Red Hat Bugzilla – Bug 1159927
CVE-2014-8090 ruby: REXML incomplete fix for CVE-2014-8080
Last modified: 2018-06-29 18:02:48 EDT
The CVE-2014-8080 (tracked via bug 1157709) was assigned to a "billion laughs" issue affecting the Ruby REXML XML parser. The issue affected expansion of parameter entities, making it possible for a small XML document to cause the parser to use excessive amount of CPU and memory while parsing. The upstream patch for CVE-2014-8080 introduced checks against the REXML.entity_expansion_text_limit, but did not add restrictions to limit the number of expansions performed, i.e. checks against the REXML::Document.entity_expansion_limit. As a consequence, even with the patch applied, a small XML document could cause REXML to use an excessive amount of CPU time. High memory usage can be achieved using larger inputs. Note that similar issues were fixing in REXML in the past for general entities - see bug 460134 (CVE-2008-3790) or bug 914716 (CVE-2013-1821). Acknowledgement: This issue was discovered by Red Hat Product Security.
Created attachment 953157 [details] Upstream fix
External References: https://www.ruby-lang.org/en/news/2014/11/13/rexml-dos-cve-2014-8090/
Fixed upstream in 1.9.3p551, 2.0.0p598, and 2.1.5. Upstream commit: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=48402
Statement: Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/ Red Hat JBoss SOA Platform 5 is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes; and Red Hat JBoss SOA Platform 4.3 is now in Extended Life Support phase receiving only Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware Product Life Cycle: https://access.redhat.com/support/policy/updates/jboss_notes/
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2014:1911 https://rhn.redhat.com/errata/RHSA-2014-1911.html
This issue has been addressed in the following products: Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS Via RHSA-2014:1914 https://rhn.redhat.com/errata/RHSA-2014-1914.html
This issue has been addressed in the following products: Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS Via RHSA-2014:1913 https://rhn.redhat.com/errata/RHSA-2014-1913.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2014:1912 https://rhn.redhat.com/errata/RHSA-2014-1912.html
JRuby was fixed upstream in 1.7.16.2: http://jruby.org/2014/12/08/jruby-1-7-16-2.html
Created jruby tracking bugs for this issue: Affects: fedora-all [bug 1542174] Created ruby tracking bugs for this issue: Affects: fedora-all [bug 1542175]
(In reply to Kurt Seifried from comment #17) > Created ruby tracking bugs for this issue: > > Affects: fedora-all [bug 1542175] Pardon me, but what is this? Does the problem reappeared in Ruby 2.5?