Ubuntu vulnerability exploit CVE-2021-28965

Detailed:

 

The corresponding update for Ubuntu 21.04 is included in this update. The REXML gem bundled with Ruby improperly parsed and serialized XML documents, as reported by Juho Nurminen. A remote attacker could exploit this vulnerability to mount an XML round-trip attack. Several other issues were also discussed.

 

Exploit:


A bug where an invalid notation declaration may be generated (Ubuntu)


c = nil
      c = parent.context if parent
      if c and c[:prologue_quote] == :apostrophe
        quote = "'"
        default_quote = "'"
      else
        quote = "\""
        default_quote = "\""
      end
      notation = "<!NOTATION #{@name} #{@middle}"
      notation << " #{quote}#{@public}#{quote}" if @public
      notation << " #{quote}#{@system}#{quote}" if @system
      if @public
        if @public.include?("'")
          quote = "\""
        else
          quote = default_quote
        end
        notation << " #{quote}#{@public}#{quote}"
      end
      if @system
        if @system.include?("'")
          quote = "\""
        elsif @system.include?("\"")
          quote = "'"
        else
          quote = default_quote
        end
        notation << " #{quote}#{@system}#{quote}"
      end
      notation << ">"
      notation
    end
  99  test/test_doctype.rb 
@@ -89,11 +89,26 @@ def test_to_s
                   decl(@id, nil).to_s)
    end

    def test_to_s_pubid_literal_include_apostrophe
      assert_equal("<!NOTATION #{@name} PUBLIC \"#{@id}'\">",
                   decl("#{@id}'", nil).to_s)
    end

    def test_to_s_with_uri
      assert_equal("<!NOTATION #{@name} PUBLIC \"#{@id}\" \"#{@uri}\">",
                   decl(@id, @uri).to_s)
    end

    def test_to_s_system_literal_include_apostrophe
      assert_equal("<!NOTATION #{@name} PUBLIC \"#{@id}\" \"system'literal\">",
                   decl(@id, "system'literal").to_s)
    end

    def test_to_s_system_literal_include_double_quote
      assert_equal("<!NOTATION #{@name} PUBLIC \"#{@id}\" 'system\"literal'>",
                   decl(@id, "system\"literal").to_s)
    end

    def test_to_s_apostrophe
      document = REXML::Document.new(<<-XML)
      <!DOCTYPE root SYSTEM "urn:x-test:sysid" [
@@ -107,6 +122,49 @@ def test_to_s_apostrophe
                   notation.to_s)
    end

    def test_to_s_apostrophe_pubid_literal_include_apostrophe
      document = REXML::Document.new(<<-XML)
      <!DOCTYPE root SYSTEM "urn:x-test:sysid" [
        #{decl("#{@id}'", @uri).to_s}
      ]>
      <root/>
      XML
      # This isn't used for PubidLiteral because PubidChar includes '.
      document.context[:prologue_quote] = :apostrophe
      notation = document.doctype.notations[0]
      assert_equal("<!NOTATION #{@name} PUBLIC \"#{@id}'\" '#{@uri}'>",
                   notation.to_s)
    end

    def test_to_s_apostrophe_system_literal_include_apostrophe
      document = REXML::Document.new(<<-XML)
      <!DOCTYPE root SYSTEM "urn:x-test:sysid" [
        #{decl(@id, "system'literal").to_s}
      ]>
      <root/>
      XML
      # This isn't used for SystemLiteral because SystemLiteral includes '.
      document.context[:prologue_quote] = :apostrophe
      notation = document.doctype.notations[0]
      assert_equal("<!NOTATION #{@name} PUBLIC '#{@id}' \"system'literal\">",
                   notation.to_s)
    end

    def test_to_s_apostrophe_system_literal_include_double_quote
      document = REXML::Document.new(<<-XML)
      <!DOCTYPE root SYSTEM "urn:x-test:sysid" [
        #{decl(@id, "system\"literal").to_s}
      ]>
      <root/>
      XML
      # This isn't used for SystemLiteral because SystemLiteral includes ".
      # But quoted by ' because SystemLiteral includes ".
      document.context[:prologue_quote] = :apostrophe
      notation = document.doctype.notations[0]
      assert_equal("<!NOTATION #{@name} PUBLIC '#{@id}' 'system\"literal'>",
                   notation.to_s)
    end

    private
    def decl(id, uri)
      REXML::NotationDecl.new(@name, "PUBLIC", id, uri)
@@ -124,6 +182,16 @@ def test_to_s
                   decl(@id).to_s)
    end

    def test_to_s_include_apostrophe
      assert_equal("<!NOTATION #{@name} SYSTEM \"#{@id}'\">",
                   decl("#{@id}'").to_s)
    end

    def test_to_s_include_double_quote
      assert_equal("<!NOTATION #{@name} SYSTEM '#{@id}\"'>",
                   decl("#{@id}\"").to_s)
    end

    def test_to_s_apostrophe
      document = REXML::Document.new(<<-XML)
      <!DOCTYPE root SYSTEM "urn:x-test:sysid" [
@@ -137,9 +205,38 @@ def test_to_s_apostrophe
                   notation.to_s)
    end

    def test_to_s_apostrophe_include_apostrophe
      document = REXML::Document.new(<<-XML)
      <!DOCTYPE root SYSTEM "urn:x-test:sysid" [
        #{decl("#{@id}'").to_s}
      ]>
      <root/>
      XML
      # This isn't used for SystemLiteral because SystemLiteral includes '.
      document.context[:prologue_quote] = :apostrophe
      notation = document.doctype.notations[0]
      assert_equal("<!NOTATION #{@name} SYSTEM \"#{@id}'\">",
                   notation.to_s)
    end

    def test_to_s_apostrophe_include_double_quote
      document = REXML::Document.new(<<-XML)
      <!DOCTYPE root SYSTEM "urn:x-test:sysid" [
        #{decl("#{@id}\"").to_s}
      ]>
      <root/>
      XML
      # This isn't used for SystemLiteral because SystemLiteral includes ".
      # But quoted by ' because SystemLiteral includes ".
      document.context[:prologue_quote] = :apostrophe
      notation = document.doctype.notations[0]
      assert_equal("<!NOTATION #{@name} SYSTEM '#{@id}\"'>",
                   notation.to_s)
    end

    private
    def decl(id)
      REXML::NotationDecl.new(@name, "SYSTEM", id, nil)
      REXML::NotationDecl.new(@name, "SYSTEM", nil, id)
    end
  end
end
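Review bot: The new SYSTEM-literal tests pin values containing one quote character (`test_to_s_include_apostrophe`, `test_to_s_include_double_quote` and their `_apostrophe_` variants) but none containing both, so the serializer branch shown in the hunk above — which picks `"` whenever the system literal includes `'` — is left unexercised for an input such as `system'lit"eral`, which it would still emit as an unbalanced double-quoted literal. A test like `test_to_s_include_both_quotes` asserting what `decl("#{@id}'\"").to_s` produces would make that remaining gap visible; since an XML SystemLiteral cannot contain both characters, rejecting such a value at construction would be the cleaner mitigation, but that lives outside this hunk. If the pair of `REXML::NotationDecl.new` lines at the end of the `decl` helper is the old/new form, the helper now passes `id` as the system literal instead of the public id, and a short comment such as `# SYSTEM notations carry only a system literal` would explain the swap to the next reader. The enclosing test class continues outside the hunk.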


References:

https://github.com/cloudfoundry/cflinuxfs3/releases

https://github.com/UndercodeUtilities/accesslist/tree/main/Flaw