rubygem-rexml: patch CVE-2024-49761

Patch adapted from ruby/rexml@ce59f2e which fixes CVE-2024-49761 per https://nvd.nist.gov/vuln/detail/CVE-2024-49761 Needed for rubygem-rexml versions < 3.3.9 Signed-off-by: Saul Paredes <[email protected]>
microsoft · Nov 12, 2024 · 26b279c · 26b279c
1 parent 9aed52f
commit 26b279c
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 1 deletion.
diff --git a/SPECS/rubygem-rexml/CVE-2024-49761.patch b/SPECS/rubygem-rexml/CVE-2024-49761.patch
@@ -0,0 +1,46 @@
+From 67d11906da922cf0a9a5917f2f66c3cfb1472e4d Mon Sep 17 00:00:00 2001
+From: Saul Paredes <[email protected]>
+Date: Tue, 5 Nov 2024 09:55:45 -0800
+Subject: [PATCH] rubygem-rexml: patch CVE-2024-49761
+
+Patch adapted from https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
+which fixes CVE-2024-49761 per https://nvd.nist.gov/vuln/detail/CVE-2024-49761
+
+Needed for rubygem-rexml versions < 3.3.9
+
+Signed-off-by: Saul Paredes <[email protected]>
+---
+ lib/rexml/parsers/baseparser.rb | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
+index 28810bf..7a7d370 100644
+--- a/lib/rexml/parsers/baseparser.rb
++++ b/lib/rexml/parsers/baseparser.rb
+@@ -133,7 +133,7 @@ module REXML
+         PEDECL_PATTERN = "\\s+(%)\\s+#{NAME}\\s+#{PEDEF}\\s*>"
+         ENTITYDECL_PATTERN = /(?:#{GEDECL_PATTERN})|(?:#{PEDECL_PATTERN})/um
+         CARRIAGE_RETURN_NEWLINE_PATTERN = /\r\n?/
+-        CHARACTER_REFERENCES = /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/
++        CHARACTER_REFERENCES = /&#((?:\d+)|(?:x[a-fA-F0-9]+));/
+         DEFAULT_ENTITIES_PATTERNS = {}
+         default_entities = ['gt', 'lt', 'quot', 'apos', 'amp']
+         default_entities.each do |term|
+@@ -543,8 +543,12 @@ module REXML
+         return rv if matches.size == 0
+         rv.gsub!( Private::CHARACTER_REFERENCES ) {
+           m=$1
+-          m = "0#{m}" if m[0] == ?x
+-          [Integer(m)].pack('U*')
++          if m.start_with?("x")
++            code_point = Integer(m[1..-1], 16)
++          else
++            code_point = Integer(m, 10)
++          end
++          [code_point].pack('U*')
+         }
+         matches.collect!{|x|x[0]}.compact!
+         if matches.size > 0
+-- 
+2.25.1
+
diff --git a/SPECS/rubygem-rexml/rubygem-rexml.spec b/SPECS/rubygem-rexml/rubygem-rexml.spec
@@ -3,13 +3,14 @@
 Summary:        REXML is an XML toolkit for Ruby
 Name:           rubygem-%{gem_name}
 Version:        3.3.4
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Development/Languages
 URL:            https://github.com/ruby/rexml
 Source0:        https://github.com/ruby/rexml/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz
+Patch0:         CVE-2024-49761.patch
 BuildRequires:  git
 BuildRequires:  ruby
 Requires:       ruby(release)
@@ -34,6 +35,9 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}-
 %{gemdir}
 
 %changelog
+* Tue Nov 12 2024 Saul Paredes <[email protected]> - 3.3.4-2
+- Add patch for CVE-2024-49761
+
 * Fri Aug 9 2024 Bhagyashri Pathak <[email protected]> - 3.3.4-1
 - Upgrade to 3.3.4 to resolve CVE-2024-39908