From bda8cf3c733a4e26224ee63ce2aa53cc4bb08879 Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Thu, 26 Dec 2024 03:05:20 +0300
Subject: [PATCH] import ruby-3.1.5-144.module+el8.10.0+22580+b97d9670
---
...rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch | 31 +++++++++++++++++++
SPECS/ruby.spec | 16 +++++++++-
2 files changed, 46 insertions(+), 1 deletion(-)
create mode 100644 SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
diff --git a/SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch b/SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
new file mode 100644
index 0000000..8222691
--- /dev/null
+++ b/SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
@@ -0,0 +1,31 @@
+From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001
+From: Sutou Kouhei
+Date: Thu, 24 Oct 2024 14:45:31 +0900
+Subject: [PATCH] parser: fix a bug that �x...; is accepted as a character
+ reference
+
+---
+ lib/rexml/parsers/baseparser.rb | 10 +++++++---
+ test/parse/test_character_reference.rb | 6 ++++++
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
+index 7bd8adf..b4547ba 100644
+--- a/lib/rexml/parsers/baseparser.rb
++++ b/lib/rexml/parsers/baseparser.rb
+@@ -469,8 +469,12 @@ def unnormalize( string, entities=nil, filter=nil )
+ return rv if matches.size == 0
+- rv.gsub!( /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
++ rv.gsub!( /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
+ m=$1
+- m = "0#{m}" if m[0] == ?x
+- [Integer(m)].pack('U*')
++ if m.start_with?("x")
++ code_point = Integer(m[1..-1], 16)
++ else
++ code_point = Integer(m, 10)
++ end
++ [code_point].pack('U*')
+ }
+ matches.collect!{|x|x[0]}.compact!
+ if matches.size > 0
diff --git a/SPECS/ruby.spec b/SPECS/ruby.spec
index b6d2c2c..05ed5a7 100644
--- a/SPECS/ruby.spec
+++ b/SPECS/ruby.spec
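Review bot: Nothing in the rewritten `gsub!` block bounds `code_point` before `[code_point].pack('U*')`. The pattern's `\d+` and `x[a-fA-F0-9]+` accept any number of digits, and `pack('U*')` raises RangeError for a value it cannot encode, so an oversized numeric reference in untrusted XML would surface as a RangeError rather than a parse error unless a caller outside this hunk rescues it. A range check before packing would keep the failure in the parser's own error path, for example `raise REXML::ParseException, "Invalid character reference: &##{m};" if code_point > 0x10FFFF`. Because this file is a backport of the upstream commit, the check is better proposed upstream than carried as a local deviation. The body of `unnormalize` starts and ends outside the hunk.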
@@ -22,7 +22,7 @@ %endif -%global release 143 +%global release 144 %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} # The RubyGems library has to stay out of Ruby directory tree, since the @@ -195,6 +195,9 @@ Patch29: ruby-3.1.4-Skip-test_compaction_bug_19529-if-compaction-unsupported.pat # https://github.com/ruby/ruby/pull/10696 # https://bugs.ruby-lang.org/issues/20451 Patch30: ruby-fiddle-1.1.1-closure-free-resources.patch +# Tests not included, this Ruby release does not include REXML tests. +# https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f +Patch31: rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} Suggests: rubypick @@ -659,6 +662,13 @@ rm -rf ext/fiddle/libffi* %patch29 -p1 %patch30 -p1 +# Instead of adjusting patch's directory, use the following form where +# we first enter the correct directory, this allows more general application +# accross ruby versions, since we can make use of the %rexml_version macro. +pushd ".bundle/gems/rexml-%{rexml_version}/" +%patch31 -p1 +popd + # Provide an example of usage of the tapset: cp -a %{SOURCE3} . @@ -1542,6 +1552,10 @@ DISABLE_TESTS="$DISABLE_TESTS -n !/TestBundledCA/" %changelog +* Tue Nov 26 2024 Jarek Prokop - 3.1.5-144 +- Fix REXML ReDoS vulnerability. (CVE-2024-49761) + Resolves: RHEL-68520 + * Tue May 07 2024 Jun Aruga - 3.1.5-143 - Upgrade to Ruby 3.1.5. Resolves: RHEL-35748
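Review bot: The comment above `Patch31` links the upstream commit but does not say why a commit titled as a character-reference parsing fix is filed under the ReDoS CVE, which will confuse an auditor matching the patch file name against upstream history. Consider adding a line such as `# Upstream commit title refers to character reference parsing; this is the change tracked as CVE-2024-49761 (ReDoS).` Since the same comment says the upstream tests are dropped, it would also help to note there how the fix was verified for this build. In the %prep hunk, the new comment misspells `across` as `accross`.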