ruby: fix CVE-2024-35176

REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a
denial of service vulnerability when it parses an XML that has many
`<`s in an attribute value. Those who need to parse untrusted XMLs
may be impacted to this vulnerability. The REXML gem 3.2.7 or later
include the patch to fix this vulnerability. As a workaround, don't
parse untrusted XMLs.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-35176

Upstream-patch:
https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb

(From OE-Core rev: a89fcaf0c3ac2afd95e836bc1356832296135696)

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

1 files changed, 1 insertions, 0 deletions

diff --git a/meta/recipes-devtools/ruby/ruby_3.1.3.bb b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
index 19641e5a51..6a381b2e40 100644
--- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
@@ -53,6 +53,7 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
            file://CVE-2024-43398-0003.patch \
            file://CVE-2025-27221-0001.patch \
            file://CVE-2025-27221-0002.patch \
+           file://CVE-2024-35176.patch \
            "
 UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"