From 6767a4e7919386d3c1f161c54bb8bc2779243cca Mon Sep 17 00:00:00 2001 From: Jarek Prokop Date: Mon, 25 Nov 2024 16:46:54 +0100 Subject: [PATCH] Fix REXML ReDoS vulnerability. (CVE-2024-49761) Tests not included in the patch, this Ruby version does not include rexml unit tests in the released tarball. Before patch application, enter the correct directory in the specfile. Instead of adjusting the path in the patch for each ruby version we can enter the correct directory first in the specfile and make use of %rexml_version macro which further helps in making minimal changes for different ruby versions. Resolves: RHEL-68525 --- ruby.spec | 16 +++++++++- ...rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch | 31 +++++++++++++++++++ 2 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch diff --git a/ruby.spec b/ruby.spec index 034b7b5..0b4c863 100644 --- a/ruby.spec +++ b/ruby.spec @@ -22,7 +22,7 @@ %endif -%global release 162 +%global release 163 %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} # The RubyGems library has to stay out of Ruby directory tree, since the @@ -297,6 +297,9 @@ Patch69: ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch # to OpenSSL 3.2 # https://github.com/ruby/ruby/commit/64b6a018a38f200c957fdbbe7d0cbe0e64781c9f Patch70: ruby-3.3.1-Fix-test-session-reuse-but-expire.patch +# Tests not included, this Ruby release does not include REXML tests. +# https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f +Patch71: rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} Suggests: rubypick 
@@ -771,6 +774,13 @@ rm -rf ext/fiddle/libffi* %patch69 -p1 %patch70 -p1 +# Instead of adjusting patch's directory, use the following form where +# we first enter the correct directory, this allows more general application +# accross ruby versions, since we can make use of the %rexml_version macro. +pushd ".bundle/gems/rexml-%{rexml_version}/" +%patch71 -p1 +popd + # Provide an example of usage of the tapset: cp -a %{SOURCE3} . @@ -1545,6 +1555,10 @@ make runruby TESTRUN_SCRIPT=" \ %changelog +* Tue Nov 26 2024 Jarek Prokop - 3.0.7-163 +- Fix REXML ReDoS vulnerability. (CVE-2024-49761) + Resolves: RHEL-68525 + * Tue Apr 30 2024 Jun Aruga - 3.0.7-162 - Upgrade to Ruby 3.0.7. Resolves: RHEL-35740 diff --git a/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch b/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch new file mode 100644 index 0000000..8222691 --- /dev/null +++ b/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch @@ -0,0 +1,31 @@ +From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001 +From: Sutou Kouhei +Date: Thu, 24 Oct 2024 14:45:31 +0900 +Subject: [PATCH] parser: fix a bug that �x...; is accepted as a character + reference + +--- + lib/rexml/parsers/baseparser.rb | 10 +++++++--- + test/parse/test_character_reference.rb | 6 ++++++ + 2 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb +index 7bd8adf..b4547ba 100644 +--- a/lib/rexml/parsers/baseparser.rb ++++ b/lib/rexml/parsers/baseparser.rb +@@ -469,8 +469,12 @@ def unnormalize( string, entities=nil, filter=nil ) + return rv if matches.size == 0 +- rv.gsub!( /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) { ++ rv.gsub!( /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ ) { + m=$1 +- m = "0#{m}" if m[0] == ?x +- [Integer(m)].pack('U*') ++ if m.start_with?("x") ++ code_point = Integer(m[1..-1], 16) ++ else ++ code_point = Integer(m, 10) ++ end ++ [code_point].pack('U*') + } + matches.collect!{|x|x[0]}.compact! + if matches.size > 0
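Review bot: The patch is applied to the extracted gem tree under `.bundle/gems/rexml-%{rexml_version}/`, so it is only effective if the later build and install steps consume that tree rather than re-extracting the bundled `rexml-%{rexml_version}.gem`; neither the definition of `%rexml_version` nor the bundled-gem install path is visible in this hunk, so that should be confirmed, and a `%check` assertion that the installed `lib/rexml/parsers/baseparser.rb` no longer contains `&#0*` would catch a silent regression. Because `%prep` runs under `sh -e` (as far as I recall), a failing `pushd` aborts the build instead of applying `%patch71` in the wrong directory, which is the safe outcome. Minor: `accross` in the added comment should be `across`.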
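Review bot: The new branch converts the reference with `Integer(m[1..-1], 16)` / `Integer(m, 10)` and hands the result straight to `pack('U*')` without checking that it is a legal XML character, so `&#0;`, surrogates such as `&#xD800;`, values above `0x10FFFF` and very long digit strings are still accepted; the first three yield a NUL byte or invalid UTF-8 in the unnormalized text, and an over-large value makes `pack` raise a bare `RangeError` (as far as I recall) rather than a parse error. A guard after the `end`, such as `raise REXML::ParseException, "Invalid character reference: &##{m};" unless code_point.between?(1, 0x10FFFF) && !code_point.between?(0xD800, 0xDFFF)`, would close that gap, assuming `ParseException` is available in this file as it is elsewhere in the parser. The regex change itself is sound: dropping `0*` (the `�` in the removed line is presumably `&#0` mangled by the page extraction) removes the overlap with `\d+` that caused the quadratic backtracking, and the explicit base 10 keeps `&#065;` from being parsed as octal. The embedded diffstat still lists `test/parse/test_character_reference.rb` although that hunk was dropped; `patch` ignores it, but trimming it (e.g. with `filterdiff`) avoids confusion. `unnormalize` starts and ends outside the hunk.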