Bug 905326 (CVE-2014-8090) - VUL-0: CVE-2014-8090: ruby: Another Denial Of Service XML Expansion
Summary: VUL-0: CVE-2014-8090: ruby: Another Denial Of Service XML Expansion
Status: RESOLVED FIXED
Alias: CVE-2014-8090
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Normal (severity)
Target Milestone: ---
Deadline: 2014-12-15
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:released:sle11-sp1:60109 maint...
Reported: 2014-11-13 16:14 UTC by Johannes Segitz
Modified: 2015-03-05 08:07 UTC
CC List: 2 users



Attachments
patch for 1.9.3 (3.45 KB, patch)
2014-11-24 18:12 UTC, Jordi Massaguer

Description Johannes Segitz 2014-11-13 16:14:09 UTC
Unrestricted entity expansion can lead to a DoS vulnerability in REXML.

100% CPU utilization can occur as a result of recursive expansion with an empty String. When reading text nodes from an XML document, the REXML parser can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service.

Sample code:
require 'rexml/document'
xml = <<XML
<!DOCTYPE root [
  # ENTITY expansion vector
]>
<cd></cd>
XML
p REXML::Document.new(xml)

Affected versions
- All ruby 1.9 versions prior to ruby 1.9.3 patchlevel 551
- All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 598
- All ruby 2.1 versions prior to ruby 2.1.5
- prior to trunk revision 48402

References:
https://www.ruby-lang.org/en/news/2014/11/13/rexml-dos-cve-2014-8090/
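As an added example (not part of the bug report above and not Ruby's or REXML's own code), the following script shows the failure mode the description refers to and how a fixed REXML stops it. The nested-entity document is constructed for illustration and is not the elided vector from the advisory; the variant with an empty leaf entity is the case this CVE is about, where the expanded text never grows, so only a limit on the number of expansions (not on the text size) can catch it. The limit-reading helper assumes the installed REXML exposes either REXML::Security (current releases) or the class methods on REXML::Document (the 2014-era fixed releases); the version check encodes only the affected list given above and treats 2.2 and later as released after trunk revision 48402.

```ruby
require 'rexml/document'

# Constructed sample input (not the vector the advisory elides): the classic
# nested-entity document. Seven levels of ten references each expand &a; into
# 10**6 copies of the leaf entity g.
def nested_entity_xml(leaf)
  <<~XML
    <!DOCTYPE member [
      <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
      <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
      <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
      <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
      <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
      <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
      <!ENTITY g "#{leaf}">
    ]>
    <member>&a;</member>
  XML
end

# A non-empty leaf makes the expanded text grow, so the byte-size limit catches it.
BILLION_LAUGHS = nested_entity_xml("xxxxxxxxxx")
# An empty leaf never grows the text (the CVE-2014-8090 case): only a limit on
# the number of expansions can stop it, which is what the fix enforces.
EMPTY_LEAF = nested_entity_xml("")
# Constructed benign document: one entity, one expansion.
BENIGN = <<~XML
  <!DOCTYPE member [ <!ENTITY who "world"> ]>
  <member>hello &who;</member>
XML

# The two limits REXML enforces, read from whichever API the installed
# version exposes (assumption: REXML::Security on current releases, the
# class methods on REXML::Document on the 2014-era fixed releases).
def rexml_limits
  owner = defined?(REXML::Security) ? REXML::Security : REXML::Document
  { expansions: owner.entity_expansion_limit,
    text_bytes: owner.entity_expansion_text_limit }
end

# Parse untrusted XML and force expansion of the root's text node.
# REXML keeps text raw when Document.new builds the tree and expands general
# entities lazily when Text#value is read, so a check that never reads .text
# would not exercise the dangerous path at all.
def parse_untrusted(xml)
  doc = REXML::Document.new(xml)
  text = doc.root.text
  { status: :ok, text: text }
rescue RuntimeError => e # REXML::ParseException is also a RuntimeError
  { status: :rejected, reason: e.message }
end

# Version check against the advisory's affected list (1.9 < 1.9.3p551,
# 2.0 < 2.0.0p598, 2.1 < 2.1.5). Returns nil for trees the advisory does not
# classify (e.g. 1.8); 2.2+ shipped after the fixing trunk revision and is
# treated as fixed.
def affected_by_cve_2014_8090?(version = RUBY_VERSION, patchlevel = RUBY_PATCHLEVEL)
  major, minor, teeny = version.split(".").map(&:to_i)
  case [major, minor]
  when [1, 9] then teeny < 3 || patchlevel < 551
  when [2, 0] then patchlevel < 598
  when [2, 1] then teeny < 5
  else ([major, minor] <=> [2, 2]) >= 0 ? false : nil
  end
end

if __FILE__ == $0
  puts "ruby #{RUBY_VERSION}p#{RUBY_PATCHLEVEL} affected: #{affected_by_cve_2014_8090?.inspect}"
  puts "REXML limits: #{rexml_limits.inspect}"
  { benign: BENIGN, billion_laughs: BILLION_LAUGHS, empty_leaf: EMPTY_LEAF }.each do |name, xml|
    puts "#{name}: #{parse_untrusted(xml).inspect}"
  end
end
```

On a fixed REXML both hostile documents come back as :rejected with the limit's message, the benign one as :ok with "hello world"; on a vulnerable build the empty-leaf document is the one that spins the CPU, because the text-size limit from the earlier CVEs never trips when every expansion adds zero bytes.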
Comment 1 Swamp Workflow Management 2014-11-13 23:00:59 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2014-11-17 13:41:36 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2014-12-15.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59699
Comment 3 Jordi Massaguer 2014-11-24 18:12:03 UTC
commit for version 1.9.3 e70ce4c096e3d1557a9bb5b7e89a9bb613b0794c

see attachment.
Comment 4 Jordi Massaguer 2014-11-24 18:12:30 UTC
Created attachment 614769
patch for 1.9.3
Comment 6 Bernhard Wiedemann 2014-11-25 21:00:22 UTC
This is an autogenerated message for OBS integration:
This bug (905326) was mentioned in
https://build.opensuse.org/request/show/263042 12.3 / ruby19
https://build.opensuse.org/request/show/263043 13.1 / ruby19
Comment 7 Jordi Massaguer 2014-12-01 09:23:12 UTC
blocked on https://fate.suse.com/317961
Comment 8 Swamp Workflow Management 2014-12-08 16:05:34 UTC
openSUSE-SU-2014:1589-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 902851,905326
CVE References: CVE-2014-8080,CVE-2014-8090
Sources used:
openSUSE 13.1 (src):    ruby19-1.9.3.p448-2.8.1
openSUSE 12.3 (src):    ruby19-1.9.3.p392-1.21.1
Comment 11 Jordi Massaguer 2014-12-18 17:57:12 UTC
assigning to security team. I've submitted the packages. Automatic comments should appear next.
Comment 13 Bernhard Wiedemann 2014-12-18 18:00:29 UTC
This is an autogenerated message for OBS integration:
This bug (905326) was mentioned in
https://build.opensuse.org/request/show/265829 13.1 / ruby20
https://build.opensuse.org/request/show/265830 13.2 / ruby2.1
Comment 14 Swamp Workflow Management 2015-01-02 09:05:05 UTC
openSUSE-SU-2015:0002-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 902851,905326
CVE References: CVE-2014-8080,CVE-2014-8090
Sources used:
openSUSE 13.1 (src):    ruby20-2.0.0.p247-3.19.1
Comment 15 Swamp Workflow Management 2015-01-02 09:08:55 UTC
openSUSE-SU-2015:0007-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 902851,905326
CVE References: CVE-2014-8080,CVE-2014-8090
Sources used:
openSUSE 13.2 (src):    ruby2.1-2.1.3-4.1
Comment 16 Swamp Workflow Management 2015-01-20 15:05:11 UTC
SUSE-SU-2015:0093-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 902851,905326
CVE References: CVE-2014-8080,CVE-2014-8090
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    ruby2.1-2.1.2-9.1
SUSE Linux Enterprise Server 12 (src):    ruby2.1-2.1.2-9.1
SUSE Linux Enterprise Desktop 12 (src):    ruby2.1-2.1.2-9.1
Comment 17 Swamp Workflow Management 2015-01-28 00:06:10 UTC
SUSE-SU-2015:0157-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 902851,905326
CVE References: CVE-2014-8080,CVE-2014-8090
Sources used:
SUSE Studio Onsite 1.3 (src):    ruby19-1.9.3.p392-0.19.1
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    ruby-1.8.7.p357-0.9.17.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    ruby-1.8.7.p357-0.9.17.1
SUSE Linux Enterprise Server 11 SP3 (src):    ruby-1.8.7.p357-0.9.17.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    ruby-1.8.7.p357-0.9.17.1
Comment 18 Marcus Meissner 2015-03-05 08:07:08 UTC
released