oss-sec mailing list archives

CVE Request (ruby)


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 25 Aug 2008 15:20:31 +0200

Hello Steve,

  Ruby upstream has announced another security flaw
(DoS vulnerability in REXML module):

http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/

Test case available in part: "Impact".

Proposed preliminary fix: http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb

Testing status: REXML parsing of provided *.xml file causes
                100% CPU usage for about 1 and 1/4 minutes
                (checked the ruby-1.8.5-5.5 case).

Could you please assign a CVE id for it?

Thank you in advance.

Kind regards
Jan iankko Lieskovsky
RH Security Response Team




