From 7bd72820325b846a9dd62e2bbfe885d6253a8de3 Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Thu, 26 Dec 2024 03:21:35 +0300
Subject: [PATCH] import ruby-3.1.5-145.module+el9.5.0+22579+d0aa0a16
---
 ...rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch | 31 ++++++++++++++++
 SPECS/ruby.spec | 36 +++++++++++++------
 2 files changed, 56 insertions(+), 11 deletions(-)
 create mode 100644 SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
diff --git a/SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch b/SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
new file mode 100644
index 0000000..8222691
--- /dev/null
+++ b/SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
@@ -0,0 +1,31 @@
+From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001
+From: Sutou Kouhei
+Date: Thu, 24 Oct 2024 14:45:31 +0900
+Subject: [PATCH] parser: fix a bug that �x...; is accepted as a character
+ reference
+
+---
+ lib/rexml/parsers/baseparser.rb | 10 +++++++---
+ test/parse/test_character_reference.rb | 6 ++++++
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
+index 7bd8adf..b4547ba 100644
+--- a/lib/rexml/parsers/baseparser.rb
++++ b/lib/rexml/parsers/baseparser.rb
+@@ -469,8 +469,12 @@ def unnormalize( string, entities=nil, filter=nil )
+ return rv if matches.size == 0
+- rv.gsub!( /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
++ rv.gsub!( /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
+ m=$1
+- m = "0#{m}" if m[0] == ?x
+- [Integer(m)].pack('U*')
++ if m.start_with?("x")
++ code_point = Integer(m[1..-1], 16)
++ else
++ code_point = Integer(m, 10)
++ end
++ [code_point].pack('U*')
+ }
+ matches.collect!{|x|x[0]}.compact!
+ if matches.size > 0
diff --git a/SPECS/ruby.spec b/SPECS/ruby.spec
index e4a918c..38b193b 100644
--- a/SPECS/ruby.spec
+++ b/SPECS/ruby.spec
@@ -22,7 +22,7 @@
 %endif
-%global release 144
+%global release 145
 %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
 # The RubyGems library has to stay out of Ruby directory tree, since the
@@ -220,6 +220,9 @@ Patch35: ruby-irb-1.4.1-set-rdoc-soft-dep.patch
 # https://github.com/ruby/ruby/commit/bffadcd6d46ccfccade79ce0efb60ced8eac4483
 # https://bugs.ruby-lang.org/issues/19529#note-7
 Patch36: ruby-3.1.4-Skip-test_compaction_bug_19529-if-compaction-unsupported.patch
+# Tests not included, this Ruby release does not include REXML tests.
+# https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
+Patch37: rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Suggests: rubypick
@@ -689,6 +692,13 @@ rm -rf ext/fiddle/libffi*
 %patch35 -p1
 %patch36 -p1
+# Instead of adjusting patch's directory, use the following form where
+# we first enter the correct directory, this allows more general application
+# accross ruby versions, since we can make use of the %rexml_version macro.
+pushd ".bundle/gems/rexml-%{rexml_version}/"
+%patch37 -p1
+popd
+
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
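Review bot: The comment above `Patch37:` should also record that the patch file is a trimmed copy of upstream: its embedded diffstat still lists `test/parse/test_character_reference.rb | 6 ++++++` while that hunk is absent, so `# Upstream commit with its test/ hunk dropped; this Ruby release does not ship the REXML tests.` states it more precisely than "Tests not included". The file name pins rexml 3.3.9, but the REXML version bundled with this Ruby is not visible in the diff; naming the bundled version the patch was verified against would help the next rebase. The page rendering also shows the removed regex line of the embedded patch as `/�*(` — presumably a decoded numeric character reference rather than the file's real bytes — so the SOURCES file is worth comparing byte-for-byte with upstream commit ce59f2eb1aeb371fe1643414f06618dbe031979f before release, since a mangled removed line would make `patch` fuzz or reject the hunk and leave the ReDoS unfixed.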
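Review bot: The added comment misspells "across" — `# across ruby versions, since we can make use of the %rexml_version macro.`. The line `pushd ".bundle/gems/rexml-%{rexml_version}/"` depends on `%{rexml_version}` being defined earlier in the spec, which is outside this hunk; if it is undefined or the bundled directory name differs, pushd fails and, since rpmbuild runs %prep with the shell's -e option, the build aborts instead of packaging an unpatched REXML, which is the desired outcome and worth stating in the comment so nobody later "fixes" it with `|| true`. The %prep section continues beyond the hunk on both sides.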
@@ -1559,28 +1569,32 @@ make runruby TESTRUN_SCRIPT=" \
 %changelog
+* Tue Nov 26 2024 Jarek Prokop - 3.1.5-145
+- Fix REXML ReDoS vulnerability. (CVE-2024-49761)
+ Resolves: RHEL-68526
+
 * Tue Apr 30 2024 Jun Aruga - 3.1.5-144
 - Upgrade to Ruby 3.1.5.
- Resolves: RHEL-35449
+ Resolves: RHEL-33978
 - Fix buffer overread vulnerability in StringIO.
- Resolves: RHEL-34793
+ Resolves: RHEL-34129
 - Fix RCE vulnerability with .rdoc_options in RDoc.
- Resolves: RHEL-34794
+ Resolves: RHEL-34121
 - Fix arbitrary memory address read vulnerability with Regex search.
- Resolves: RHEL-34795
+ Resolves: RHEL-33871
 * Thu Mar 14 2024 Jarek Prokop - 3.1.4-143
 - Upgrade to Ruby 3.1.4.
- Resolves: RHEL-29749
+ Resolves: RHEL-5586
 - Fix HTTP response splitting in CGI.
- Resolves: RHEL-29752
+ Resolves: RHEL-5591
 - Fix ReDos vulnerability in URI.
- Resolves: RHEL-29747
- Resolves: RHEL-29746
+ Resolves: RHEL-28919
+ Resolves: RHEL-5612
 - Fix ReDos vulnerability in Time.
- Resolves: RHEL-29751
+ Resolves: RHEL-28920
 - Make RDoc soft dependency in IRB.
- Resolves: RHEL-29750
+ Resolves: RHEL-5613
 * Sun Dec 03 2023 Jun Aruga - 3.1.2-142
 - Bypass git submodule test failure on Git >= 2.38.1.