Bug 1947526 (CVE-2021-28965)

Summary: CVE-2021-28965 ruby: XML round-trip vulnerability in REXML
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: akarol, dmetzger, gmccullo, gtanzill, hhorak, jfrey, jhardy, joe, jorton, jprokop, kaycoth, mo, mtasaka, obarenbo, pvalena, roliveri, ruby-maint, ruby-packagers-sig, simaishi, smallamp, s, strzibny, vanmeeuwen+fedora, vmugicag, vondruch
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: ruby 2.5.9, ruby 2.6.7, ruby 2.7.3, ruby 3.0.1, rubygem-rexml 3.2.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the Ruby REXML library parsed XML documents. Parsing a specially crafted XML document using REXML and writing parsed data back to a new XML document results in creating a document with a different structure. This issue could affect the integrity of processed data in applications using REXML that parse XML documents, write data back to XML, and re-parse them again.
Last Closed: 2021-05-26 11:32:36 UTC
Bug Depends On: 1950949, 1947527, 1947528, 1947529, 1947530, 1950520, 1950521, 1950522, 1950523, 1950524, 1950525, 1950526, 1950527, 1954788, 1955057, 1956794, 1957118, 2055225, 2055235
Bug Blocks: 1947531

Description Guilherme de Almeida Suckevicz 2021-04-08 16:46:35 UTC
When parsing and serializing a crafted XML document, the REXML gem (including the one bundled with Ruby) can create a wrong XML document whose structure is different from the original one. The impact of this issue highly depends on context, but it may lead to a vulnerability in some programs that are using REXML.

Reference:
https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
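The description above boils down to a parse / write / re-parse cycle whose output no longer matches its input. The following added example (not part of the bug report or of REXML itself) is a round-trip consistency check an application can run before trusting data it has serialized with REXML and read back: it compares the element structure of the original tree with the tree obtained from the re-parsed output. The sample document is constructed and benign; the check simply reports whether the structure survived.

```ruby
# Added example: detect a REXML round-trip structure change (the symptom
# described for CVE-2021-28965) by comparing the parsed tree before and
# after serialize-and-re-parse. Sample input below is constructed.
require 'rexml/document'

# Reduce an element to [name, sorted attributes, direct text, children].
def structure_of(element)
  attrs = []
  element.attributes.each_attribute { |a| attrs << [a.expanded_name, a.value] }
  text = element.texts.map(&:value).join
  children = element.elements.map { |child| structure_of(child) }
  [element.name, attrs.sort, text, children]
end

# Parse, write with REXML's own writer, re-parse, and compare structures.
# Returns true when the round trip preserved the element tree.
def round_trip_stable?(xml_text)
  first = REXML::Document.new(xml_text)
  serialized = +''
  first.write(serialized)
  second = REXML::Document.new(serialized)
  structure_of(first.root) == structure_of(second.root)
end

# Constructed, well-formed sample; it does not attempt to trigger the bug.
SAMPLE_XML = <<~XML
  <config version="1">
    <user name="alice" role="reader"/>
    <user name="bob" role="admin"/>
    <note>ampersand &amp; entity kept</note>
  </config>
XML

if __FILE__ == $PROGRAM_NAME
  if round_trip_stable?(SAMPLE_XML)
    puts 'structure stable across round trip'
  else
    puts 'structure changed: do not trust the re-parsed document'
  end
end
```

A mismatch on otherwise well-formed input is the signal to reject the document, or to upgrade to one of the fixed versions listed above.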

Comment 1 Guilherme de Almeida Suckevicz 2021-04-08 16:47:13 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1947527]


Created ruby:2.6/ruby tracking bugs for this issue:

Affects: fedora-33 [bug 1947528]


Created ruby:2.7/ruby tracking bugs for this issue:

Affects: fedora-33 [bug 1947529]


Created ruby:master/ruby tracking bugs for this issue:

Affects: fedora-all [bug 1947530]

Comment 2 Yadnyawalk Tale 2021-04-09 18:25:08 UTC
Red Hat CloudForms is in maintenance support 2 phase and we won't be fixing Low and Medium severity security issues. Please refer to the updated CloudForms Statement of Direction: https://access.redhat.com/articles/4639821

Comment 8 errata-xmlrpc 2021-05-25 13:14:19 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2104 https://access.redhat.com/errata/RHSA-2021:2104

Comment 9 Product Security DevOps Team 2021-05-26 11:32:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-28965

Comment 10 errata-xmlrpc 2021-06-03 11:25:16 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2229 https://access.redhat.com/errata/RHSA-2021:2229

Comment 11 errata-xmlrpc 2021-06-03 11:26:02 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2230 https://access.redhat.com/errata/RHSA-2021:2230

Comment 12 errata-xmlrpc 2021-06-29 16:01:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2584 https://access.redhat.com/errata/RHSA-2021:2584

Comment 13 errata-xmlrpc 2021-06-29 16:03:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2587 https://access.redhat.com/errata/RHSA-2021:2587

Comment 14 errata-xmlrpc 2021-06-29 16:04:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2588 https://access.redhat.com/errata/RHSA-2021:2588

Comment 15 errata-xmlrpc 2022-02-21 10:11:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581

Comment 16 errata-xmlrpc 2022-02-21 10:12:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582