From 2ccd553898339155e7910cf1298f339101396f9b Mon Sep 17 00:00:00 2001
From: Jarek Prokop
Date: Mon, 25 Nov 2024 16:46:54 +0100
Subject: [PATCH] Fix REXML ReDoS vulnerability. (CVE-2024-49761)

Tests not included in the patch, this Ruby version does not include the specific rexml unit test file in the released tarball.

As opposed to branches for Ruby 3.1 and 3.0, this Ruby version does not need to enter the directory prior to patch application, as the directory for patch application required is in the correct place.

Resolves: RHEL-68515
---
 ruby.spec | 11 ++++++-
 ...rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch | 31 +++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch

diff --git a/ruby.spec b/ruby.spec
index c00635e..9829c4e 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -21,7 +21,7 @@
 %endif
 
-%global release 112
+%global release 113
 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
 
@@ -266,6 +266,10 @@ Patch48: rubygem-strscan-1.0.2-Accept-String-as-a-pattern.patch
 # https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb
 # https://github.com/ruby/rexml/commit/f1df7d13b3e57a5e059273d2f0870163c08d7420
 Patch49: rubygem-rexml-3.2.9-Fix-CVE-2024-35176-DoS-in-REXML.patch
+# Tests not included, this Ruby release does not include the specific
+# test file to patch.
+# https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
+Patch50: rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
 
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 
@@ -686,6 +690,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \
 %patch47 -p1
 %patch48 -p1
 %patch49 -p1
+%patch50 -p1
 
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
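Review bot: The Patch50 declaration records that the upstream regression test was dropped, but nothing in the spec then confirms the backport took effect, and a hand-trimmed patch file is exactly the kind of artifact that silently stops applying (or applies with fuzz) on the next rebase; the same applies to the `%patch50 -p1` line in the following hunk. Consider a small assertion in `%check` (outside this diff) that feeds a `&#0x41;`-style reference through the patched `unnormalize` path of the bundled REXML and fails if it is still decoded to `A`, which is the behaviour the fix removes; presumably `%check` already drives the bundled test suite, so that is the natural place. The declaration comment would also be clearer as `# Upstream test hunk dropped: test/parse/test_character_reference.rb is not shipped in this tarball.`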
@@ -1250,6 +1255,10 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
 %{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec
 
 %changelog
+* Tue Nov 26 2024 Jarek Prokop - 2.5.9-113
+- Fix REXML ReDoS vulnerability. (CVE-2024-49761)
+ Resolves: RHEL-68515
+
 * Tue May 21 2024 Jarek Prokop - 2.5.9-112
 - Fix ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755.
 (CVE-2023-36617)
diff --git a/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch b/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
new file mode 100644
index 0000000..d87b68a
--- /dev/null
+++ b/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
@@ -0,0 +1,31 @@
+From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001
+From: Sutou Kouhei
+Date: Thu, 24 Oct 2024 14:45:31 +0900
+Subject: [PATCH] parser: fix a bug that �x...; is accepted as a character
+ reference
+
+---
+ lib/rexml/parsers/baseparser.rb | 10 +++++++---
+ test/parse/test_character_reference.rb | 6 ++++++
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
+index 7bd8adf..b4547ba 100644
+--- a/lib/rexml/parsers/baseparser.rb
++++ b/lib/rexml/parsers/baseparser.rb
+@@ -492,8 +492,12 @@ def unnormalize( string, entities=nil, filter=nil )
+ return rv if matches.size == 0
+- rv.gsub!( /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
++ rv.gsub!( /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
+ m=$1
+- m = "0#{m}" if m[0] == ?x
+- [Integer(m)].pack('U*')
++ if m.start_with?("x")
++ code_point = Integer(m[1..-1], 16)
++ else
++ code_point = Integer(m, 10)
++ end
++ [code_point].pack('U*')
+ }
+ matches.collect!{|x|x[0]}.compact!
+ if matches.size > 0
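Review bot: The embedded preamble still carries upstream's full diffstat (`test/parse/test_character_reference.rb | 6 ++++++` and `2 files changed, 13 insertions(+), 3 deletions(-)`) while the file ships only the `baseparser.rb` hunk, so the patch describes itself as something it is not; `%patch` ignores the preamble, but the next person rebasing will look for a test hunk that was deliberately dropped. Either trim those two diffstat lines to match what is shipped or add one line under `Subject:` such as `Test hunk (test/parse/test_character_reference.rb) dropped: file not present in the Ruby 2.5.9 tarball.` On the Ruby side the new branch is the right fix for the backtracking: dropping the `0*` removes the overlapping quantifier, and the explicit radix keeps `&#0065;` decimal now that leading zeros reach `Integer`. What the new code still does not check is the range of `code_point` before `pack('U*')`, which as far as I recall raises `RangeError` for values above 0x10FFFF instead of a parse error; that is pre-existing and arguably out of scope for a backport, but worth an upstream follow-up. `unnormalize` starts and ends outside the hunk.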