rpms/ruby
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI ruby-2.5.9-113.module+el8.10.0+22581+23fc9c9e

Browse Source
This commit is contained in:
eabdullin 2024-12-05 18:25:07 +00:00
parent 7718972607
commit f0e26e6691
2 changed files with 41 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
SOURCES/rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch Normal file
View File

@ -0,0 +1,31 @@
From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001
From: Sutou Kouhei <kou@clear-code.com>
Date: Thu, 24 Oct 2024 14:45:31 +0900
Subject: [PATCH] parser: fix a bug that &#0x...; is accepted as a character
reference
---
lib/rexml/parsers/baseparser.rb | 10 +++++++---
test/parse/test_character_reference.rb | 6 ++++++
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
index 7bd8adf..b4547ba 100644
--- a/lib/rexml/parsers/baseparser.rb
+++ b/lib/rexml/parsers/baseparser.rb
@@ -492,8 +492,12 @@ def unnormalize( string, entities=nil, filter=nil )
return rv if matches.size == 0
- rv.gsub!( /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
+ rv.gsub!( /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
m=$1
- m = "0#{m}" if m[0] == ?x
- [Integer(m)].pack('U*')
+ if m.start_with?("x")
+ code_point = Integer(m[1..-1], 16)
+ else
+ code_point = Integer(m, 10)
+ end
+ [code_point].pack('U*')
}
matches.collect!{|x|x[0]}.compact!
if matches.size > 0

11
SPECS/ruby.spec
View File

@ -21,7 +21,7 @@
%endif %endif
%global release 112 %global release 113
%{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
@ -266,6 +266,10 @@ Patch48: rubygem-strscan-1.0.2-Accept-String-as-a-pattern.patch
# https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb # https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb
# https://github.com/ruby/rexml/commit/f1df7d13b3e57a5e059273d2f0870163c08d7420 # https://github.com/ruby/rexml/commit/f1df7d13b3e57a5e059273d2f0870163c08d7420
Patch49: rubygem-rexml-3.2.9-Fix-CVE-2024-35176-DoS-in-REXML.patch Patch49: rubygem-rexml-3.2.9-Fix-CVE-2024-35176-DoS-in-REXML.patch
# Tests not included, this Ruby release does not include the specific
# test file to patch.
# https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
Patch50: rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -686,6 +690,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \
%patch47 -p1 %patch47 -p1
%patch48 -p1 %patch48 -p1
%patch49 -p1 %patch49 -p1
%patch50 -p1
# Provide an example of usage of the tapset: # Provide an example of usage of the tapset:
cp -a %{SOURCE3} . cp -a %{SOURCE3} .
@ -1250,6 +1255,10 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
%{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec %{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec
%changelog %changelog
* Tue Nov 26 2024 Jarek Prokop <jprokop@redhat.com> - 2.5.9-113
- Fix REXML ReDoS vulnerability. (CVE-2024-49761)
Resolves: RHEL-68515
* Tue May 21 2024 Jarek Prokop <jprokop@redhat.com> - 2.5.9-112 * Tue May 21 2024 Jarek Prokop <jprokop@redhat.com> - 2.5.9-112
- Fix ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755. - Fix ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755.
(CVE-2023-36617) (CVE-2023-36617)