import ruby-3.1.5-144.module+el8.10.0+22580+b97d9670

i8c-stream-3.1 changed/i8c-stream-3.1/ruby-3.1.5-144.module+el8.10.0+22580+b97d9670
MSVSphere Packaging Team 1 month ago
parent dedaf8696c
commit bda8cf3c73
Signed by: sys_gitsync
GPG Key ID: B2B0B9F29E528FE8

@ -0,0 +1,31 @@
From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001
From: Sutou Kouhei <kou@clear-code.com>
Date: Thu, 24 Oct 2024 14:45:31 +0900
Subject: [PATCH] parser: fix a bug that &#0x...; is accepted as a character
reference
---
lib/rexml/parsers/baseparser.rb | 10 +++++++---
test/parse/test_character_reference.rb | 6 ++++++
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
index 7bd8adf..b4547ba 100644
--- a/lib/rexml/parsers/baseparser.rb
+++ b/lib/rexml/parsers/baseparser.rb
@@ -469,8 +469,12 @@ def unnormalize( string, entities=nil, filter=nil )
return rv if matches.size == 0
- rv.gsub!( /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
+ rv.gsub!( /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
m=$1
- m = "0#{m}" if m[0] == ?x
- [Integer(m)].pack('U*')
+ if m.start_with?("x")
+ code_point = Integer(m[1..-1], 16)
+ else
+ code_point = Integer(m, 10)
+ end
+ [code_point].pack('U*')
}
matches.collect!{|x|x[0]}.compact!
if matches.size > 0
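Review bot: The diffstat kept in the added patch file (`test/parse/test_character_reference.rb | 6 ++++++`, `2 files changed, 13 insertions(+), 3 deletions(-)`) no longer matches its body, which as far as this section shows carries only the `lib/rexml/parsers/baseparser.rb` hunk; `patch -p1` ignores the diffstat so the build is unaffected, but a short downstream note in the patch header (for example `[Downstream: test file omitted, REXML tests are not shipped with this release]`) or a trimmed diffstat would make the file's provenance self-explanatory. On the code itself, the new `Integer(m, 10)` / `Integer(m[1..-1], 16)` branches accept a digit run of any length and `[code_point].pack('U*')` remains the only check on the resulting value, so an oversized reference presumably surfaces as a `RangeError` from `pack` rather than a REXML parse error, and values such as NUL or surrogates are encoded as-is; that is outside the scope of this ReDoS fix and better tracked upstream than edited into the backport. `unnormalize` begins and ends outside the hunk.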

@ -22,7 +22,7 @@
%endif
%global release 143
%global release 144
%{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
# The RubyGems library has to stay out of Ruby directory tree, since the
@ -195,6 +195,9 @@ Patch29: ruby-3.1.4-Skip-test_compaction_bug_19529-if-compaction-unsupported.pat
# https://github.com/ruby/ruby/pull/10696
# https://bugs.ruby-lang.org/issues/20451
Patch30: ruby-fiddle-1.1.1-closure-free-resources.patch
# Tests not included, this Ruby release does not include REXML tests.
# https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
Patch31: rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Suggests: rubypick
@ -659,6 +662,13 @@ rm -rf ext/fiddle/libffi*
%patch29 -p1
%patch30 -p1
# Instead of adjusting patch's directory, use the following form where
# we first enter the correct directory, this allows more general application
# accross ruby versions, since we can make use of the %rexml_version macro.
pushd ".bundle/gems/rexml-%{rexml_version}/"
%patch31 -p1
popd
# Provide an example of usage of the tapset:
cp -a %{SOURCE3} .
@ -1542,6 +1552,10 @@ DISABLE_TESTS="$DISABLE_TESTS -n !/TestBundledCA/"
%changelog
* Tue Nov 26 2024 Jarek Prokop <jprokop@redhat.com> - 3.1.5-144
- Fix REXML ReDoS vulnerability. (CVE-2024-49761)
Resolves: RHEL-68520
* Tue May 07 2024 Jun Aruga <jaruga@redhat.com> - 3.1.5-143
- Upgrade to Ruby 3.1.5.
Resolves: RHEL-35748
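Review bot: The comment above the new `Patch31:` line explains that the tests were dropped but not which REXML version the upstream fix targets, while the file name reads `rubygem-rexml-3.3.9-...` and the patch is applied under `.bundle/gems/rexml-%{rexml_version}/`; if `%{rexml_version}` resolves to something other than 3.3.9 for this Ruby, a sentence such as `# Upstream fix written against rexml 3.3.9; applies unchanged to the rexml version bundled with this Ruby.` would spare the next rebaser a check. The `%prep` comment in the following hunk also carries a typo, `accross` should read `across`. The `pushd` / `%patch31 -p1` / `popd` sequence itself looks consistent with a patch whose paths start at `lib/rexml/`.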
