packages/ruby
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2024-49761

Browse Source
This commit is contained in:
shixuantong 2024-10-29 19:25:06 +08:00
parent 2c685aa253
commit 1c2d20f9fb
2 changed files with 43 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
backport-CVE-2024-49761.patch Normal file
View File

@ -0,0 +1,38 @@
From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001
From: Sutou Kouhei <kou@clear-code.com>
Date: Thu, 24 Oct 2024 14:45:31 +0900
Subject: [PATCH] parser: fix a bug that &#0x...; is accepted as a character
reference
diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
index 7bd8adf..b4547ba 100644
--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
@@ -150,7 +150,7 @@ module REXML
PEDECL_PATTERN = "\\s+(%)\\s+#{NAME}\\s+#{PEDEF}\\s*>"
ENTITYDECL_PATTERN = /(?:#{GEDECL_PATTERN})|(?:#{PEDECL_PATTERN})/um
CARRIAGE_RETURN_NEWLINE_PATTERN = /\r\n?/
- CHARACTER_REFERENCES = /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/
+ CHARACTER_REFERENCES = /&#((?:\d+)|(?:x[a-fA-F0-9]+));/
DEFAULT_ENTITIES_PATTERNS = {}
default_entities = ['gt', 'lt', 'quot', 'apos', 'amp']
default_entities.each do |term|
@@ -570,8 +570,12 @@ module REXML
return rv if matches.size == 0
rv.gsub!( Private::CHARACTER_REFERENCES ) {
m=$1
- m = "0#{m}" if m[0] == ?x
- [Integer(m)].pack('U*')
+ if m.start_with?("x")
+ code_point = Integer(m[1..-1], 16)
+ else
+ code_point = Integer(m, 10)
+ end
+ [code_point].pack('U*')
}
matches.collect!{|x|x[0]}.compact!
if filter
--
2.27.0

6
ruby.spec
View File

@ -33,7 +33,7 @@
Name: ruby Name: ruby
Version: %{ruby_version} Version: %{ruby_version}
Release: 146 Release: 147
Summary: Object-oriented scripting language interpreter Summary: Object-oriented scripting language interpreter
License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
URL: https://www.ruby-lang.org/en/ URL: https://www.ruby-lang.org/en/
@ -102,6 +102,7 @@ Patch6025: backport-CVE-2024-41946.patch
Patch6026: backport-CVE-2024-39908-CVE-2024-41123-upgrade-lib-rexml-to-3.3.3.patch Patch6026: backport-CVE-2024-39908-CVE-2024-41123-upgrade-lib-rexml-to-3.3.3.patch
Patch6027: backport-CVE-2024-43398-upgrade-lib-rexml-to-3.3.6.patch Patch6027: backport-CVE-2024-43398-upgrade-lib-rexml-to-3.3.6.patch
Patch6028: backport-CVE-2024-47220.patch Patch6028: backport-CVE-2024-47220.patch
Patch6029: backport-CVE-2024-49761.patch
Provides: %{name}-libs = %{version}-%{release} Provides: %{name}-libs = %{version}-%{release}
Obsoletes: %{name}-libs < %{version}-%{release} Obsoletes: %{name}-libs < %{version}-%{release}
@ -887,6 +888,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
%{gem_dir}/specifications/matrix-%{matrix_version}.gemspec %{gem_dir}/specifications/matrix-%{matrix_version}.gemspec
%changelog %changelog
* Tue Oct 29 2024 shixuantong <shixuantong1@huawei.com> - 3.2.2-147
- fix CVE-2024-49761
* Tue Oct 08 2024 shixuantong <shixuantong1@huawei.com> - 3.2.2-146 * Tue Oct 08 2024 shixuantong <shixuantong1@huawei.com> - 3.2.2-146
- fix CVE-2024-47220 - fix CVE-2024-47220