Ruby upstream has reported a security vulnerability present in the Ruby REXML module. The REXML engine is vulnerable to the "XML entity explosion" attack. This issue could allow an attacker to cause a denial of service by attempting to parse an XML file with recursively nested entities via the Ruby XML file parsing engine (REXML).

References:
http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/
http://groups.google.com/group/comp.lang.ruby/browse_thread/thread/19f69e8a081fc0d1/e138e014b74352ca?#e138e014b74352ca
Created attachment 314979: Upstream PoC -- XML file with recursively nested entities
Created attachment 315334: The Ruby core REXML module patch.
References (patches):

1, Monkey patch, to be applied on every application by the user
http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb
http://weblog.rubyonrails.com/2008/8/23/dos-vulnerabilities-in-rexml

2, Standard patch, to be applied to the Ruby core (REXML module) implementation
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/18414
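The defence behind the referenced fixes is to bound entity expansion instead of trusting the DTD. The following is an added example, not code from this bug report, from REXML or from the linked patches: a small pre-parse check that computes how many expansions an XML document's internal-subset entities would cause and how large the expanded body would become, without building the expanded string, and rejects the document when either figure passes a fixed limit or when an entity references itself. The sample documents, the limits and all helper names (`check_document`, `classify`, `text_cost`) are constructed for this example.

```ruby
# Added example (not REXML's code): reject XML whose entity declarations would
# expand beyond a fixed budget, or which contain a self-referencing entity.
class ExpansionLimitExceeded < StandardError; end
class RecursiveEntity < StandardError; end

# Only internal general entities with a literal value are handled here
# (no parameter entities, no SYSTEM/PUBLIC external entities).
ENTITY_DECL = /<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>/
ENTITY_REF  = /&(\w+);/

# name => replacement text for every <!ENTITY ...> declaration in the document
def entity_definitions(xml)
  xml.scan(ENTITY_DECL).each_with_object({}) do |(name, dq, sq), defs|
    defs[name] = dq || sq
  end
end

# Cost of a piece of text = [number of entity expansions, expanded byte size],
# computed arithmetically rather than by expanding. `stack` holds the entities
# currently being costed, so a cycle is reported instead of recursing forever.
def text_cost(text, defs, memo, stack)
  expansions = 0
  bytes = text.bytesize
  text.scan(ENTITY_REF) do |(name)|
    next unless defs.key?(name)            # &amp; and friends stay literal
    sub_expansions, sub_bytes = entity_cost(name, defs, memo, stack)
    bytes += sub_bytes - (name.length + 2) # "&name;" is replaced by its expansion
    expansions += 1 + sub_expansions
  end
  [expansions, bytes]
end

def entity_cost(name, defs, memo, stack)
  raise RecursiveEntity, "entity '#{name}' expands to itself" if stack.include?(name)
  memo[name] ||= text_cost(defs[name], defs, memo, stack + [name])
end

# Raises unless the fully expanded document body stays within the limits.
# Returns [expansions, bytes] so a caller can log what the document would cost.
def check_document(xml, max_expansions: 10_000, max_bytes: 1_000_000)
  defs = entity_definitions(xml)
  body = xml.sub(/<!DOCTYPE.*?\]\s*>/m, '').strip # measure the body, not the DTD
  expansions, bytes = text_cost(body, defs, {}, [])
  if expansions > max_expansions || bytes > max_bytes
    raise ExpansionLimitExceeded,
          "#{expansions} expansions / #{bytes} bytes exceed the configured limits"
  end
  [expansions, bytes]
end

# Convenience wrapper for callers that only need a verdict: :ok, :too_large or :recursive
def classify(xml, **limits)
  check_document(xml, **limits)
  :ok
rescue ExpansionLimitExceeded
  :too_large
rescue RecursiveEntity
  :recursive
end

# Constructed sample documents.
SAFE_XML = <<~XML
  <!DOCTYPE note [
    <!ENTITY company "Example Corp">
    <!ENTITY sig "Regards, &company;">
  ]>
  <note>&sig;</note>
XML

# The shape of the upstream report in miniature: each level references the
# previous one four times, so the body grows geometrically with the depth.
NESTED_XML = <<~XML
  <!DOCTYPE x [
    <!ENTITY a "aaaa">
    <!ENTITY b "&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;">
    <!ENTITY d "&c;&c;&c;&c;">
  ]>
  <x>&d;</x>
XML

RECURSIVE_XML = <<~XML
  <!DOCTYPE x [
    <!ENTITY loop "&loop;">
  ]>
  <x>&loop;</x>
XML

if $PROGRAM_NAME == __FILE__
  p check_document(SAFE_XML)                 # => [2, 34]
  p check_document(NESTED_XML)               # => [85, 263]
  p classify(NESTED_XML, max_expansions: 50) # => :too_large
  p classify(RECURSIVE_XML)                  # => :recursive
end
```

The cost of each entity is memoised, so a document with many levels of nesting is analysed in time proportional to the number of declarations rather than to the size it would expand to; that is the point of computing the figures instead of expanding and then measuring. The limits are deliberately generous defaults and should be tuned to what the application actually needs to accept.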
ruby-1.8.6.287-2.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/ruby-1.8.6.287-2.fc8
ruby-1.8.6.287-2.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/ruby-1.8.6.287-2.fc9
ruby-1.8.6.287-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
ruby-1.8.6.287-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0897.html

Fedora:
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-8736
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-8738