Description of problem:
The CVE-2008-3790 patch has a regression where parsing XML causes an unexpected error.

See
Debian -> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502535
Ubuntu -> https://bugs.launchpad.net/ubuntu/+source/ruby1.8/+bug/291893

Version-Release number of selected component (if applicable):
$ rpm -q ruby
ruby-1.8.6.287-3.fc11.x86_64

How reproducible:

Steps to Reproduce:
$ ruby -r rexml/document -r open-uri -e 'REXML::Document.new(URI.parse("http://github.com/bioruby/bioruby/tree/master%2Ftest%2Fdata%2Fblast%2Fb0002.faa.m7?raw=true").read).root.each_element_with_text { |e| p e.name }'

Actual results:
"BlastOutput_program"
"BlastOutput_version"
/usr/lib/ruby/1.8/rexml/entity.rb:76:in `unnormalized': undefined method `record_entity_expansion' for nil:NilClass (NoMethodError)
        from /usr/lib/ruby/1.8/rexml/doctype.rb:135:in `entity'
        from /usr/lib/ruby/1.8/rexml/text.rb:325:in `unnormalize'
        from /usr/lib/ruby/1.8/rexml/text.rb:323:in `each'
        from /usr/lib/ruby/1.8/rexml/text.rb:323:in `unnormalize'
        from /usr/lib/ruby/1.8/rexml/text.rb:174:in `value'
        from /usr/lib/ruby/1.8/rexml/element.rb:452:in `text'
        from /usr/lib/ruby/1.8/rexml/element.rb:433:in `has_text?'
        from /usr/lib/ruby/1.8/rexml/element.rb:384:in `each_element_with_text'
        from /usr/lib/ruby/1.8/rexml/element.rb:709:in `call'
        from /usr/lib/ruby/1.8/rexml/element.rb:709:in `each_with_something'
        from /usr/lib/ruby/1.8/rexml/element.rb:891:in `each'
        from /usr/lib/ruby/1.8/rexml/xpath.rb:53:in `each'
        from /usr/lib/ruby/1.8/rexml/element.rb:891:in `each'
        from /usr/lib/ruby/1.8/rexml/element.rb:708:in `each_with_something'
        from /usr/lib/ruby/1.8/rexml/element.rb:388:in `each_element_with_text'
        from -e:1

Expected results:
No error

Additional info:
Patch is attached on Debian bug (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502535)

Fixed in ruby-1.8.6.368, pending for updates-testing
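
An offline check for the regression reported above, as an added example that is not part of the bug report or of the Ruby patch. It assumes, from the backtrace, that the failure is reached when REXML expands an entity reference in a text node of a document that has a DOCTYPE; the XML sample and the helper names `element_texts` and `regression_present?` are constructed for illustration.

```ruby
require "rexml/document"

# Constructed sample, not the b0002.faa.m7 file from the report. It has a
# DOCTYPE and text nodes containing predefined and declared entity references.
SAMPLE_XML = <<XML
<?xml version="1.0"?>
<!DOCTYPE BlastOutput [
  <!ENTITY db "sample database">
]>
<BlastOutput>
  <BlastOutput_program>blastp</BlastOutput_program>
  <BlastOutput_version>constructed 0.0</BlastOutput_version>
  <BlastOutput_reference>see &lt;ref&gt;</BlastOutput_reference>
  <BlastOutput_db>&db;</BlastOutput_db>
  <BlastOutput_empty/>
</BlastOutput>
XML

# Walks the root's children the same way the one-liner in the report does and
# returns [name, text] pairs. Reading the text forces entity expansion.
def element_texts(xml)
  pairs = []
  REXML::Document.new(xml).root.each_element_with_text do |e|
    pairs << [e.name, e.text]
  end
  pairs
end

# True when the installed REXML shows the failure from the report:
# record_entity_expansion called on a nil document during expansion.
# Any other error is re-raised so it is not mistaken for this regression.
def regression_present?(xml)
  element_texts(xml)
  false
rescue NoMethodError => e
  raise unless e.message.include?("record_entity_expansion")
  true
end

if __FILE__ == $0
  if regression_present?(SAMPLE_XML)
    puts "REGRESSION: entity expansion fails on documents with a DOCTYPE"
  else
    element_texts(SAMPLE_XML).each { |name, text| puts "#{name}: #{text}" }
  end
end
```
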