Fix REXML ReDoS vulnerability. (CVE-2024-49761)

Tests not included in the patch, this Ruby version does not include rexml unit tests in the released tarball. Before patch application, enter the correct directory in the specfile. Instead of adjusting the path in the patch for each ruby version we can enter the correct directory first in the specfile and make use of %rexml_version macro which further helps in making minimal changes for different ruby versions. Resolves: RHEL-68530
2024-11-25 16:46:54 +01:00 · 2024-11-25 16:46:54 +01:00 · 32f8b8fa7b
commit 32f8b8fa7b
parent ae8660b889
2 changed files with 46 additions and 1 deletions
--- a/ruby.spec
+++ b/ruby.spec
@ -22,7 +22,7 @@
 %endif


-%global release 144
+%global release 145
 %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}

 # The RubyGems library has to stay out of Ruby directory tree, since the
@ -220,6 +220,9 @@ Patch35: ruby-irb-1.4.1-set-rdoc-soft-dep.patch
 # https://github.com/ruby/ruby/commit/bffadcd6d46ccfccade79ce0efb60ced8eac4483
 # https://bugs.ruby-lang.org/issues/19529#note-7
 Patch36: ruby-3.1.4-Skip-test_compaction_bug_19529-if-compaction-unsupported.patch
+# Tests not included, this Ruby release does not include REXML tests.
+# https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
+Patch37: rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch

 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Suggests: rubypick
@ -689,6 +692,13 @@ rm -rf ext/fiddle/libffi*
 %patch35 -p1
 %patch36 -p1

+# Instead of adjusting patch's directory, use the following form where
+# we first enter the correct directory, this allows more general application
+# accross ruby versions, since we can make use of the %rexml_version macro.
+pushd ".bundle/gems/rexml-%{rexml_version}/"
+%patch37 -p1
+popd
+
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .

@ -1559,6 +1569,10 @@ make runruby TESTRUN_SCRIPT=" \


 %changelog
+* Tue Nov 26 2024 Jarek Prokop <jprokop@redhat.com> - 3.1.5-145
+- Fix REXML ReDoS vulnerability. (CVE-2024-49761)
+  Resolves: RHEL-68530
+
 * Tue Apr 30 2024 Jun Aruga <jaruga@redhat.com> - 3.1.5-144
 - Upgrade to Ruby 3.1.5.
  Resolves: RHEL-33978
--- a/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
+++ b/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
@ -0,0 +1,31 @@
+From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001
+From: Sutou Kouhei <kou@clear-code.com>
+Date: Thu, 24 Oct 2024 14:45:31 +0900
+Subject: [PATCH] parser: fix a bug that &#0x...; is accepted as a character
+ reference
+
+---
+ lib/rexml/parsers/baseparser.rb        | 10 +++++++---
+ test/parse/test_character_reference.rb |  6 ++++++
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
+index 7bd8adf..b4547ba 100644
+--- a/lib/rexml/parsers/baseparser.rb
+++ b/lib/rexml/parsers/baseparser.rb
+@@ -469,8 +469,12 @@ def unnormalize( string, entities=nil, filter=nil )
+         return rv if matches.size == 0
+-        rv.gsub!( /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
+        rv.gsub!( /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
+           m=$1
+-          m = "0#{m}" if m[0] == ?x
+-          [Integer(m)].pack('U*')
+          if m.start_with?("x")
+            code_point = Integer(m[1..-1], 16)
+          else
+            code_point = Integer(m, 10)
+          end
+          [code_point].pack('U*')
+         }
+         matches.collect!{|x|x[0]}.compact!
+         if matches.size > 0