import UBI ruby-3.0.7-163.el9_5

2024-12-05 20:28:52 +00:00 · 2024-12-05 20:28:52 +00:00 · b905eb2d00
commit b905eb2d00
parent f1b0309dcf
2 changed files with 46 additions and 1 deletions
--- a/SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
+++ b/SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
@ -0,0 +1,31 @@
+From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001
+From: Sutou Kouhei <kou@clear-code.com>
+Date: Thu, 24 Oct 2024 14:45:31 +0900
+Subject: [PATCH] parser: fix a bug that &#0x...; is accepted as a character
+ reference
+
+---
+ lib/rexml/parsers/baseparser.rb        | 10 +++++++---
+ test/parse/test_character_reference.rb |  6 ++++++
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
+index 7bd8adf..b4547ba 100644
+--- a/lib/rexml/parsers/baseparser.rb
+++ b/lib/rexml/parsers/baseparser.rb
+@@ -469,8 +469,12 @@ def unnormalize( string, entities=nil, filter=nil )
+         return rv if matches.size == 0
+-        rv.gsub!( /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
+        rv.gsub!( /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
+           m=$1
+-          m = "0#{m}" if m[0] == ?x
+-          [Integer(m)].pack('U*')
+          if m.start_with?("x")
+            code_point = Integer(m[1..-1], 16)
+          else
+            code_point = Integer(m, 10)
+          end
+          [code_point].pack('U*')
+         }
+         matches.collect!{|x|x[0]}.compact!
+         if matches.size > 0
--- a/SPECS/ruby.spec
+++ b/SPECS/ruby.spec
@ -22,7 +22,7 @@
 %endif


-%global release 162
+%global release 163
 %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}

 # The RubyGems library has to stay out of Ruby directory tree, since the
@ -297,6 +297,9 @@ Patch69: ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch
 # to OpenSSL 3.2
 # https://github.com/ruby/ruby/commit/64b6a018a38f200c957fdbbe7d0cbe0e64781c9f
 Patch70: ruby-3.3.1-Fix-test-session-reuse-but-expire.patch
+# Tests not included, this Ruby release does not include REXML tests.
+# https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
+Patch71: rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch

 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Suggests: rubypick
@ -771,6 +774,13 @@ rm -rf ext/fiddle/libffi*
 %patch69 -p1
 %patch70 -p1

+# Instead of adjusting patch's directory, use the following form where
+# we first enter the correct directory, this allows more general application
+# accross ruby versions, since we can make use of the %rexml_version macro.
+pushd ".bundle/gems/rexml-%{rexml_version}/"
+%patch71 -p1
+popd
+
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .

@ -1545,6 +1555,10 @@ make runruby TESTRUN_SCRIPT=" \


 %changelog
+* Tue Nov 26 2024 Jarek Prokop <jprokop@redhat.com> - 3.0.7-163
+- Fix REXML ReDoS vulnerability. (CVE-2024-49761)
+  Resolves: RHEL-68521
+
 * Tue Apr 30 2024 Jun Aruga <jaruga@redhat.com> - 3.0.7-162
 - Upgrade to Ruby 3.0.7.
  Resolves: RHEL-35740