diff --git a/SPECS/ruby/CVE-2024-49761.patch b/SPECS/ruby/CVE-2024-49761.patch new file mode 100644 index 00000000000..66914431c3c --- /dev/null +++ b/SPECS/ruby/CVE-2024-49761.patch @@ -0,0 +1,40 @@ +From 42ab972c3b93321be351539a24ee95d31523a35d Mon Sep 17 00:00:00 2001 +From: Saul Paredes +Date: Mon, 4 Nov 2024 12:40:10 -0800 +Subject: [PATCH] ruby: patch CVE-2024-49761 + +Patch adapted from https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f +which fixes CVE-2024-49761 per https://nvd.nist.gov/vuln/detail/CVE-2024-49761 + +Needed for ruby versions < 3.2.0 + +Signed-off-by: Saul Paredes +--- + .../gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +index 305b120..4944074 100644 +--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb ++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +@@ -467,10 +467,14 @@ module REXML + rv.gsub!( /\r\n?/, "\n" ) + matches = rv.scan( REFERENCE_RE ) + return rv if matches.size == 0 +- rv.gsub!( /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) { ++ rv.gsub!( /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ ) { + m=$1 +- m = "0#{m}" if m[0] == ?x +- [Integer(m)].pack('U*') ++ if m.start_with?("x") ++ code_point = Integer(m[1..-1], 16) ++ else ++ code_point = Integer(m, 10) ++ end ++ [code_point].pack('U*') + } + matches.collect!{|x|x[0]}.compact! + if matches.size > 0 +-- +2.25.1 + diff --git a/SPECS/ruby/ruby.spec b/SPECS/ruby/ruby.spec index ba84ca4d9c2..3ef3be440b3 100644 --- a/SPECS/ruby/ruby.spec +++ b/SPECS/ruby/ruby.spec @@ -83,7 +83,7 @@ Name: ruby # provides should be versioned according to the ruby version. # More info: https://stdgems.org/ Version: 3.1.4 -Release: 7%{?dist} +Release: 8%{?dist} License: (Ruby OR BSD) AND Public Domain AND MIT AND CC0 AND zlib AND UCD Vendor: Microsoft Corporation Distribution: Mariner @@ -106,6 +106,8 @@ Patch3: CVE-2024-27282.patch Patch4: CVE-2024-35176.patch # Patch no longer needed if REXML gem is 3.3.3 or later. Now is 3.2.5 Patch5: CVE-2024-41946.patch +# Patch no longer needed if REXML gem is 3.3.9 or later. Now is 3.2.5 +Patch6: CVE-2024-49761.patch BuildRequires: openssl-devel BuildRequires: readline BuildRequires: readline-devel @@ -408,6 +410,9 @@ sudo -u test make test TESTS="-v" %{_rpmconfigdir}/rubygems.con %changelog +* Mon Nov 04 2024 Saul Paredes - 3.1.4-8 +- Patch CVE-2024-49761 + * Thu Sep 19 2024 Harshit Gupta - 3.1.4-7 - Patch CVE-2024-41946 diff --git a/SPECS/rubygem-rexml/CVE-2024-49761.patch b/SPECS/rubygem-rexml/CVE-2024-49761.patch new file mode 100644 index 00000000000..420561274da --- /dev/null +++ b/SPECS/rubygem-rexml/CVE-2024-49761.patch @@ -0,0 +1,40 @@ +From 73938fa3d122d9110b6128711af90667ecc7321a Mon Sep 17 00:00:00 2001 +From: Saul Paredes +Date: Mon, 4 Nov 2024 12:37:13 -0800 +Subject: [PATCH] rubygem-rexml: patch CVE-2024-49761 + +Patch adapted from https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f +which fixes CVE-2024-49761 per https://nvd.nist.gov/vuln/detail/CVE-2024-49761 + +Needed for rubygem-rexml versions < 3.3.9 + +Signed-off-by: Saul Paredes +--- + lib/rexml/parsers/baseparser.rb | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb +index d09237c..99e375c 100644 +--- a/lib/rexml/parsers/baseparser.rb ++++ b/lib/rexml/parsers/baseparser.rb +@@ -474,10 +474,14 @@ module REXML + rv = string.gsub( /\r\n?/, "\n" ) + matches = rv.scan( REFERENCE_RE ) + return rv if matches.size == 0 +- rv.gsub!( /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) { ++ rv.gsub!( /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ ) { + m=$1 +- m = "0#{m}" if m[0] == ?x +- [Integer(m)].pack('U*') ++ if m.start_with?("x") ++ code_point = Integer(m[1..-1], 16) ++ else ++ code_point = Integer(m, 10) ++ end ++ [code_point].pack('U*') + } + matches.collect!{|x|x[0]}.compact! + if matches.size > 0 +-- +2.25.1 + diff --git a/SPECS/rubygem-rexml/rubygem-rexml.spec b/SPECS/rubygem-rexml/rubygem-rexml.spec index b9bfdb3b1c3..34f782b8c3d 100644 --- a/SPECS/rubygem-rexml/rubygem-rexml.spec +++ b/SPECS/rubygem-rexml/rubygem-rexml.spec @@ -3,7 +3,7 @@ Summary: REXML is an XML toolkit for Ruby Name: rubygem-%{gem_name} Version: 3.2.7 -Release: 2%{?dist} +Release: 3%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Mariner @@ -11,6 +11,7 @@ Group: Development/Languages URL: https://github.com/ruby/rexml Source0: https://github.com/ruby/rexml/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz Patch0: CVE-2024-41946.patch +Patch1: CVE-2024-49761.patch BuildRequires: git BuildRequires: ruby Requires: ruby(release) @@ -35,6 +36,9 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}- %{gemdir} %changelog +* Mon Nov 04 2024 Saul Paredes - 3.2.7-3 +- Add patch for CVE-2024-49761 + * Thu Sep 19 2024 Harshit Gupta - 3.2.7-2 - Add patch for CVE-2024-41946