import UBI ruby-3.0.7-163.el9_5
							parent
							
								
									f1b0309dcf
								
							
						
					
					
						commit
						b905eb2d00
					
				
							
								
								
									
										31
									
								
								SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										31
									
								
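--- /dev/null
+++ b/SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
@@ -0,0 +1,31 @@
+From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001
+From: Sutou Kouhei <kou@clear-code.com>
+Date: Thu, 24 Oct 2024 14:45:31 +0900
+Subject: [PATCH] parser: fix a bug that �x...; is accepted as a character
+ reference
+
+---
+ lib/rexml/parsers/baseparser.rb        | 10 +++++++---
+ test/parse/test_character_reference.rb |  6 ++++++
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
+index 7bd8adf..b4547ba 100644
+--- a/lib/rexml/parsers/baseparser.rb
++++ b/lib/rexml/parsers/baseparser.rb
+@@ -469,8 +469,12 @@ def unnormalize( string, entities=nil, filter=nil )
+         return rv if matches.size == 0
+-        rv.gsub!( /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
++        rv.gsub!( /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
+           m=$1
+-          m = "0#{m}" if m[0] == ?x
+-          [Integer(m)].pack('U*')
++          if m.start_with?("x")
++            code_point = Integer(m[1..-1], 16)
++          else
++            code_point = Integer(m, 10)
++          end
++          [code_point].pack('U*')
+         }
+         matches.collect!{|x|x[0]}.compact!
+         if matches.size > 0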
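Review bot: `[code_point].pack('U*')` on the new side still accepts any non-negative integer the narrowed regex lets through, so a reference such as `&#1114112;` (just above U+10FFFF) is, as far as I can tell, turned into a non-Unicode byte sequence, and a very large decimal run into a `RangeError` raised by `pack`, rather than a parse error; the commit fixes the regex but does not bound the value. Checking `code_point` against the XML `Char` production (0x9, 0xA, 0xD, 0x20–0xD7FF, 0xE000–0xFFFD, 0x10000–0x10FFFF) before the `pack` and raising a `ParseException` would make malformed references fail consistently for callers that already rescue that class. The `�` in the Subject line and on the removed `rv.gsub!` line appears to be this page's rendering of `&#0`, i.e. the removed pattern was `&#0*((?:\d+)|...`, and a `0*` quantifier overlapping the following `\d+` is consistent with the ReDoS the Subject names. A short comment on the new regex line, `# deliberately no 0* before the digits: it overlapped \d+ and backtracked quadratically on long &#000... runs (CVE-2024-49761)`, would record that for the next maintainer. The enclosing `unnormalize` starts and ends outside the hunk.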
| @ -22,7 +22,7 @@ | ||||
| %endif | ||||
| 
 | ||||
| 
 | ||||
| %global release 162 | ||||
| %global release 163 | ||||
| %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} | ||||
| 
 | ||||
| # The RubyGems library has to stay out of Ruby directory tree, since the | ||||
| @ -297,6 +297,9 @@ Patch69: ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch | ||||
| # to OpenSSL 3.2 | ||||
| # https://github.com/ruby/ruby/commit/64b6a018a38f200c957fdbbe7d0cbe0e64781c9f | ||||
| Patch70: ruby-3.3.1-Fix-test-session-reuse-but-expire.patch | ||||
| # Tests not included, this Ruby release does not include REXML tests. | ||||
| # https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f | ||||
| Patch71: rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch | ||||
| 
 | ||||
| Requires: %{name}-libs%{?_isa} = %{version}-%{release} | ||||
| Suggests: rubypick | ||||
| @ -771,6 +774,13 @@ rm -rf ext/fiddle/libffi* | ||||
| %patch69 -p1 | ||||
| %patch70 -p1 | ||||
| 
 | ||||
| # Instead of adjusting patch's directory, use the following form where | ||||
| # we first enter the correct directory, this allows more general application | ||||
| # accross ruby versions, since we can make use of the %rexml_version macro. | ||||
| pushd ".bundle/gems/rexml-%{rexml_version}/" | ||||
| %patch71 -p1 | ||||
| popd | ||||
| 
 | ||||
| # Provide an example of usage of the tapset: | ||||
| cp -a %{SOURCE3} . | ||||
| 
 | ||||
| @ -1545,6 +1555,10 @@ make runruby TESTRUN_SCRIPT=" \ | ||||
| 
 | ||||
| 
 | ||||
| %changelog | ||||
| * Tue Nov 26 2024 Jarek Prokop <jprokop@redhat.com> - 3.0.7-163 | ||||
| - Fix REXML ReDoS vulnerability. (CVE-2024-49761) | ||||
|   Resolves: RHEL-68521 | ||||
| 
 | ||||
| * Tue Apr 30 2024 Jun Aruga <jaruga@redhat.com> - 3.0.7-162 | ||||
| - Upgrade to Ruby 3.0.7. | ||||
|   Resolves: RHEL-35740 | ||||
|  | ||||