fix CVE-2024-41946

(cherry picked from commit 5382b8bbf4665b8895534a220b6d3e9ac1810f13)
2024-08-08 16:19:47 +08:00 · 2024-08-08 16:19:47 +08:00 · b47d92a0ee
commit b47d92a0ee
parent fae123144f
2 changed files with 117 additions and 1 deletions
--- a/backport-CVE-2024-41946.patch
+++ b/backport-CVE-2024-41946.patch
@ -0,0 +1,112 @@
+From 033d1909a8f259d5a7c53681bcaf14f13bcf0368 Mon Sep 17 00:00:00 2001
+From: NAITOH Jun <naitoh@gmail.com>
+Date: Thu, 1 Aug 2024 09:20:31 +0900
+Subject: [PATCH] Add support for XML entity expansion limitation in SAX and
+ pull parsers (#187)
+https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368
+
+- Supported `REXML::Security.entity_expansion_limit=` in SAX and pull parsers
+- Supported `REXML::Security.entity_expansion_text_limit=` in SAX and pull parsers
+---
+ .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 19 ++++++-
+ .bundle/gems/rexml-3.2.5/lib/rexml/parsers/pullparser.rb |  4 ++
+ .bundle/gems/rexml-3.2.5/lib/rexml/parsers/sax2parser.rb |  4 ++
+ 3 files changed, 26 insertions(+), 1 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index 54014e5..c4ddee3 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -154,6 +154,7 @@ module REXML
+         self.stream = source
+         @listeners = []
+         @prefixes = Set.new
+        @entity_expansion_count = 0
+       end
+ 
+       def add_listener( listener )
+@@ -161,6 +162,7 @@ module REXML
+       end
+ 
+       attr_reader :source
+      attr_reader :entity_expansion_count
+ 
+       def stream=( source )
+         @source = SourceFactory.create_from( source )
+@@ -513,7 +515,9 @@ module REXML
+       def entity( reference, entities )
+         value = nil
+         value = entities[ reference ] if entities
+-        if not value
+        if value
+          record_entity_expansion
+        else
+           value = DEFAULT_ENTITIES[ reference ]
+           value = value[2] if value
+         end
+@@ -552,12 +556,17 @@ module REXML
+         }
+         matches.collect!{|x|x[0]}.compact!
+         if matches.size > 0
+          sum = 0
+           matches.each do |entity_reference|
+             unless filter and filter.include?(entity_reference)
+               entity_value = entity( entity_reference, entities )
+               if entity_value
+                 re = Private::DEFAULT_ENTITIES_PATTERNS[entity_reference] || /&#{entity_reference};/
+                 rv.gsub!( re, entity_value )
+                sum += rv.bytesize
+                if sum > Security.entity_expansion_text_limit
+                  raise "entity expansion has grown too large"
+                end
+               else
+                 er = DEFAULT_ENTITIES[entity_reference]
+                 rv.gsub!( er[0], er[2] ) if er
+@@ -570,6 +579,14 @@ module REXML
+       end
+ 
+       private
+
+      def record_entity_expansion
+        @entity_expansion_count += 1
+        if @entity_expansion_count > Security.entity_expansion_limit
+          raise "number of entity expansions exceeded, processing aborted."
+        end
+      end
+
+       def need_source_encoding_update?(xml_declaration_encoding)
+         return false if xml_declaration_encoding.nil?
+         return false if /\AUTF-16\z/i =~ xml_declaration_encoding
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/pullparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/pullparser.rb
+index f8b232a..36b4595 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/pullparser.rb
+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/pullparser.rb
+@@ -47,6 +47,10 @@ module REXML
+         @listeners << listener
+       end
+ 
+      def entity_expansion_count
+        @parser.entity_expansion_count
+      end
+
+       def each
+         while has_next?
+           yield self.pull
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/sax2parser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/sax2parser.rb
+index 36f98c2..cec9d2f 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/sax2parser.rb
+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/sax2parser.rb
+@@ -22,6 +22,10 @@ module REXML
+         @parser.source
+       end
+ 
+      def entity_expansion_count
+        @parser.entity_expansion_count
+      end
+
+       def add_listener( listener )
+         @parser.add_listener( listener )
+       end
+-- 
+2.20.1
+
--- a/ruby.spec
+++ b/ruby.spec
@ -33,7 +33,7 @@

 Name:      ruby
 Version:   %{ruby_version}
-Release:   142
+Release:   143
 Summary:   Object-oriented scripting language interpreter
 License:   (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
 URL:       https://www.ruby-lang.org/en/
@ -98,6 +98,7 @@ Patch6021: backport-0003-CVE-2024-35221.patch
 Patch6022: backport-0004-CVE-2024-35221.patch
 Patch6023: backport-0005-CVE-2024-35221.patch
 Patch6024: upgrade-lib-rexml-to-3.3.1.patch
+Patch6025: backport-CVE-2024-41946.patch

 Provides:  %{name}-libs = %{version}-%{release}
 Obsoletes: %{name}-libs < %{version}-%{release}
@ -883,6 +884,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
 %{gem_dir}/specifications/matrix-%{matrix_version}.gemspec

 %changelog
+* Thu Aug 08 2024 zhangxianting <zhangxianting@uniontech.com> - 3.2.2-143
+- fix CVE-2024-41946
+
 * Sat Jul 06 2024 shixuantong <shixuantong1@huawei.com> - 3.2.2-142
 - upgrade rexml to fix CVE-2024-35176