import UBI ruby-3.1.5-144.module+el8.10.0+22580+b97d9670

2024-12-05 12:26:27 +00:00 · 2024-12-05 12:26:27 +00:00 · bde346b4b8
commit bde346b4b8
parent e2fb02d4f9
2 changed files with 46 additions and 1 deletions
--- a/SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
+++ b/SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
@ -0,0 +1,31 @@
+From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001
+From: Sutou Kouhei <kou@clear-code.com>
+Date: Thu, 24 Oct 2024 14:45:31 +0900
+Subject: [PATCH] parser: fix a bug that &#0x...; is accepted as a character
+ reference
+
+---
+ lib/rexml/parsers/baseparser.rb        | 10 +++++++---
+ test/parse/test_character_reference.rb |  6 ++++++
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
+index 7bd8adf..b4547ba 100644
+--- a/lib/rexml/parsers/baseparser.rb
+++ b/lib/rexml/parsers/baseparser.rb
+@@ -469,8 +469,12 @@ def unnormalize( string, entities=nil, filter=nil )
+         return rv if matches.size == 0
+-        rv.gsub!( /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
+        rv.gsub!( /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
+           m=$1
+-          m = "0#{m}" if m[0] == ?x
+-          [Integer(m)].pack('U*')
+          if m.start_with?("x")
+            code_point = Integer(m[1..-1], 16)
+          else
+            code_point = Integer(m, 10)
+          end
+          [code_point].pack('U*')
+         }
+         matches.collect!{|x|x[0]}.compact!
+         if matches.size > 0
--- a/SPECS/ruby.spec
+++ b/SPECS/ruby.spec
@ -22,7 +22,7 @@
 %endif


-%global release 143
+%global release 144
 %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}

 # The RubyGems library has to stay out of Ruby directory tree, since the
@ -195,6 +195,9 @@ Patch29: ruby-3.1.4-Skip-test_compaction_bug_19529-if-compaction-unsupported.pat
 # https://github.com/ruby/ruby/pull/10696
 # https://bugs.ruby-lang.org/issues/20451
 Patch30: ruby-fiddle-1.1.1-closure-free-resources.patch
+# Tests not included, this Ruby release does not include REXML tests.
+# https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
+Patch31: rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch

 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Suggests: rubypick
@ -659,6 +662,13 @@ rm -rf ext/fiddle/libffi*
 %patch29 -p1
 %patch30 -p1

+# Instead of adjusting patch's directory, use the following form where
+# we first enter the correct directory, this allows more general application
+# accross ruby versions, since we can make use of the %rexml_version macro.
+pushd ".bundle/gems/rexml-%{rexml_version}/"
+%patch31 -p1
+popd
+
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .

@ -1542,6 +1552,10 @@ DISABLE_TESTS="$DISABLE_TESTS -n !/TestBundledCA/"


 %changelog
+* Tue Nov 26 2024 Jarek Prokop <jprokop@redhat.com> - 3.1.5-144
+- Fix REXML ReDoS vulnerability. (CVE-2024-49761)
+  Resolves: RHEL-68520
+
 * Tue May 07 2024 Jun Aruga <jaruga@redhat.com> - 3.1.5-143
 - Upgrade to Ruby 3.1.5.
  Resolves: RHEL-35748