Bug 2280894 (CVE-2024-35176)

Summary: CVE-2024-35176 REXML: DoS parsing an XML with many `<`s in an attribute value
Product: [Other] Security Response
Reporter: Zack Miele <zmiele>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: caswilli, kaycoth, sthirugn, vkrizan, vmugicag
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: REXML 3.2.7
Doc Type: If docs needed, set a value
Bug Depends On: 2282493, 2282494, 2282495
Bug Blocks: 2280888

Description Zack Miele 2024-05-16 20:52:33 UTC
REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted by this vulnerability. The REXML gem 3.2.7 or later includes the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.

https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb
https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176

Comment 1 Zack Miele 2024-05-22 12:59:58 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-39 [bug 2282493]
Affects: fedora-40 [bug 2282494]

Comment 3 errata-xmlrpc 2024-07-11 11:48:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4499 https://access.redhat.com/errata/RHSA-2024:4499

Comment 4 errata-xmlrpc 2024-08-13 18:36:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5338 https://access.redhat.com/errata/RHSA-2024:5338