import UBI ruby-2.5.9-113.module+el8.10.0+22581+23fc9c9e
This commit is contained in:
parent
7718972607
commit
f0e26e6691
31
SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
Normal file
31
SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
Normal file
@ -0,0 +1,31 @@
|
||||
From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001
|
||||
From: Sutou Kouhei <kou@clear-code.com>
|
||||
Date: Thu, 24 Oct 2024 14:45:31 +0900
|
||||
Subject: [PATCH] parser: fix a bug that �x...; is accepted as a character
|
||||
reference
|
||||
|
||||
---
|
||||
lib/rexml/parsers/baseparser.rb | 10 +++++++---
|
||||
test/parse/test_character_reference.rb | 6 ++++++
|
||||
2 files changed, 13 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
|
||||
index 7bd8adf..b4547ba 100644
|
||||
--- a/lib/rexml/parsers/baseparser.rb
|
||||
+++ b/lib/rexml/parsers/baseparser.rb
|
||||
@@ -492,8 +492,12 @@ def unnormalize( string, entities=nil, filter=nil )
|
||||
return rv if matches.size == 0
|
||||
- rv.gsub!( /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
|
||||
+ rv.gsub!( /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
|
||||
m=$1
|
||||
- m = "0#{m}" if m[0] == ?x
|
||||
- [Integer(m)].pack('U*')
|
||||
+ if m.start_with?("x")
|
||||
+ code_point = Integer(m[1..-1], 16)
|
||||
+ else
|
||||
+ code_point = Integer(m, 10)
|
||||
+ end
|
||||
+ [code_point].pack('U*')
|
||||
}
|
||||
matches.collect!{|x|x[0]}.compact!
|
||||
if matches.size > 0
|
@ -21,7 +21,7 @@
|
||||
%endif
|
||||
|
||||
|
||||
%global release 112
|
||||
%global release 113
|
||||
|
||||
%{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
|
||||
|
||||
@ -266,6 +266,10 @@ Patch48: rubygem-strscan-1.0.2-Accept-String-as-a-pattern.patch
|
||||
# https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb
|
||||
# https://github.com/ruby/rexml/commit/f1df7d13b3e57a5e059273d2f0870163c08d7420
|
||||
Patch49: rubygem-rexml-3.2.9-Fix-CVE-2024-35176-DoS-in-REXML.patch
|
||||
# Tests not included, this Ruby release does not include the specific
|
||||
# test file to patch.
|
||||
# https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
|
||||
Patch50: rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
|
||||
|
||||
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
@ -686,6 +690,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \
|
||||
%patch47 -p1
|
||||
%patch48 -p1
|
||||
%patch49 -p1
|
||||
%patch50 -p1
|
||||
|
||||
# Provide an example of usage of the tapset:
|
||||
cp -a %{SOURCE3} .
|
||||
@ -1250,6 +1255,10 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
|
||||
%{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec
|
||||
|
||||
%changelog
|
||||
* Tue Nov 26 2024 Jarek Prokop <jprokop@redhat.com> - 2.5.9-113
|
||||
- Fix REXML ReDoS vulnerability. (CVE-2024-49761)
|
||||
Resolves: RHEL-68515
|
||||
|
||||
* Tue May 21 2024 Jarek Prokop <jprokop@redhat.com> - 2.5.9-112
|
||||
- Fix ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755.
|
||||
(CVE-2023-36617)
|
||||
|
Loading…
Reference in New Issue
Block a user