-1
Reference: SECUNIA:52783
Reference: URL:http://secunia.com/advisories/52783
Reference: SECUNIA:52902
Reference: URL:http://secunia.com/advisories/52902

lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows
remote attackers to cause a denial of service (memory consumption and
crash) via crafted text nodes in an XML document, aka an XML Entity
Expansion (XEE) attack.

Comment 1 Oden Eriksson 2013-07-26 10:52:03 CEST
NOTE: this is fixed in updates_testing/ruby-1.8.7.p358-1.3.mga2.src.rpm with:

ruby-2.0.0-add-missing-rexml-require.patch
ruby-2.0.0-entity-expansion-DoS-vulnerability-in-REXML.patch
Comment 2 Oden Eriksson 2013-07-26 10:58:35 CEST
How I hate the mga rpm changelogs...

Status: NEW => RESOLVED
Resolution: (none) => INVALID

Comment 3 David Walser 2013-07-26 17:38:27 CEST
Fixed in Bug 9300.

Oden, forget about the package changelogs.

Bugzilla has this nice search feature.

Go to the Search page, make sure you have Advanced Search selected (tab at top).

Under Status:, hold the Ctrl key and click on RESOLVED.

Then search for the package name you're interested in.

Almost all of the security bugs have the CVE(s) at the end of the bug name.

*** This bug has been marked as a duplicate of bug 9300 ***

CC: (none) => luigiwalser
Resolution: INVALID => DUPLICATE

Comment 4 David Walser 2013-07-26 17:43:33 CEST
Note that you can also look at svnweb, which usually has the CVEs in the commit messages (not always in Cauldron, but almost always in stable).  For instance:
http://svnweb.mageia.org/packages/updates/2/ruby/current/SPECS/ruby.spec?view=log