'Re: [oss-security] CVE Request: rubygem-nokogiri Multiple DoS vulnerabilities'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE Request: rubygem-nokogiri Multiple DoS vulnerabilities
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-12-27 4:30:38
Message-ID: 52BD026E.7040901 () redhat ! com
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/26/2013 12:47 PM, Ratul Gupta wrote:

I double checked these issues, they are subtly different, one is
infinite loop from error parsing and the other fails to apply limits.

> Hello,
> 
> 1) https://bugzilla.redhat.com/show_bug.cgi?id=1046663
> 
> Nokogiri gem for Ruby was found to be affected by a DoS
> vulnerability, where an error when parsing XML documents can be
> exploited by an attacker to cause an infinite loop and subsequently
> exhaust memory and cause a crash via a specially crafted XML
> document.

Please use CVE-2013-6460 for this issue.

> 2) https://bugzilla.redhat.com/show_bug.cgi?id=1046664
> 
> Nokogiri gem for Ruby was found to be affected by a DoS
> vulnerability, where an error when parsing XML entities and can be
> exploited to exhaust memory and cause a crash via a specially
> crafted XML document including external entity references.

Please use CVE-2013-6461 for this issue.

> Can CVE's please be assigned to these issues?

Please note original references:

References:
https://bugs.gentoo.org/show_bug.cgi?id=495218

Original Advisory:
https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA




- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSvQJuAAoJEBYNRVNeJnmT+QoP/1c2L1HrrqrCWwk+sM60P1WB
iqVF+N643XkNsNgFbK/3eAa2T1Bsj3uOKqxyEGLePPGblqH3+kPzqlT+IPCPy/0H
UiiPSjO43WFv8kmSHo6hzIzn7us7oww8DNK4xBWItLYMfP/5SK/ANv5viFJBTCTu
K5nrbUvTOIwWueAUMY/DgXLpfcssdITp7VH70uFrSgF+LzDtXGeOdscIMpu85FVU
5+sqJQy2yE939Q3XlEZzN1IeTwLghZkVb2WX5HLUBGEVBkFRvB8bY+nl4OtERSS1
R+ya6X4h9XAVyKXE3lgvHI1MFA3D8gotJqK8xPFjnuLBvcR0Scx63DfSf2hatcqI
dbyQ8xR/qVYJGcOXpAENAPjrfyBCnd1GiozjECgZfB2A1T8+ahK4LWawd037lWbx
+izFHURKFThLpdikdiwZ3hAZVjQpR3oHlxbEW83QlZPu2xCGDn66GtfFDtjHm8DA
xxrgkMEkBlvRRCstVJsU7op5TBoCBofi8rXzpdWd/vtwuTg/PHV6fVb63PEPFkVd
aBsL9oxFPW1WjJwU0JRYfSo2EeBg1laGWIbfy29xVX3deVOdMTWb2h3v9xAMhkEs
qtTO8bLgB6Dym5wkugaj05PniZEGUoBHPOcli0ApjEFys4tLkctP1tBcwD39sPfc
Xea35dJTkozZtlrQMBAU
=Wrs6
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic