ruby: patch CVE-2024-49761

Patch adapted from ruby/rexml@ce59f2e which fixes CVE-2024-49761 per https://nvd.nist.gov/vuln/detail/CVE-2024-49761 Needed for rubygem-rexml versions < 3.3.9 Signed-off-by: Saul Paredes <[email protected]>
microsoft · Nov 7, 2024 · 11af426 · 11af426
1 parent 7c02211
commit 11af426
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 2 deletions.
diff --git a/SPECS/ruby/CVE-2024-49761.patch b/SPECS/ruby/CVE-2024-49761.patch
@@ -0,0 +1,40 @@
+From e4f434feea921a17031eb8ff09790c2952b7e7c5 Mon Sep 17 00:00:00 2001
+From: Saul Paredes <[email protected]>
+Date: Tue, 5 Nov 2024 12:01:30 -0800
+Subject: [PATCH] ruby: patch CVE-2024-49761 Patch adapted from
+ https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
+ which fixes CVE-2024-49761 per
+ https://nvd.nist.gov/vuln/detail/CVE-2024-49761
+
+Needed for rubygem-rexml versions < 3.3.9
+
+Signed-off-by: Saul Paredes <[email protected]>
+---
+ .../gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb   | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb
+index d09237c..99e375c 100644
+--- a/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb
+@@ -474,10 +474,14 @@ module REXML
+         rv = string.gsub( /\r\n?/, "\n" )
+         matches = rv.scan( REFERENCE_RE )
+         return rv if matches.size == 0
+-        rv.gsub!( /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
++        rv.gsub!( /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
+           m=$1
+-          m = "0#{m}" if m[0] == ?x
+-          [Integer(m)].pack('U*')
++          if m.start_with?("x")
++            code_point = Integer(m[1..-1], 16)
++          else
++            code_point = Integer(m, 10)
++          end
++          [code_point].pack('U*')
+         }
+         matches.collect!{|x|x[0]}.compact!
+         if matches.size > 0
+-- 
+2.25.1
+
diff --git a/SPECS/ruby/ruby.spec b/SPECS/ruby/ruby.spec
@@ -88,7 +88,7 @@ Name:           ruby
 # provides should be versioned according to the ruby version.
 # More info: https://stdgems.org/
 Version:        %{ruby_version}
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        (Ruby OR BSD) AND Public Domain AND MIT AND CC0 AND zlib AND UCD
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -104,6 +104,8 @@ Source6:        rubygems.req
 Source7:        macros.rubygems
 Patch0:         CVE-2024-41946.patch
 # Updates default ruby-uri to 0.12.2 and vendored one to 0.10.3. Remove once ruby gets updated to a version that comes with both lib/uri/version.rb and lib/bundler/vendor/uri/lib/uri/version.rb versions >= 0.12.2 or == 0.10.3
+# Patch no longer needed if REXML gem is 3.3.9 or later. Now is 3.2.8
+Patch1:         CVE-2024-49761.patch
 BuildRequires:  openssl-devel
 # Pkgconfig(yaml-0.1) is needed to build the 'psych' gem.
 BuildRequires:  pkgconfig(yaml-0.1)
@@ -408,6 +410,9 @@ sudo -u test make test TESTS="-v"
 %{_rpmconfigdir}/rubygems.con
 
 %changelog
+* Tue Nov 05 2024 Saul Paredes <[email protected]> - 3.1.4-3
+- Patch CVE-2024-49761
+
 * Wed Sep 18 2024 Harshit Gupta <[email protected]> - 3.3.3-2
 - Revert ruby back to 3.3.3 to avoid build failure of rubygems-* packages
 - Add patch for CVE-2024-41946 for bundled gem rexml

diff --git a/SPECS/rubygem-rexml/rubygem-rexml.spec b/SPECS/rubygem-rexml/rubygem-rexml.spec
@@ -35,7 +35,7 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}-
 %{gemdir}
 
 %changelog
-* Tue Nov 5 2024 Saul Paredes <[email protected]> - 3.2.7-2
+* Tue Nov 05 2024 Saul Paredes <[email protected]> - 3.2.7-2
 - Add patch for CVE-2024-49761
 
 * Fri Aug 9 2024 Bhagyashri Pathak <[email protected]> - 3.3.4-1