[ruby-core:122136] [Ruby Bug#21344] Segment Fault Caused by no Backported Patches

Issue #21344 has been reported by tianstcht (Haotian Cheng).

----------------------------------------
Bug #21344: Segment Fault Caused by no Backported Patches
https://bugs.ruby-lang.org/issues/21344

* Author: tianstcht (Haotian Cheng)
* Status: Open
* ruby -v: 3.2.3 (2024-01-18 revision 52bb2ac0a6) [x86_64-linux-gnu]
* Backport: 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN
----------------------------------------
On my local machine (3.2.3 (2024-01-18 revision 52bb2ac0a6) [x86_64-linux-gnu]), which is the default version in Ubuntu 24.04, a segmentation fault can be stably triggered by the PoC including malicious XML data. The PoC here:

```ruby
require "rexml/document"
puts REXML::VERSION

# Builds a document whose text node holds one entity reference of `size` digits
# followed by "#x2F3F " (no terminating ';'), then hands it to REXML.
def poc1(size)
  input = <<EOF
<mydoc>
<tt>#{'&' + '1'*size + '#x2F3F' + ' '}</tt>
</mydoc>
EOF
  parser = REXML::Document.new input
end

poc1(8_999_999)
```

The issue has been fixed in this commit: https://github.com/ruby/ruby/commit/b959263b58e26ef630c085f9f7ddc04373a998c7

But the fix hasn't been backported to Ruby 3.2 and 3.3. Based on the developer's response, I think the backporting may be needed, so this issue is filed.

--
https://bugs.ruby-lang.org/
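A defensive pre-parse guard, added here as an example and not part of the report, of Ruby or of REXML: it rejects input shaped like the PoC above (an entity reference millions of characters long) before REXML ever sees it, which matters on a 3.2/3.3 host where the fix in the commit above has not been backported. The limits are assumed policy values and `oversized_entity_ref` / `safe_parse` are names chosen for this example.

```ruby
require "rexml/document"

# Assumed policy limits (not from the report): well-formed references such as
# &amp; or &#x2F3F; are a handful of characters, so a far longer run after '&'
# is hostile input rather than data.
MAX_ENTITY_REF_LEN = 64
MAX_DOCUMENT_BYTES = 1 << 20

class UnsafeXmlError < StandardError; end

# Returns the offset of the first '&' that starts a run of entity-name or
# character-reference characters longer than +limit+, or nil when none does.
# Only limit+1 characters after each '&' are examined, so rejecting a
# PoC-sized run costs O(limit), not O(run length).
def oversized_entity_ref(xml, limit = MAX_ENTITY_REF_LEN)
  pos = 0
  while (amp = xml.index("&", pos))
    window = xml[amp + 1, limit + 1] || ""
    return amp if window[/\A[#\w]*/].length > limit
    pos = amp + 1
  end
  nil
end

# Parses only after both checks pass; raises UnsafeXmlError otherwise.
def safe_parse(xml)
  if xml.bytesize > MAX_DOCUMENT_BYTES
    raise UnsafeXmlError, "document of #{xml.bytesize} bytes exceeds limit"
  end
  if (off = oversized_entity_ref(xml))
    raise UnsafeXmlError, "entity reference at offset #{off} exceeds #{MAX_ENTITY_REF_LEN} chars"
  end
  REXML::Document.new(xml)
end

# Constructed sample inputs: the PoC's shape at a harmless size (the report
# uses 8_999_999 digits), and a benign document with ordinary references.
POC_SHAPED = "<mydoc><tt>#{'&' + '1' * 200 + '#x2F3F' + ' '}</tt></mydoc>"
BENIGN     = "<mydoc><tt>a &amp; b &#x2F3F; c</tt></mydoc>"

if __FILE__ == $0
  puts "PoC-shaped input rejected at offset #{oversized_entity_ref(POC_SHAPED)}"
  puts "benign root element: #{safe_parse(BENIGN).root.name}"
end
```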

Issue #21344 has been updated by nobu (Nobuyoshi Nakada).

Status changed from Open to Closed
Backport changed from 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN to 3.2: REQUIRED, 3.3: REQUIRED, 3.4: DONTNEED

Close to mark for backport.

----------------------------------------
Bug #21344: Segment Fault Caused by no Backported Patches
https://bugs.ruby-lang.org/issues/21344#change-113289

Issue #21344 has been updated by nagachika (Tomoyuki Chikanaga).

rexml is already a bundled gem in Ruby 3.2/3.3. Users can use any version of rexml specified in the lock file.

----------------------------------------
Bug #21344: Segment Fault Caused by no Backported Patches
https://bugs.ruby-lang.org/issues/21344#change-113291

Issue #21344 has been updated by nagachika (Tomoyuki Chikanaga).

Ah, I had misunderstood that the fix was in rexml.gem.

----------------------------------------
Bug #21344: Segment Fault Caused by no Backported Patches
https://bugs.ruby-lang.org/issues/21344#change-113292

Issue #21344 has been updated by nagachika (Tomoyuki Chikanaga).

Backport changed from 3.2: REQUIRED, 3.3: REQUIRED, 3.4: DONTNEED to 3.2: REQUIRED, 3.3: DONE, 3.4: DONTNEED

ruby_3_3 commit:1f226f1efeeae3a5091c60e2f51e027d0598f394 merged revision(s) commit:b959263b58e26ef630c085f9f7ddc04373a998c7.

----------------------------------------
Bug #21344: Segment Fault Caused by no Backported Patches
https://bugs.ruby-lang.org/issues/21344#change-113329
participants (3)
- nagachika (Tomoyuki Chikanaga)
- nobu (Nobuyoshi Nakada)
- tianstcht (Haotian Cheng)