Fix REXML ReDoS vulnerability. (CVE-2024-49761)

Tests not included in the patch, this Ruby version does not include the specific rexml unit test file in the released tarball. As opposed to branches for Ruby 3.1 and 3.0, this Ruby version does not need to enter the directory prior to patch application, as the directory for patch application required is in the correct place. Resolves: RHEL-68515
2024-11-25 16:46:54 +01:00 · 2024-11-25 16:46:54 +01:00 · 2ccd553898
commit 2ccd553898
parent fd513df176
2 changed files with 41 additions and 1 deletions
--- a/ruby.spec
+++ b/ruby.spec
@ -21,7 +21,7 @@
 %endif


-%global release 112
+%global release 113

 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}

@ -266,6 +266,10 @@ Patch48: rubygem-strscan-1.0.2-Accept-String-as-a-pattern.patch
 # https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb
 # https://github.com/ruby/rexml/commit/f1df7d13b3e57a5e059273d2f0870163c08d7420
 Patch49: rubygem-rexml-3.2.9-Fix-CVE-2024-35176-DoS-in-REXML.patch
+# Tests not included, this Ruby release does not include the specific
+# test file to patch.
+# https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
+Patch50: rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch


 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -686,6 +690,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \
 %patch47 -p1
 %patch48 -p1
 %patch49 -p1
+%patch50 -p1

 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
@ -1250,6 +1255,10 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
 %{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec

 %changelog
+* Tue Nov 26 2024 Jarek Prokop <jprokop@redhat.com> - 2.5.9-113
+- Fix REXML ReDoS vulnerability. (CVE-2024-49761)
+  Resolves: RHEL-68515
+
 * Tue May 21 2024 Jarek Prokop <jprokop@redhat.com> - 2.5.9-112
 - Fix ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755.
  (CVE-2023-36617)
--- a/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
+++ b/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
@ -0,0 +1,31 @@
+From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001
+From: Sutou Kouhei <kou@clear-code.com>
+Date: Thu, 24 Oct 2024 14:45:31 +0900
+Subject: [PATCH] parser: fix a bug that &#0x...; is accepted as a character
+ reference
+
+---
+ lib/rexml/parsers/baseparser.rb        | 10 +++++++---
+ test/parse/test_character_reference.rb |  6 ++++++
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
+index 7bd8adf..b4547ba 100644
+--- a/lib/rexml/parsers/baseparser.rb
+++ b/lib/rexml/parsers/baseparser.rb
+@@ -492,8 +492,12 @@ def unnormalize( string, entities=nil, filter=nil )
+         return rv if matches.size == 0
+-        rv.gsub!( /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
+        rv.gsub!( /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
+           m=$1
+-          m = "0#{m}" if m[0] == ?x
+-          [Integer(m)].pack('U*')
+          if m.start_with?("x")
+            code_point = Integer(m[1..-1], 16)
+          else
+            code_point = Integer(m, 10)
+          end
+          [code_point].pack('U*')
+         }
+         matches.collect!{|x|x[0]}.compact!
+         if matches.size > 0