-
Notifications
You must be signed in to change notification settings - Fork 546
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Patch adapted from ruby/rexml@ce59f2e which fixes CVE-2024-49761 per https://nvd.nist.gov/vuln/detail/CVE-2024-49761 Needed for ruby versions < 3.2.0 Signed-off-by: Saul Paredes <[email protected]>
- Loading branch information
Showing
2 changed files
with
46 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
From 42ab972c3b93321be351539a24ee95d31523a35d Mon Sep 17 00:00:00 2001 | ||
From: Saul Paredes <[email protected]> | ||
Date: Mon, 4 Nov 2024 12:40:10 -0800 | ||
Subject: [PATCH] ruby: patch CVE-2024-49761 | ||
|
||
Patch adapted from https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f | ||
which fixes CVE-2024-49761 per https://nvd.nist.gov/vuln/detail/CVE-2024-49761 | ||
|
||
Needed for ruby versions < 3.2.0 | ||
|
||
Signed-off-by: Saul Paredes <[email protected]> | ||
--- | ||
.../gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 10 +++++++--- | ||
1 file changed, 7 insertions(+), 3 deletions(-) | ||
|
||
diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | ||
index 305b120..4944074 100644 | ||
--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | ||
+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | ||
@@ -467,10 +467,14 @@ module REXML | ||
rv.gsub!( /\r\n?/, "\n" ) | ||
matches = rv.scan( REFERENCE_RE ) | ||
return rv if matches.size == 0 | ||
- rv.gsub!( /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) { | ||
+ rv.gsub!( /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ ) { | ||
m=$1 | ||
- m = "0#{m}" if m[0] == ?x | ||
- [Integer(m)].pack('U*') | ||
+ if m.start_with?("x") | ||
+ code_point = Integer(m[1..-1], 16) | ||
+ else | ||
+ code_point = Integer(m, 10) | ||
+ end | ||
+ [code_point].pack('U*') | ||
} | ||
matches.collect!{|x|x[0]}.compact! | ||
if matches.size > 0 | ||
-- | ||
2.25.1 | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -88,7 +88,7 @@ Name: ruby | |
# provides should be versioned according to the ruby version. | ||
# More info: https://stdgems.org/ | ||
Version: %{ruby_version} | ||
Release: 2%{?dist} | ||
Release: 3%{?dist} | ||
License: (Ruby OR BSD) AND Public Domain AND MIT AND CC0 AND zlib AND UCD | ||
Vendor: Microsoft Corporation | ||
Distribution: Azure Linux | ||
|
@@ -104,6 +104,8 @@ Source6: rubygems.req | |
Source7: macros.rubygems | ||
Patch0: CVE-2024-41946.patch | ||
# Updates default ruby-uri to 0.12.2 and vendored one to 0.10.3. Remove once ruby gets updated to a version that comes with both lib/uri/version.rb and lib/bundler/vendor/uri/lib/uri/version.rb versions >= 0.12.2 or == 0.10.3 | ||
# Patch no longer needed if REXML gem is 3.3.9 or later. Now is 3.2.5 | ||
Patch1: CVE-2024-49761.patch | ||
BuildRequires: openssl-devel | ||
# Pkgconfig(yaml-0.1) is needed to build the 'psych' gem. | ||
BuildRequires: pkgconfig(yaml-0.1) | ||
|
@@ -408,6 +410,9 @@ sudo -u test make test TESTS="-v" | |
%{_rpmconfigdir}/rubygems.con | ||
|
||
%changelog | ||
* Tue Nov 5 2024 Saul Paredes <[email protected]> - 3.1.4-3 | ||
- Patch CVE-2024-49761 | ||
|
||
* Wed Sep 18 2024 Harshit Gupta <[email protected]> - 3.3.3-2 | ||
- Revert ruby back to 3.3.3 to avoid build failure of rubygems-* packages | ||
- Add patch for CVE-2024-41946 for bundled gem rexml | ||
|