Bug #21344: Segmentation Fault Caused by no Backported Patches

Added by tianstcht (Haotian Cheng) 3 months ago. Updated 3 months ago.

Status: Closed
Assignee: -
Target version: -
ruby -v: 3.2.3 (2024-01-18 revision 52bb2ac0a6) [x86_64-linux-gnu]
[ruby-core:122136]

Description

On my local machine (3.2.3 (2024-01-18 revision 52bb2ac0a6) [x86_64-linux-gnu]), which is the default version in Ubuntu 24.04, a segmentation fault can be reliably triggered by the PoC below, which includes malicious XML data.

The PoC:

require "rexml/document"
puts REXML::VERSION

# Build an XML document whose only text node is a single entity reference:
# '&' followed by `size` '1' characters, then "#x2F3F" and a space.
def poc1(size)
    input = <<EOF
     <mydoc>
        <tt>#{'&' + '1'*size + '#x2F3F' + ' '}</tt>
    </mydoc>
EOF

    # Parsing this document is what triggers the segmentation fault.
    parser = REXML::Document.new input
end

poc1(8_999_999)

The issue has been fixed in this commit:
https://github.com/ruby/ruby/commit/b959263b58e26ef630c085f9f7ddc04373a998c7

But the fix hasn't been backported to Ruby 3.2 and 3.3.

Based on the developer's response, I think backporting may be needed, so I filed this issue.
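A safe way to check whether a given interpreter is affected by the report above, as an added example that is not part of the bug report or of Ruby's own code: the PoC is run in a child `ruby` process so that a crash cannot take down the caller, and the child's exit is classified. The function names (`poc_script`, `probe`) and the verdict symbols are this example's own. The one caveat worth knowing is that Ruby installs its own SIGSEGV handler, which writes a "[BUG] Segmentation fault" report to stderr and then aborts, so an interpreter crash usually shows up as death by SIGABRT rather than SIGSEGV.

```ruby
require "open3"
require "rbconfig"

# Added probe harness (not from the bug report): run the reporter's PoC in a
# child interpreter and classify what happened. Names are this example's own.

# Builds a child script that reproduces the report's document: one entity
# reference whose name is `size` '1' characters, followed by "#x2F3F" and a
# space, with no closing ';' (surrounding whitespace from the original is
# omitted). The string is built inside the child so only the size crosses
# the process boundary.
def poc_script(size)
  size = Integer(size)
  <<~RUBY
    require "rexml/document"
    input = "<mydoc><tt>&" + "1" * #{size} + "#x2F3F </tt></mydoc>"
    REXML::Document.new(input)
    puts "parsed without crashing"
  RUBY
end

# Executes `script` with the same ruby binary as the caller. Returns a pair
# [verdict, stderr] where verdict is :ok, :error, :crash or :timeout.
def probe(script, timeout: 60)
  Open3.popen3(RbConfig.ruby, "-e", script) do |stdin, stdout, stderr, waiter|
    stdin.close
    # Drain both pipes concurrently: the bug report Ruby prints on a fatal
    # signal is large enough to fill a pipe buffer and deadlock sequential reads.
    readers = [stdout, stderr].map { |io| Thread.new { io.read } }
    unless waiter.join(timeout)
      begin
        Process.kill("KILL", waiter.pid)
      rescue Errno::ESRCH
        # child exited between the timeout and the kill
      end
      readers.each(&:join)
      return [:timeout, readers[1].value]
    end
    _out, err = readers.map(&:value)
    status = waiter.value
    verdict =
      if status.success?
        :ok
      elsif status.signaled? || err.include?("[BUG]")
        # Ruby's SIGSEGV handler prints a "[BUG] Segmentation fault" report and
        # then abort()s, so the child typically dies by SIGABRT, not SIGSEGV.
        # Either way, death by signal (or a [BUG] banner) is the interpreter
        # crashing, not a Ruby exception.
        :crash
      else
        # Non-zero exit: a Ruby exception such as REXML::ParseException, or a
        # LoadError when the rexml gem is not installed.
        :error
      end
    [verdict, err]
  end
end

if __FILE__ == $PROGRAM_NAME
  size = Integer(ARGV.fetch(0, "8999999")) # the reporter's value by default
  verdict, err = probe(poc_script(size))
  puts "#{RbConfig.ruby} (#{RUBY_VERSION}): #{verdict}"
  puts err.lines.first(3).join if verdict == :crash
end
```

Run it with the interpreter you want to check (`/usr/bin/ruby probe.rb`, optionally with a different size as the first argument); `:crash` means that interpreter still needs the fix, while `:ok` or `:error` (REXML rejecting the malformed entity reference is an ordinary exception, not a crash) means it does not reproduce there.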

Updated by nobu (Nobuyoshi Nakada) 3 months ago

  • Status changed from Open to Closed
  • Backport changed from 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN to 3.2: REQUIRED, 3.3: REQUIRED, 3.4: DONTNEED

Closing to mark for backport.

Updated by nagachika (Tomoyuki Chikanaga) 3 months ago

rexml is already a bundled gem in Ruby 3.2/3.3.
Users can use any version of rexml specified in the lock file.

Updated by nagachika (Tomoyuki Chikanaga) 3 months ago

Ah, I had misunderstood, thinking the fix was in the rexml gem.

Updated by nagachika (Tomoyuki Chikanaga) 3 months ago

  • Backport changed from 3.2: REQUIRED, 3.3: REQUIRED, 3.4: DONTNEED to 3.2: REQUIRED, 3.3: DONE, 3.4: DONTNEED