From bfbeb31c75c098e03caf0e062d26c8e8291ff521 Mon Sep 17 00:00:00 2001
From: Jarek Prokop
Date: Mon, 25 Nov 2024 16:46:54 +0100
Subject: [PATCH] Fix REXML ReDoS vulnerability. (CVE-2024-49761)
Tests not included in the patch, this Ruby version does not include rexml unit tests in the released tarball. Before patch application, enter the correct directory in the specfile. Instead of adjusting the path in the patch for each ruby version we can enter the correct directory first in the specfile and make use of %rexml_version macro which further helps in making minimal changes for different ruby versions.
Resolves: RHEL-68520
---
 ruby.spec | 16 +++++++++-
 ...rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch | 31 +++++++++++++++++++
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
diff --git a/ruby.spec b/ruby.spec
index c17cffb..7c06da7 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -22,7 +22,7 @@
 %endif
-%global release 143
+%global release 144
 %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
 # The RubyGems library has to stay out of Ruby directory tree, since the
@@ -195,6 +195,9 @@ Patch29: ruby-3.1.4-Skip-test_compaction_bug_19529-if-compaction-unsupported.pat
 # https://github.com/ruby/ruby/pull/10696
 # https://bugs.ruby-lang.org/issues/20451
 Patch30: ruby-fiddle-1.1.1-closure-free-resources.patch
+# Tests not included, this Ruby release does not include REXML tests.
+# https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
+Patch31: rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Suggests: rubypick
@@ -659,6 +662,13 @@ rm -rf ext/fiddle/libffi*
 %patch29 -p1
 %patch30 -p1
+# Instead of adjusting patch's directory, use the following form where
+# we first enter the correct directory, this allows more general application
+# accross ruby versions, since we can make use of the %rexml_version macro.
+pushd ".bundle/gems/rexml-%{rexml_version}/"
+%patch31 -p1
+popd
+
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
@@ -1542,6 +1552,10 @@ DISABLE_TESTS="$DISABLE_TESTS -n !/TestBundledCA/"
 %changelog
+* Tue Nov 26 2024 Jarek Prokop - 3.1.5-144
+- Fix REXML ReDoS vulnerability. (CVE-2024-49761)
+ Resolves: RHEL-68520
+
 * Tue May 07 2024 Jun Aruga - 3.1.5-143
 - Upgrade to Ruby 3.1.5.
 Resolves: RHEL-35748
diff --git a/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch b/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
new file mode 100644
index 0000000..8222691
--- /dev/null
+++ b/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
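Review bot: The comment added above `pushd` in the %prep hunk has a typo, `accross` should read `across`, and the `pushd ".bundle/gems/rexml-%{rexml_version}/"` line depends on `%rexml_version` being defined earlier in ruby.spec, which this hunk does not show. If that macro were undefined, rpm would leave `%{rexml_version}` unexpanded and `pushd` would fail on a non-existent directory; rpmbuild runs %prep with errexit as far as I know, so the build would stop there, but the error would not say why the ReDoS fix was not applied. A one-line check in front of `pushd` makes the failure self-explanatory: `test -d ".bundle/gems/rexml-%{rexml_version}" || { echo "bundled rexml %{rexml_version} not found, cannot apply Patch31" >&2; exit 1; }`. The %prep section continues on both sides of this hunk.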
@@ -0,0 +1,31 @@
+From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001
+From: Sutou Kouhei
+Date: Thu, 24 Oct 2024 14:45:31 +0900
+Subject: [PATCH] parser: fix a bug that �x...; is accepted as a character
+ reference
+
+---
+ lib/rexml/parsers/baseparser.rb | 10 +++++++---
+ test/parse/test_character_reference.rb | 6 ++++++
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
+index 7bd8adf..b4547ba 100644
+--- a/lib/rexml/parsers/baseparser.rb
++++ b/lib/rexml/parsers/baseparser.rb
+@@ -469,8 +469,12 @@ def unnormalize( string, entities=nil, filter=nil )
+ return rv if matches.size == 0
+- rv.gsub!( /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
++ rv.gsub!( /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
+ m=$1
+- m = "0#{m}" if m[0] == ?x
+- [Integer(m)].pack('U*')
++ if m.start_with?("x")
++ code_point = Integer(m[1..-1], 16)
++ else
++ code_point = Integer(m, 10)
++ end
++ [code_point].pack('U*')
+ }
+ matches.collect!{|x|x[0]}.compact!
+ if matches.size > 0
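Review bot: The removed `rv.gsub!` line and the Subject line of the embedded upstream patch show a `�` (U+FFFD) where, judging by the new regex starting with `&#` and the fix's intent of no longer tolerating a leading-zero prefix, upstream's text would read `&#0` (`&#0*(...)` in the old pattern, `&#0x...;` in the subject); whether that is a rendering artifact of this page or a byte in the committed file cannot be told from here. If the committed file really carries U+FFFD, the `-` line will not match `baseparser.rb` and `%patch31 -p1` will fail to apply, so the file should be compared byte-for-byte against the upstream commit ce59f2eb1aeb371fe1643414f06618dbe031979f that the spec's Patch31 comment links. The embedded diffstat also lists `test/parse/test_character_reference.rb`, but no hunk for it is present; since the commit message explains the tests were left out deliberately, a one-line note after the diffstat such as `# test hunk dropped: REXML tests are not shipped in this Ruby tarball` would keep a future rebaser from treating the file as truncated. The upstream replacement of `Integer(m)` with an explicit base-16 / base-10 split is taken as-is and not re-reviewed here.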