From 32f8b8fa7b8f909706e2e88f4e29cef0a1b44ab2 Mon Sep 17 00:00:00 2001 From: Jarek Prokop Date: Mon, 25 Nov 2024 16:46:54 +0100 Subject: [PATCH] Fix REXML ReDoS vulnerability. (CVE-2024-49761) Tests not included in the patch, this Ruby version does not include rexml unit tests in the released tarball. Before patch application, enter the correct directory in the specfile. Instead of adjusting the path in the patch for each ruby version we can enter the correct directory first in the specfile and make use of %rexml_version macro which further helps in making minimal changes for different ruby versions. Resolves: RHEL-68530 --- ruby.spec | 16 +++++++++- ...rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch | 31 +++++++++++++++++++ 2 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch diff --git a/ruby.spec b/ruby.spec index 1ed64c1..3f8669c 100644 --- a/ruby.spec +++ b/ruby.spec @@ -22,7 +22,7 @@ %endif -%global release 144 +%global release 145 %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} # The RubyGems library has to stay out of Ruby directory tree, since the @@ -220,6 +220,9 @@ Patch35: ruby-irb-1.4.1-set-rdoc-soft-dep.patch # https://github.com/ruby/ruby/commit/bffadcd6d46ccfccade79ce0efb60ced8eac4483 # https://bugs.ruby-lang.org/issues/19529#note-7 Patch36: ruby-3.1.4-Skip-test_compaction_bug_19529-if-compaction-unsupported.patch +# Tests not included, this Ruby release does not include REXML tests. +# https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f +Patch37: rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} Suggests: rubypick 
@@ -689,6 +692,13 @@ rm -rf ext/fiddle/libffi* %patch35 -p1 %patch36 -p1 +# Instead of adjusting patch's directory, use the following form where +# we first enter the correct directory, this allows more general application +# accross ruby versions, since we can make use of the %rexml_version macro. +pushd ".bundle/gems/rexml-%{rexml_version}/" +%patch37 -p1 +popd + # Provide an example of usage of the tapset: cp -a %{SOURCE3} . @@ -1559,6 +1569,10 @@ make runruby TESTRUN_SCRIPT=" \ %changelog +* Tue Nov 26 2024 Jarek Prokop - 3.1.5-145 +- Fix REXML ReDoS vulnerability. (CVE-2024-49761) + Resolves: RHEL-68530 + * Tue Apr 30 2024 Jun Aruga - 3.1.5-144 - Upgrade to Ruby 3.1.5. Resolves: RHEL-33978 diff --git a/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch b/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch new file mode 100644 index 0000000..8222691 --- /dev/null +++ b/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch @@ -0,0 +1,31 @@ +From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001 +From: Sutou Kouhei +Date: Thu, 24 Oct 2024 14:45:31 +0900 +Subject: [PATCH] parser: fix a bug that �x...; is accepted as a character + reference + +--- + lib/rexml/parsers/baseparser.rb | 10 +++++++--- + test/parse/test_character_reference.rb | 6 ++++++ + 2 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb +index 7bd8adf..b4547ba 100644 +--- a/lib/rexml/parsers/baseparser.rb ++++ b/lib/rexml/parsers/baseparser.rb +@@ -469,8 +469,12 @@ def unnormalize( string, entities=nil, filter=nil ) + return rv if matches.size == 0 +- rv.gsub!( /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) { ++ rv.gsub!( /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ ) { + m=$1 +- m = "0#{m}" if m[0] == ?x +- [Integer(m)].pack('U*') ++ if m.start_with?("x") ++ code_point = Integer(m[1..-1], 16) ++ else ++ code_point = Integer(m, 10) ++ end ++ [code_point].pack('U*') + } + matches.collect!{|x|x[0]}.compact! + if matches.size > 0
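Review bot: Nothing in this build verifies that the CVE-2024-49761 fix actually landed in the bundled rexml, because `%patch37 -p1` is applied inside `.bundle/gems/rexml-%{rexml_version}/` while the upstream test hunk is dropped. `%check` already runs ad-hoc `make runruby TESTRUN_SCRIPT=...` snippets (one is visible in the next hunk header), so a short snippet there that parses a character reference with a leading `0x` and asserts it is not decoded would catch a rebase that silently loses or misapplies the patch; the exact expected result should be confirmed against the bundled version. Separately, the added comment has a typo and an unescaped macro, which rpm also expands inside comments; I would write `# across ruby versions, since we can make use of the %%rexml_version macro.`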
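Review bot: `code_point` reaches `[code_point].pack('U*')` with no upper bound, because both alternatives of the new pattern (`\d+` and `x[a-fA-F0-9]+`) accept any number of digits. As far as I can tell an oversized value surfaces as a `RangeError` from `pack` rather than as a REXML parse error, and values above the Unicode range or otherwise not legal XML characters are not rejected at this point. This is inherited from the upstream commit, so it is probably better raised upstream than carried as a downstream delta; if it is handled locally, a guard before the `pack` call such as `raise REXML::ParseException, "invalid character reference" if code_point > 0x10FFFF` would do. The enclosing `unnormalize` method starts and ends outside the hunk, so callers that might already rescue this are not visible here.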