import UBI ruby-3.1.5-145.module+el9.5.0+22579+d0aa0a16

SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch

@@ -0,0 +1,31 @@
+From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001
+From: Sutou Kouhei <kou@clear-code.com>
+Date: Thu, 24 Oct 2024 14:45:31 +0900
+Subject: [PATCH] parser: fix a bug that &#0x...; is accepted as a character
+ reference
+
+---
+ lib/rexml/parsers/baseparser.rb        | 10 +++++++---
+ test/parse/test_character_reference.rb |  6 ++++++
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
+index 7bd8adf..b4547ba 100644
+--- a/lib/rexml/parsers/baseparser.rb
++++ b/lib/rexml/parsers/baseparser.rb
+@@ -469,8 +469,12 @@ def unnormalize( string, entities=nil, filter=nil )
+         return rv if matches.size == 0
+-        rv.gsub!( /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
++        rv.gsub!( /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
+           m=$1
+-          m = "0#{m}" if m[0] == ?x
+-          [Integer(m)].pack('U*')
++          if m.start_with?("x")
++            code_point = Integer(m[1..-1], 16)
++          else
++            code_point = Integer(m, 10)
++          end
++          [code_point].pack('U*')
+         }
+         matches.collect!{|x|x[0]}.compact!
+         if matches.size > 0

SPECS/ruby.spec

@@ -22,7 +22,7 @@
 %endif
 
 
-%global release 144
+%global release 145
 %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
 
 # The RubyGems library has to stay out of Ruby directory tree, since the
@@ -220,6 +220,9 @@ Patch35: ruby-irb-1.4.1-set-rdoc-soft-dep.patch
 # https://github.com/ruby/ruby/commit/bffadcd6d46ccfccade79ce0efb60ced8eac4483
 # https://bugs.ruby-lang.org/issues/19529#note-7
 Patch36: ruby-3.1.4-Skip-test_compaction_bug_19529-if-compaction-unsupported.patch
+# Tests not included, this Ruby release does not include REXML tests.
+# https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
+Patch37: rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
 
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Suggests: rubypick
@@ -689,6 +692,13 @@ rm -rf ext/fiddle/libffi*
 %patch35 -p1
 %patch36 -p1
 
+# Instead of adjusting patch's directory, use the following form where
+# we first enter the correct directory, this allows more general application
+# accross ruby versions, since we can make use of the %rexml_version macro.
+pushd ".bundle/gems/rexml-%{rexml_version}/"
+%patch37 -p1
+popd
+
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
 
@@ -1559,28 +1569,32 @@ make runruby TESTRUN_SCRIPT=" \
 
 
 %changelog
+* Tue Nov 26 2024 Jarek Prokop <jprokop@redhat.com> - 3.1.5-145
+- Fix REXML ReDoS vulnerability. (CVE-2024-49761)
+  Resolves: RHEL-68526
+
 * Tue Apr 30 2024 Jun Aruga <jaruga@redhat.com> - 3.1.5-144
 - Upgrade to Ruby 3.1.5.
-  Resolves: RHEL-35449
+  Resolves: RHEL-33978
 - Fix buffer overread vulnerability in StringIO.
-  Resolves: RHEL-34793
+  Resolves: RHEL-34129
 - Fix RCE vulnerability with .rdoc_options in RDoc.
-  Resolves: RHEL-34794
+  Resolves: RHEL-34121
 - Fix arbitrary memory address read vulnerability with Regex search.
-  Resolves: RHEL-34795
+  Resolves: RHEL-33871
 
 * Thu Mar 14 2024 Jarek Prokop <jprokop@redhat.com> - 3.1.4-143
 - Upgrade to Ruby 3.1.4.
-  Resolves: RHEL-29749
+  Resolves: RHEL-5586
 - Fix HTTP response splitting in CGI.
-  Resolves: RHEL-29752
+  Resolves: RHEL-5591
 - Fix ReDos vulnerability in URI.
-  Resolves: RHEL-29747
-  Resolves: RHEL-29746
+  Resolves: RHEL-28919
+  Resolves: RHEL-5612
 - Fix ReDos vulnerability in Time.
-  Resolves: RHEL-29751
+  Resolves: RHEL-28920
 - Make RDoc soft dependency in IRB.
-  Resolves: RHEL-29750
+  Resolves: RHEL-5613
 
 * Sun Dec 03 2023 Jun Aruga <jaruga@redhat.com> - 3.1.2-142
 - Bypass git submodule test failure on Git >= 2.38.1.