oss-sec mailing list archives

Re: CVE Request (ruby)


From: Pınar Yanardağ <pinar () pardus org tr>
Date: Tue, 26 Aug 2008 11:46:03 +0300

Jan Lieskovsky wrote On 25-08-2008 16:20:
Hello Steve,

   Ruby upstream has announced another security flaw
(DoS vulnerability in REXML module):

http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/

Test case available in part: "Impact".

Proposed preliminary fix: http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb


There is an ongoing discussion on comp.lang.ruby about the announcement of this flaw being focused more on Rails than on Ruby. [1] I agree that the majority of vulnerable apps are Rails apps, but there has still been no update for Ruby's standard library in 3 days.

[1]: http://groups.google.com/group/comp.lang.ruby/browse_thread/thread/19f69e8a081fc0d1/e138e014b74352ca?#e138e014b74352ca

Testing status: REXML parsing of provided *.xml file causes
                 100% cpu usage for about 1 and 1/4 minutes
                 (checked the ruby-1.8.5-5.5 case).

Could you please assign a CVE id for it?

Thank you in advance.

Kind regards
Jan iankko Lieskovsky
RH Security Response Team


Regards,

--
Pınar Yanardağ
http://pinguar.org

