From 754891e57b4cf73916342684f984ea1a1a03dcf2 Mon Sep 17 00:00:00 2001
From: Saul Paredes
Date: Fri, 8 Nov 2024 15:32:48 -0800
Subject: [PATCH 1/3] ruby: update to 3.3.5 to resolve CVE-2024-39908

Also remove CVE-2024-41946.patch as it no longer applies as ruby 3.3.5 containers rubygem-rexml 3.3.6, where CVE-2024-41946 is already fixed

Signed-off-by: Saul Paredes
---
 SPECS/ruby/CVE-2024-41946.patch | 111 --------------------------------
 SPECS/ruby/ruby.signatures.json | 2 +-
 SPECS/ruby/ruby.spec | 34 +++++-----
 cgmanifest.json | 4 +-
 4 files changed, 21 insertions(+), 130 deletions(-)
 delete mode 100644 SPECS/ruby/CVE-2024-41946.patch

diff --git a/SPECS/ruby/CVE-2024-41946.patch b/SPECS/ruby/CVE-2024-41946.patch
deleted file mode 100644
index 63e3c821d91..00000000000
--- a/SPECS/ruby/CVE-2024-41946.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From 8f46a0155b5ff647fef8314b0b36491ea2d7de7b Mon Sep 17 00:00:00 2001
-From: Harshit Gupta
-Date: Wed, 18 Sep 2024 09:34:21 -0700
-Subject: [PATCH] Patch for CVE-2024-41946
-
-Based on upstream commit
-https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368
-
----
- lib/rexml/parsers/baseparser.rb | 19 ++++++++++++++++++-
- lib/rexml/parsers/pullparser.rb | 4 ++++
- lib/rexml/parsers/sax2parser.rb | 4 ++++
- 3 files changed, 26 insertions(+), 1 deletion(-)
-
-diff --git a/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb
-index d09237c..61f6787 100644
---- a/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb
-+++ b/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb
-@@ -128,6 +128,7 @@ module REXML
- def initialize( source )
- self.stream = source
- @listeners = []
-+ @entity_expansion_count = 0
- end
- 
- def add_listener( listener )
-@@ -135,6 +136,7 @@ module REXML
- end
- 
- attr_reader :source
-+ attr_reader :entity_expansion_count
- 
- def stream=( source )
- @source = SourceFactory.create_from( source )
-@@ -446,7 +448,9 @@ module REXML
- def entity( reference, entities )
- value = nil
- value = entities[ reference ] if entities
-- if not value
-+ if value
-+ record_entity_expansion
-+ else
- value = DEFAULT_ENTITIES[ reference ]
- value = value[2] if value
- end
-@@ -481,12 +485,17 @@ module REXML
- }
- matches.collect!{|x|x[0]}.compact!
- if matches.size > 0
-+ sum = 0
- matches.each do |entity_reference|
- unless filter and filter.include?(entity_reference)
- entity_value = entity( entity_reference, entities )
- if entity_value
- re = /&#{entity_reference};/
- rv.gsub!( re, entity_value )
-+ sum += rv.bytesize
-+ if sum > Security.entity_expansion_text_limit
-+ raise "entity expansion has grown too large"
-+ end
- else
- er = DEFAULT_ENTITIES[entity_reference]
- rv.gsub!( er[0], er[2] ) if er
-@@ -499,6 +508,14 @@ module REXML
- end
- 
- private
-+
-+ def record_entity_expansion
-+ @entity_expansion_count += 1
-+ if @entity_expansion_count > Security.entity_expansion_limit
-+ raise "number of entity expansions exceeded, processing aborted."
-+ end
-+ end
-+
- def need_source_encoding_update?(xml_declaration_encoding)
- return false if xml_declaration_encoding.nil?
- return false if /\AUTF-16\z/i =~ xml_declaration_encoding
-diff --git a/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/pullparser.rb b/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/pullparser.rb
-index f8b232a..36b4595 100644
---- a/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/pullparser.rb
-+++ b/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/pullparser.rb
-@@ -47,6 +47,10 @@ module REXML
- @listeners << listener
- end
- 
-+ def entity_expansion_count
-+ @parser.entity_expansion_count
-+ end
-+
- def each
- while has_next?
- yield self.pull
-diff --git a/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/sax2parser.rb b/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/sax2parser.rb
-index 6a24ce2..01cb469 100644
---- a/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/sax2parser.rb
-+++ b/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/sax2parser.rb
-@@ -22,6 +22,10 @@ module REXML
- @parser.source
- end
- 
-+ def entity_expansion_count
-+ @parser.entity_expansion_count
-+ end
-+
- def add_listener( listener )
- @parser.add_listener( listener )
- end
---
-2.34.1
-
diff --git a/SPECS/ruby/ruby.signatures.json b/SPECS/ruby/ruby.signatures.json
index 9eb2f74004c..d996802d5e9 100644
--- a/SPECS/ruby/ruby.signatures.json
+++ b/SPECS/ruby/ruby.signatures.json
@@ -7,6 +7,6 @@
 "rubygems.con": "eb804c6b50eeafdb2172285265bc487a80acaa9846233cd5f1d20a25f1dac2ea",
 "rubygems.prov": "b79c1f5873dd20d251e100b276a5e584c1fb677f3e1b92534fc09130fabe8ee5",
 "rubygems.req": "e85681d8fa45d214055f3b26a8c1829b3a4bd67b26a5ef3c1f6426e7eff83ad0",
- "ruby-3.3.3.tar.gz": "83c05b2177ee9c335b631b29b8c077b4770166d02fa527f3a9f6a40d13f3cce2"
+ "ruby-3.3.5.tar.gz": "3781a3504222c2f26cb4b9eb9c1a12dbf4944d366ce24a9ff8cf99ecbce75196"
 }
 }
diff --git a/SPECS/ruby/ruby.spec b/SPECS/ruby/ruby.spec
index 9a384802039..4fecd34ea53 100644
--- a/SPECS/ruby/ruby.spec
+++ b/SPECS/ruby/ruby.spec
@@ -4,17 +4,17 @@
 %global gem_dir %{_datadir}/ruby/gems
 # Default package version defined separately, because the %%version macro gets overwritten by 'Version' tags of the subpackages.
-%global ruby_version 3.3.3
+%global ruby_version 3.3.5
 %define ruby_version_majmin %(echo %{ruby_version} | cut -d. -f1-2)
-%global rubygems_version 3.5.3
+%global rubygems_version 3.5.22
 # Add version for default gems from https://stdgems.org/
 # A helpful one-liner script to check the current default versions is available via RUBY_VER=%%{ruby_version_majmin} ./get_gem_versions.sh
 %global abbrev_version 0.1.2
 %global base64_version 0.2.0
 %global benchmark_version 0.3.0
 %global bigdecimal_version 3.1.5
-%global bundler_version 2.5.3
+%global bundler_version 2.5.22
 %global cgi_version 0.4.1
 %global csv_version 3.2.8
 %global date_version 3.3.4
@@ -32,15 +32,14 @@
 %global find_version 0.2.0
 %global forwardable_version 1.3.3
 %global getoptlong_version 0.2.1
-%global io_console_version 0.7.1
+%global io_console_version 0.7.2
 %global io_nonblock_version 0.3.0
 %global io_wait_version 0.3.1
 %global ipaddr_version 1.2.6
-%global irb_version 1.11.0
-%global json_version 2.7.1
+%global irb_version 1.13.1
 %global logger_version 1.6.0
 %global mutex_m_version 0.2.0
-%global net_http_version 0.4.0
+%global net_http_version 0.4.1
 %global net_protocol_version 0.2.2
 %global nkf_version 0.1.3
 %global observer_version 0.1.2
@@ -55,9 +54,9 @@
 %global prettyprint_version 0.2.0
 %global pstore_version 0.1.3
 %global psych_version 5.1.2
-%global rdoc_version 6.6.2
+%global rdoc_version 6.6.3.1
 %global readline_version 0.0.4
-%global reline_version 0.4.1
+%global reline_version 0.5.10
 %global resolv_version 0.3.0
 %global resolv_replace_version 0.1.1
 %global rinda_version 0.2.0
@@ -66,21 +65,21 @@
 %global set_version 1.1.0
 %global shellwords_version 0.2.0
 %global singleton_version 0.2.0
-%global stringio_version 3.1.0
-%global strscan_version 3.0.7
+%global stringio_version 3.1.1
+%global strscan_version 3.0.9
 %global syslog_version 0.1.2
-%global syntax_suggest_version 2.0.0
+%global syntax_suggest_version 2.0.1
 %global tempfile_version 0.2.1
 %global time_version 0.3.0
 %global timeout_version 0.4.1
 %global tmpdir_version 0.2.0
 %global tsort_version 0.2.0
 %global un_version 0.3.0
-%global uri_version 0.13.0
+%global uri_version 0.13.1
 %global weakref_version 0.1.3
 %global win32ole_version 1.8.10
 %global yaml_version 0.3.0
-%global zlib_version 3.1.0
+%global zlib_version 3.1.1
 
 Summary: Ruby
 Name: ruby
@@ -88,7 +87,7 @@ Name: ruby
 # provides should be versioned according to the ruby version.
 # More info: https://stdgems.org/
 Version: %{ruby_version}
-Release: 2%{?dist}
+Release: 1%{?dist}
 License: (Ruby OR BSD) AND Public Domain AND MIT AND CC0 AND zlib AND UCD
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
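Review bot: In the `@@ -32,15 +32,14 @@` hunk `-%global json_version 2.7.1` is dropped with no replacement, while every other default-gem macro in this list is only bumped; if `%{json_version}` is still referenced further down the spec (the subpackage `Provides:` and `%files` sections are outside these hunks), rpm leaves an undefined `%{name}` macro unexpanded, so a provide would carry the literal text `%{json_version}` instead of a version. Either keep the macro at the json version that 3.3.5 ships, or, if json is now deliberately handled elsewhere, add a one-line comment in its place such as `# json is no longer listed here: <reason>` so the `get_gem_versions.sh` regeneration mentioned two hunks earlier does not silently re-add it. A quick `grep -n json_version SPECS/ruby/ruby.spec` on the patched spec settles which case applies.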
@@ -102,7 +101,6 @@ Source4: rubygems.con
 Source5: rubygems.prov
 Source6: rubygems.req
 Source7: macros.rubygems
-Patch0: CVE-2024-41946.patch
 # Updates default ruby-uri to 0.12.2 and vendored one to 0.10.3. Remove once ruby gets updated to a version that comes with both lib/uri/version.rb and lib/bundler/vendor/uri/lib/uri/version.rb versions >= 0.12.2 or == 0.10.3
 BuildRequires: openssl-devel
 # Pkgconfig(yaml-0.1) is needed to build the 'psych' gem.
@@ -408,6 +406,10 @@ sudo -u test make test TESTS="-v"
 %{_rpmconfigdir}/rubygems.con
 
 %changelog
+* Fri Nov 08 2024 Saul Paredes - 3.3.5-1
+- Upgrade ruby to 3.3.5 to resolve CVE-2024-39908
+- Remove CVE-2024-41946.patch as it no longer applies as ruby 3.3.5 containers rubygem-rexml 3.3.6, where CVE-2024-41946 is already fixed
+
 * Wed Sep 18 2024 Harshit Gupta - 3.3.3-2
 - Revert ruby back to 3.3.3 to avoid build failure of rubygems-* packages
 - Add patch for CVE-2024-41946 for bundled gem rexml
diff --git a/cgmanifest.json b/cgmanifest.json
index a9d5a0d1157..73f5b145f48 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -25894,8 +25894,8 @@
 "type": "other",
 "other": {
 "name": "ruby",
- "version": "3.3.3",
- "downloadUrl": "https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.3.tar.gz"
+ "version": "3.3.5",
+ "downloadUrl": "https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.5.tar.gz"
 }
 }
 },

From d4fb30b977b26a26e84a6d86f6df84a4e0cce6c8 Mon Sep 17 00:00:00 2001
From: Saul Paredes
Date: Tue, 12 Nov 2024 12:49:21 -0800
Subject: [PATCH 2/3] ruby: patch CVE-2024-49761

Patch adapted from https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f which fixes CVE-2024-49761 per https://nvd.nist.gov/vuln/detail/CVE-2024-49761

Needed for rubygem-rexml versions < 3.3.9

Signed-off-by: Saul Paredes
---
 SPECS/ruby/CVE-2024-49761.patch | 46 +++++++++++++++++++++++++++++++++
 SPECS/ruby/ruby.spec | 2 ++
 2 files changed, 48 insertions(+)
 create mode 100644 SPECS/ruby/CVE-2024-49761.patch
diff --git a/SPECS/ruby/CVE-2024-49761.patch b/SPECS/ruby/CVE-2024-49761.patch
new file mode 100644
index 00000000000..c0c666e570a
--- /dev/null
+++ b/SPECS/ruby/CVE-2024-49761.patch
@@ -0,0 +1,46 @@
+From 51474a44f41e1e26cac2168922034f675851855d Mon Sep 17 00:00:00 2001
+From: Saul Paredes
+Date: Tue, 12 Nov 2024 12:30:10 -0800
+Subject: [PATCH] ruby: patch CVE-2024-49761 Patch adapted from
+ https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
+ which fixes CVE-2024-49761 per
+ https://nvd.nist.gov/vuln/detail/CVE-2024-49761
+
+Needed for rubygem-rexml versions < 3.3.9
+
+Signed-off-by: Saul Paredes
+---
+ .../gems/rexml-3.3.6/lib/rexml/parsers/baseparser.rb | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.3.6/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.3.6/lib/rexml/parsers/baseparser.rb
+index d11c276..e9ab0ee 100644
+--- a/.bundle/gems/rexml-3.3.6/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.3.6/lib/rexml/parsers/baseparser.rb
+@@ -150,7 +150,7 @@ module REXML
+ PEDECL_PATTERN = "\\s+(%)\\s+#{NAME}\\s+#{PEDEF}\\s*>"
+ ENTITYDECL_PATTERN = /(?:#{GEDECL_PATTERN})|(?:#{PEDECL_PATTERN})/um
+ CARRIAGE_RETURN_NEWLINE_PATTERN = /\r\n?/
+- CHARACTER_REFERENCES = /�*((?:\d+)|(?:x[a-fA-F0-9]+));/
++ CHARACTER_REFERENCES = /&#((?:\d+)|(?:x[a-fA-F0-9]+));/
+ DEFAULT_ENTITIES_PATTERNS = {}
+ default_entities = ['gt', 'lt', 'quot', 'apos', 'amp']
+ default_entities.each do |term|
+@@ -564,8 +564,12 @@ module REXML
+ return rv if matches.size == 0
+ rv.gsub!( Private::CHARACTER_REFERENCES ) {
+ m=$1
+- m = "0#{m}" if m[0] == ?x
+- [Integer(m)].pack('U*')
++ if m.start_with?("x")
++ code_point = Integer(m[1..-1], 16)
++ else
++ code_point = Integer(m, 10)
++ end
++ [code_point].pack('U*')
+ }
+ matches.collect!{|x|x[0]}.compact!
+ if filter
+--
+2.25.1
+
diff --git a/SPECS/ruby/ruby.spec b/SPECS/ruby/ruby.spec
index 4fecd34ea53..0bdaa4a5577 100644
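Review bot: The new `if m.start_with?("x") ... Integer(m[1..-1], 16) ... Integer(m, 10)` block gives no hint why the radix is now passed explicitly, and the reason is easy to lose: the removed regexp swallowed leading zeros with `&#0*`, the new one does not, and a bare `Integer("0065")` reads the string as octal (53, not 65) while `Integer("0089")` raises ArgumentError, so a future "simplification" back to the removed `[Integer(m)].pack('U*')` would break or mis-decode zero-padded references. Add a comment above the `if`, e.g. `# Leading zeros are no longer stripped by the regexp; pass the base explicitly so "0065" is not read as octal.`. The removed line renders here as `/�*(...)/`, which is how a literal `&#0` comes through an HTML pipeline; the patch file on disk must carry the literal `/&#0*(...)/` for the `-` context to match rexml 3.3.6, so if the build has not already applied it, `git apply --check` against the extracted tarball is worth a run. The `%check` section seen earlier runs `make test`, which does not exercise bundled gems, so whatever regression test the upstream commit carried (if any) was dropped in this adaptation and the new branch is unexercised at build time.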
--- a/SPECS/ruby/ruby.spec
+++ b/SPECS/ruby/ruby.spec
@@ -101,6 +101,7 @@ Source4: rubygems.con
 Source5: rubygems.prov
 Source6: rubygems.req
 Source7: macros.rubygems
+Patch0: CVE-2024-49761.patch
 # Updates default ruby-uri to 0.12.2 and vendored one to 0.10.3. Remove once ruby gets updated to a version that comes with both lib/uri/version.rb and lib/bundler/vendor/uri/lib/uri/version.rb versions >= 0.12.2 or == 0.10.3
 BuildRequires: openssl-devel
 # Pkgconfig(yaml-0.1) is needed to build the 'psych' gem.
@@ -409,6 +410,7 @@ sudo -u test make test TESTS="-v"
 * Fri Nov 08 2024 Saul Paredes - 3.3.5-1
 - Upgrade ruby to 3.3.5 to resolve CVE-2024-39908
 - Remove CVE-2024-41946.patch as it no longer applies as ruby 3.3.5 containers rubygem-rexml 3.3.6, where CVE-2024-41946 is already fixed
+- Patch CVE-2024-49761
 
 * Wed Sep 18 2024 Harshit Gupta - 3.3.3-2
 - Revert ruby back to 3.3.3 to avoid build failure of rubygems-* packages

From ff19fcd95741690f7b2cb941ac52ca788f6686d7 Mon Sep 17 00:00:00 2001
From: Saul Paredes
Date: Tue, 12 Nov 2024 12:50:06 -0800
Subject: [PATCH 3/3] rubygem-rexml: patch CVE-2024-49761

Patch adapted from https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f which fixes CVE-2024-49761 per https://nvd.nist.gov/vuln/detail/CVE-2024-49761

Needed for rubygem-rexml versions < 3.3.9

Signed-off-by: Saul Paredes
---
 SPECS/rubygem-rexml/CVE-2024-49761.patch | 46 ++++++++++++++++++++++++
 SPECS/rubygem-rexml/rubygem-rexml.spec | 6 +++-
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/rubygem-rexml/CVE-2024-49761.patch

diff --git a/SPECS/rubygem-rexml/CVE-2024-49761.patch b/SPECS/rubygem-rexml/CVE-2024-49761.patch
new file mode 100644
index 00000000000..b62688134a5
--- /dev/null
+++ b/SPECS/rubygem-rexml/CVE-2024-49761.patch
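Review bot: `+Patch0: CVE-2024-49761.patch` carries no removal condition, even though the patch's own header says it is only needed for rexml < 3.3.9 and the `# Updates default ruby-uri ... Remove once ruby gets updated ...` comment directly below shows the spec's convention for exactly that. Add above the tag: `# Backport of rexml ce59f2eb (CVE-2024-49761) for the bundled rexml 3.3.6. Remove once ruby ships rexml >= 3.3.9.`. The CVE-2024-41946.patch dropped earlier in this same series had no such note and was only removed because someone noticed it no longer applied; an inline condition makes that check mechanical at the next version bump.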
@@ -0,0 +1,46 @@
+From 67d11906da922cf0a9a5917f2f66c3cfb1472e4d Mon Sep 17 00:00:00 2001
+From: Saul Paredes
+Date: Tue, 5 Nov 2024 09:55:45 -0800
+Subject: [PATCH] rubygem-rexml: patch CVE-2024-49761
+
+Patch adapted from https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
+which fixes CVE-2024-49761 per https://nvd.nist.gov/vuln/detail/CVE-2024-49761
+
+Needed for rubygem-rexml versions < 3.3.9
+
+Signed-off-by: Saul Paredes
+---
+ lib/rexml/parsers/baseparser.rb | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
+index 28810bf..7a7d370 100644
+--- a/lib/rexml/parsers/baseparser.rb
++++ b/lib/rexml/parsers/baseparser.rb
+@@ -133,7 +133,7 @@ module REXML
+ PEDECL_PATTERN = "\\s+(%)\\s+#{NAME}\\s+#{PEDEF}\\s*>"
+ ENTITYDECL_PATTERN = /(?:#{GEDECL_PATTERN})|(?:#{PEDECL_PATTERN})/um
+ CARRIAGE_RETURN_NEWLINE_PATTERN = /\r\n?/
+- CHARACTER_REFERENCES = /�*((?:\d+)|(?:x[a-fA-F0-9]+));/
++ CHARACTER_REFERENCES = /&#((?:\d+)|(?:x[a-fA-F0-9]+));/
+ DEFAULT_ENTITIES_PATTERNS = {}
+ default_entities = ['gt', 'lt', 'quot', 'apos', 'amp']
+ default_entities.each do |term|
+@@ -543,8 +543,12 @@ module REXML
+ return rv if matches.size == 0
+ rv.gsub!( Private::CHARACTER_REFERENCES ) {
+ m=$1
+- m = "0#{m}" if m[0] == ?x
+- [Integer(m)].pack('U*')
++ if m.start_with?("x")
++ code_point = Integer(m[1..-1], 16)
++ else
++ code_point = Integer(m, 10)
++ end
++ [code_point].pack('U*')
+ }
+ matches.collect!{|x|x[0]}.compact!
+ if matches.size > 0
+--
+2.25.1
+
diff --git a/SPECS/rubygem-rexml/rubygem-rexml.spec b/SPECS/rubygem-rexml/rubygem-rexml.spec
index 135c0b1b3eb..31b34d836eb 100644
--- a/SPECS/rubygem-rexml/rubygem-rexml.spec
+++ b/SPECS/rubygem-rexml/rubygem-rexml.spec
@@ -3,13 +3,14 @@
 Summary: REXML is an XML toolkit for Ruby
 Name: rubygem-%{gem_name}
 Version: 3.3.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: BSD
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
 Group: Development/Languages
 URL: https://github.com/ruby/rexml
 Source0: https://github.com/ruby/rexml/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz
+Patch0: CVE-2024-49761.patch
 BuildRequires: git
 BuildRequires: ruby
 Requires: ruby(release)
@@ -34,6 +35,9 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}-
 %{gemdir}
 
 %changelog
+* Tue Nov 12 2024 Saul Paredes - 3.3.4-2
+- Add patch for CVE-2024-49761
+
 * Fri Aug 9 2024 Bhagyashri Pathak - 3.3.4-1
 - Upgrade to 3.3.4 to resolve CVE-2024-39908
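Review bot: `+Patch0: CVE-2024-49761.patch` is the first Patch tag this spec has had, and nothing in the hunk shows that %prep applies it: %prep lies outside the hunk, and a plain `%setup -q` would build and package an unpatched 3.3.4 while the changelog claims the CVE is fixed. Confirm %prep uses `%autosetup -p1` (or an explicit `%patch -P0 -p1`), and consider a cheap guard in %check such as `grep -q 'Integer(m\[1..-1\], 16)' %{buildroot}/%{gemdir}/gems/%{gem_name}-%{version}/lib/rexml/parsers/baseparser.rb` so a silently unapplied patch fails the build. The patch header itself says it is only needed for rexml < 3.3.9; since the spec still pins 3.3.4, upgrading the gem to 3.3.9 instead of carrying the backport would also bring in whatever else upstream fixed between 3.3.4 and 3.3.9, which this single-hunk backport leaves behind, and would let the Patch tag be dropped.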