-
Notifications
You must be signed in to change notification settings - Fork 546
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Patch adapted from ruby/rexml@ce59f2e which fixes CVE-2024-49761 per https://nvd.nist.gov/vuln/detail/CVE-2024-49761 Needed for rubygem-rexml versions < 3.3.9 Signed-off-by: Saul Paredes <[email protected]>
- Loading branch information
Showing
2 changed files
with
50 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
From 67d11906da922cf0a9a5917f2f66c3cfb1472e4d Mon Sep 17 00:00:00 2001 | ||
From: Saul Paredes <[email protected]> | ||
Date: Tue, 5 Nov 2024 09:55:45 -0800 | ||
Subject: [PATCH] rubygem-rexml: patch CVE-2024-49761 | ||
|
||
Patch adapted from https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f | ||
which fixes CVE-2024-49761 per https://nvd.nist.gov/vuln/detail/CVE-2024-49761 | ||
|
||
Needed for rubygem-rexml versions < 3.3.9 | ||
|
||
Signed-off-by: Saul Paredes <[email protected]> | ||
--- | ||
lib/rexml/parsers/baseparser.rb | 10 +++++++--- | ||
1 file changed, 7 insertions(+), 3 deletions(-) | ||
|
||
diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb | ||
index 28810bf..7a7d370 100644 | ||
--- a/lib/rexml/parsers/baseparser.rb | ||
+++ b/lib/rexml/parsers/baseparser.rb | ||
@@ -133,7 +133,7 @@ module REXML | ||
PEDECL_PATTERN = "\\s+(%)\\s+#{NAME}\\s+#{PEDEF}\\s*>" | ||
ENTITYDECL_PATTERN = /(?:#{GEDECL_PATTERN})|(?:#{PEDECL_PATTERN})/um | ||
CARRIAGE_RETURN_NEWLINE_PATTERN = /\r\n?/ | ||
- CHARACTER_REFERENCES = /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ | ||
+ CHARACTER_REFERENCES = /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ | ||
DEFAULT_ENTITIES_PATTERNS = {} | ||
default_entities = ['gt', 'lt', 'quot', 'apos', 'amp'] | ||
default_entities.each do |term| | ||
@@ -543,8 +543,12 @@ module REXML | ||
return rv if matches.size == 0 | ||
rv.gsub!( Private::CHARACTER_REFERENCES ) { | ||
m=$1 | ||
- m = "0#{m}" if m[0] == ?x | ||
- [Integer(m)].pack('U*') | ||
+ if m.start_with?("x") | ||
+ code_point = Integer(m[1..-1], 16) | ||
+ else | ||
+ code_point = Integer(m, 10) | ||
+ end | ||
+ [code_point].pack('U*') | ||
} | ||
matches.collect!{|x|x[0]}.compact! | ||
if matches.size > 0 | ||
-- | ||
2.25.1 | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -10,6 +10,7 @@ Distribution: Azure Linux | |
Group: Development/Languages | ||
URL: https://github.com/ruby/rexml | ||
Source0: https://github.com/ruby/rexml/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz | ||
Patch0: CVE-2024-49761.patch | ||
BuildRequires: git | ||
BuildRequires: ruby | ||
Requires: ruby(release) | ||
|
@@ -34,6 +35,9 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}- | |
%{gemdir} | ||
|
||
%changelog | ||
* Tue Nov 12 2024 Saul Paredes <[email protected]> - 3.3.4-2 | ||
- Add patch for CVE-2024-49761 | ||
|
||
* Fri Aug 9 2024 Bhagyashri Pathak <[email protected]> - 3.3.4-1 | ||
- Upgrade to 3.3.4 to resolve CVE-2024-39908 | ||
|
||
|