Regression: REXML DoS fix causes error when parsing XML

Bug #291893 reported by Makoto Kato on 2008-11-01
Affects Status Importance Assigned to Milestone
ruby1.8 (Debian)
Fix Released
ruby1.8 (Ubuntu)

Bug Description

Binary package hint: ruby1.8

REXML in Ubuntu 8.10 causes an unexpected error. When I use REXML in the original 8.04, this doesn't occur.

This is reported in the Debian BTS. A fix patch is attached to that BTS bug.

- Env.
Package: libruby1.8
Status: install ok installed
Priority: optional
Section: libs
Installed-Size: 6136
Maintainer: Ubuntu Core Developers <email address hidden>
Architecture: amd64
Source: ruby1.8

- Step
$ ruby -r rexml/document -r open-uri -e '"").read).root.each_element_with_text { |e| p }'

/usr/lib/ruby/1.8/rexml/entity.rb:76:in `unnormalized': undefined method `record_entity_expansion' for nil:NilClass (NoMethodError)
 from /usr/lib/ruby/1.8/rexml/doctype.rb:135:in `entity'
 from /usr/lib/ruby/1.8/rexml/text.rb:325:in `unnormalize'
 from /usr/lib/ruby/1.8/rexml/text.rb:323:in `each'
 from /usr/lib/ruby/1.8/rexml/text.rb:323:in `unnormalize'
 from /usr/lib/ruby/1.8/rexml/text.rb:174:in `value'
 from /usr/lib/ruby/1.8/rexml/element.rb:452:in `text'
 from /usr/lib/ruby/1.8/rexml/element.rb:433:in `has_text?'
 from /usr/lib/ruby/1.8/rexml/element.rb:384:in `each_element_with_text'
 from /usr/lib/ruby/1.8/rexml/element.rb:710:in `call'
 from /usr/lib/ruby/1.8/rexml/element.rb:710:in `each_with_something'
 from /usr/lib/ruby/1.8/rexml/element.rb:892:in `each'
 from /usr/lib/ruby/1.8/rexml/xpath.rb:53:in `each'
 from /usr/lib/ruby/1.8/rexml/element.rb:892:in `each'
 from /usr/lib/ruby/1.8/rexml/element.rb:709:in `each_with_something'
 from /usr/lib/ruby/1.8/rexml/element.rb:388:in `each_element_with_text'
 from -e:1

Ben J Woodcroft (donttrustben) wrote :

I can confirm this as well.

Alex Tomlins (alex-tomlins) wrote :

I can confirm that this is also happening in 8.04 now.

libruby1.8 version

Applying the patch mentioned in the Debian bug report to /usr/lib/ruby/1.8/rexml/entity.rb fixes the problem.


Changed in ruby1.8:
status: Unknown → New
Changed in ruby1.8 (Debian):
status: New → Fix Released
Changed in ruby1.8 (Ubuntu):
status: New → Fix Released
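
The failure mode in the backtrace above (a security counter called on a nil receiver inside `unnormalized`), as an added example. This is not REXML's source or the Debian patch: ModelDocument, ModelEntity, ExpansionLimitError and expand_outcome are hypothetical names, and treating the nil receiver as an entity with no owning document is an assumption.

```ruby
# Simplified model (not REXML's code): a per-document expansion budget and
# an entity whose owning document may be nil (assumed cause of the nil receiver).
class ExpansionLimitError < StandardError; end

class ModelDocument
  attr_reader :expansions

  def initialize(limit)
    @limit = limit
    @expansions = 0
  end

  # Count one expansion and abort once the budget is exceeded.
  def record_entity_expansion
    @expansions += 1
    raise ExpansionLimitError, "entity expansion limit exceeded" if @expansions > @limit
  end
end

class ModelEntity
  def initialize(value, document = nil)
    @value = value
    @document = document # nil when the entity is not attached to a document
  end

  # Regressed form: assumes a document is always present.
  def unnormalized_regressed
    @document.record_entity_expansion
    @value
  end

  # Guarded form: count only when a document exists to hold the counter.
  def unnormalized_guarded
    @document.record_entity_expansion unless @document.nil?
    @value
  end
end

# Returns :ok, :no_method_error or :limit_exceeded after `count` expansions.
def expand_outcome(entity, method_name, count)
  count.times { entity.public_send(method_name) }
  :ok
rescue NoMethodError
  :no_method_error
rescue ExpansionLimitError
  :limit_exceeded
end
```

In this model the guarded form does not count expansions for a detached entity, so a regression test for such a fix should cover both the detached path and the attached path that still has to hit the limit.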