Package: ruby1.9.1 / 1.9.3.194-8.1+deb7u5

CVE-2014-8080.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
Description: Fix CVE-2014-8080
Origin: upstream, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=48161
Forwarded: not-needed
Author: Alessandro Ghedini <ghedo@debian.org>
Last-Update: 2015-02-07

--- a/lib/rexml/entity.rb
+++ b/lib/rexml/entity.rb
@@ -138,8 +138,14 @@
         matches = @value.scan(PEREFERENCE_RE)
         rv = @value.clone
         if @parent
+          sum = 0
           matches.each do |entity_reference|
             entity_value = @parent.entity( entity_reference[0] )
+            if sum + entity_value.bytesize > Document.entity_expansion_text_limit
+              raise "entity expansion has grown too large"
+            else
+              sum += entity_value.bytesize
+            end
             rv.gsub!( /%#{entity_reference.join};/um, entity_value )
           end
         end
--- a/test/rexml/test_document.rb
+++ b/test/rexml/test_document.rb
@@ -47,6 +47,20 @@
 </member>
 EOF
 
+    XML_WITH_NESTED_PARAMETER_ENTITY = <<EOF
+<!DOCTYPE root [
+  <!ENTITY % a "BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.">
+  <!ENTITY % b "%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;">
+  <!ENTITY % c "%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;">
+  <!ENTITY % d "%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;">
+  <!ENTITY % e "%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;">
+  <!ENTITY % f "%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;">
+  <!ENTITY % g "%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;">
+  <!ENTITY test "test %g;">
+]>
+<cd></cd>
+EOF
+
   XML_WITH_4_ENTITY_EXPANSION = <<EOF
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE member [
@@ -83,6 +97,19 @@
     end
   ensure
     REXML::Document.entity_expansion_limit = 10000
+  end
+
+  def test_entity_expansion_limit_for_parameter_entity
+    assert_raise(REXML::ParseException) do
+      REXML::Document.new(XML_WITH_NESTED_PARAMETER_ENTITY)
+    end
+    REXML::Document.entity_expansion_limit = 100
+    assert_equal(100, REXML::Document.entity_expansion_limit)
+    assert_raise(REXML::ParseException) do
+      REXML::Document.new(XML_WITH_NESTED_PARAMETER_ENTITY)
+    end
+  ensure
+    REXML::Document.entity_expansion_limit = 10000
   end
 
   def test_tag_in_cdata_with_not_ascii_only_but_ascii8bit_encoding_source
--- a/test/rexml/test_entity.rb
+++ b/test/rexml/test_entity.rb
@@ -122,6 +122,22 @@
     end
   end
 
+  def test_entity_string_limit_for_parameter_entity
+    template = '<!DOCTYPE bomb [ <!ENTITY % a "^" > <!ENTITY bomb "$" > ]><root/>'
+    len      = 5120 # 5k per entity
+    template.sub!(/\^/, "B" * len)
+
+    # 10k is OK
+    entities = '%a;' * 2 # 5k entity * 2 = 10k
+    REXML::Document.new(template.sub(/\$/, entities))
+
+    # above 10k explodes
+    entities = '%a;' * 3 # 5k entity * 2 = 15k
+    assert_raises(REXML::ParseException) do
+      REXML::Document.new(template.sub(/\$/, entities))
+    end
+  end
+
   def test_raw
     source = '<!DOCTYPE foo [
 <!ENTITY ent "replace">