author: Divya Chellam <divya.chellam@windriver.com> 2025-11-20 15:07:21 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-12-01 06:50:49 -0800
commit: 7c4bd642e4ce30e2a7504fcd4fe12fca2f6b91e1
tree: 0b9dc76d00656cfee053160028a8ee5f30ab395f /meta/recipes-devtools/ruby
parent: f58483837ce2ebfaf71ba4f8b75db5f6acc405a3
ruby: fix CVE-2024-39908
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you may be impacted by these vulnerabilities. The REXML gem 3.3.2 or later includes the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.

Reference:
https://security-tracker.debian.org/tracker/CVE-2024-39908

Upstream-patches:
https://github.com/ruby/rexml/commit/f1df7d13b3e57a5e059273d2f0870163c08d7420
https://github.com/ruby/rexml/commit/d146162e9a61574499d10428bc0065754cd26601
https://github.com/ruby/rexml/commit/b5bf109a599ea733663150e99c09eb44046b41dd
https://github.com/ruby/rexml/commit/b8a5f4cd5c8fe29c65d7a00e67170223d9d2b50e
https://github.com/ruby/rexml/commit/0af55fa49d4c9369f90f239a9571edab800ed36e
https://github.com/ruby/rexml/commit/c1b64c174ec2e8ca2174c51332670e3be30c865f
https://github.com/ruby/rexml/commit/9f1415a2616c77cad44a176eee90e8457b4774b6
https://github.com/ruby/rexml/commit/c33ea498102be65082940e8b7d6d31cb2c6e6ee2
https://github.com/ruby/rexml/commit/a79ac8b4b42a9efabe33a0be31bd82d33fd50347
https://github.com/ruby/rexml/commit/67efb5951ed09dbb575c375b130a1e469f437d1f
https://github.com/ruby/rexml/commit/1f1e6e9b40bf339894e843dfd679c2fb1a5ddbf2
https://github.com/ruby/rexml/commit/910e5a2b487cb5a30989884a39f9cad2cc499cfc

(From OE-Core rev: 6e0b70843422cd7cdb25a9e1520dd64bf701fea6)

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-devtools/ruby')
-rw-r--r-- meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0001.patch | 46
-rw-r--r-- meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0002.patch | 130
-rw-r--r-- meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0003.patch | 46
-rw-r--r-- meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0004.patch | 76
-rw-r--r-- meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0005.patch | 87
-rw-r--r-- meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0006.patch | 44
-rw-r--r-- meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0007.patch | 44
-rw-r--r-- meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0008.patch | 44
-rw-r--r-- meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0009.patch | 36
-rw-r--r-- meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0010.patch | 53
-rw-r--r-- meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0011.patch | 35
-rw-r--r-- meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0012.patch | 36
-rw-r--r-- meta/recipes-devtools/ruby/ruby_3.1.3.bb | 12
13 files changed, 689 insertions, 0 deletions
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0001.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0001.patch
new file mode 100644
index 0000000000..44d3e1dffe
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0001.patch
@@ -0,0 +1,46 @@
1From f1df7d13b3e57a5e059273d2f0870163c08d7420 Mon Sep 17 00:00:00 2001
2From: Sutou Kouhei <kou@clear-code.com>
3Date: Mon, 20 May 2024 12:17:27 +0900
4Subject: [PATCH] Add support for old strscan
5
6Fix GH-132
7
8If we support old strscan, users can also use strscan installed as a
9default gem.
10
11Reported by Adam. Thanks!!!
12
13CVE: CVE-2024-39908
14
15Upstream-Status: Backport [https://github.com/ruby/rexml/commit/f1df7d13b3e57a5e059273d2f0870163c08d7420]
16
17Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
18---
19 .../gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 11 +++++++++++
20 1 file changed, 11 insertions(+)
21
22diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
23index eab942d..8ea8b43 100644
24--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
25+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
26@@ -7,6 +7,17 @@ require "strscan"
27
28 module REXML
29 module Parsers
30+ if StringScanner::Version < "3.0.8"
31+ module StringScannerCaptures
32+ refine StringScanner do
33+ def captures
34+ values_at(*(1...size))
35+ end
36+ end
37+ end
38+ using StringScannerCaptures
39+ end
40+
41 # = Using the Pull Parser
42 # <em>This API is experimental, and subject to change.</em>
43 # parser = PullParser.new( "<a>text<b att='val'/>txet</a>" )
44--
452.40.0
46
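Review bot: The guard at patch line 30, `if StringScanner::Version < "3.0.8"`, compares version strings lexicographically, so a strscan reporting a two-digit component such as "3.0.10" would sort below "3.0.8" and receive the `captures` refinement it does not need. Comparing with `Gem::Version.new(StringScanner::Version) < Gem::Version.new("3.0.8")` avoids that. It would also help to state in the patch header that this is a prerequisite for the rest of the series (0010 calls `.captures` on the scanner returned by `@source.match`) rather than a fix in its own right.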
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0002.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0002.patch
new file mode 100644
index 0000000000..25a9e70891
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0002.patch
@@ -0,0 +1,130 @@
1From d146162e9a61574499d10428bc0065754cd26601 Mon Sep 17 00:00:00 2001
2From: NAITOH Jun <naitoh@gmail.com>
3Date: Mon, 4 Mar 2024 05:24:53 +0900
4Subject: [PATCH] Remove `Source#string=` method (#117)
5
6We want to just change scan pointer.
7
8https://github.com/ruby/rexml/pull/114#discussion_r1501773803
9> I want to just change scan pointer (`StringScanner#pos=`) instead of
10changing `@scanner.string`.
11
12CVE: CVE-2024-39908
13
14Upstream-Status: Backport [https://github.com/ruby/rexml/commit/d146162e9a61574499d10428bc0065754cd26601]
15
16Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
17---
18 .../lib/rexml/parsers/baseparser.rb | 19 +++++++++++--------
19 .bundle/gems/rexml-3.2.5/lib/rexml/source.rb | 8 ++++++--
20 2 files changed, 17 insertions(+), 10 deletions(-)
21
22diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
23index 8ea8b43..81415a8 100644
24--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
25+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
26@@ -231,8 +231,9 @@ module REXML
27 #STDERR.puts @source.encoding
28 #STDERR.puts "BUFFER = #{@source.buffer.inspect}"
29 if @document_status == nil
30+ start_position = @source.position
31 if @source.match("<?", true)
32- return process_instruction
33+ return process_instruction(start_position)
34 elsif @source.match("<!", true)
35 if @source.match("--", true)
36 return [ :comment, @source.match(/(.*?)-->/um, true)[1] ]
37@@ -244,7 +245,7 @@ module REXML
38 else
39 message = "#{base_error_message}: invalid name"
40 end
41- @source.string = "<!DOCTYPE" + @source.buffer
42+ @source.position = start_position
43 raise REXML::ParseException.new(message, @source)
44 end
45 name = parse_name(base_error_message)
46@@ -285,6 +286,7 @@ module REXML
47 end
48 if @document_status == :in_doctype
49 @source.match(/\s*/um, true) # skip spaces
50+ start_position = @source.position
51 if @source.match("<!", true)
52 if @source.match("ELEMENT", true)
53 md = @source.match(/(.*?)>/um, true)
54@@ -344,7 +346,7 @@ module REXML
55 else
56 message = "#{base_error_message}: invalid name"
57 end
58- @source.string = " <!NOTATION" + @source.buffer
59+ @source.position = start_position
60 raise REXML::ParseException.new(message, @source)
61 end
62 name = parse_name(base_error_message)
63@@ -374,6 +376,7 @@ module REXML
64 @source.match(/\s*/um, true)
65 end
66 begin
67+ start_position = @source.position
68 if @source.match("<", true)
69 if @source.match("/", true)
70 @namespaces_restore_stack.pop
71@@ -386,7 +389,7 @@ module REXML
72 if md.nil? or last_tag != md[1]
73 message = "Missing end tag for '#{last_tag}'"
74 message += " (got '#{md[1]}')" if md
75- @source.string = "</" + @source.buffer if md.nil?
76+ @source.position = start_position if md.nil?
77 raise REXML::ParseException.new(message, @source)
78 end
79 return [ :end_element, last_tag ]
80@@ -410,12 +413,12 @@ module REXML
81 raise REXML::ParseException.new( "Declarations can only occur "+
82 "in the doctype declaration.", @source)
83 elsif @source.match("?", true)
84- return process_instruction
85+ return process_instruction(start_position)
86 else
87 # Get the next tag
88 md = @source.match(TAG_PATTERN, true)
89 unless md
90- @source.string = "<" + @source.buffer
91+ @source.position = start_position
92 raise REXML::ParseException.new("malformed XML: missing tag start", @source)
93 end
94 tag = md[1]
95@@ -641,11 +644,11 @@ module REXML
96 end
97 end
98
99- def process_instruction
100+ def process_instruction(start_position)
101 match_data = @source.match(INSTRUCTION_END, true)
102 unless match_data
103 message = "Invalid processing instruction node"
104- @source.string = "<?" + @source.buffer
105+ @source.position = start_position
106 raise REXML::ParseException.new(message, @source)
107 end
108 if @document_status.nil? and match_data[1] == "xml"
109diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
110index 7132147..b20cc4f 100644
111--- a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
112+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
113@@ -80,8 +80,12 @@ module REXML
114 end
115 end
116
117- def string=(string)
118- @scanner.string = string
119+ def position
120+ @scanner.pos
121+ end
122+
123+ def position=(pos)
124+ @scanner.pos = pos
125 end
126
127 # @return true if the Source is exhausted
128--
1292.40.0
130
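Review bot: Removing the public `Source#string=` setter in source.rb (patch lines 117-118) is an API removal on a stable-branch backport: any caller outside baseparser.rb that still assigns `source.string = ...` will now raise NoMethodError. Please confirm nothing else in the bundled rexml-3.2.5 tree uses it, or keep `string=` as a thin compatibility method next to the new `position` and `position=` accessors. In the element branch, `start_position` is only assigned inside the `begin` at patch line 67, so both `process_instruction(start_position)` at line 85 and the rewind at line 91 depend on that assignment staying ahead of every consuming `match`.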
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0003.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0003.patch
new file mode 100644
index 0000000000..4208555c3c
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0003.patch
@@ -0,0 +1,46 @@
1From b5bf109a599ea733663150e99c09eb44046b41dd Mon Sep 17 00:00:00 2001
2From: Hiroya Fujinami <make.just.on@gmail.com>
3Date: Thu, 13 Jun 2024 15:12:32 +0900
4Subject: [PATCH] Add a "malformed comment" check for top-level comments (#145)
5
6This check was missing. Therefore, `REXML::Document.new("<!--")` raised
7the ``undefined method `[]' for nil`` error, for example.
8
9This PR also adds tests for "malformed comment" checks.
10
11---------
12
13Co-authored-by: Sutou Kouhei <kou@cozmixng.org>
14
15CVE: CVE-2024-39908
16
17Upstream-Status: Backport [https://github.com/ruby/rexml/commit/b5bf109a599ea733663150e99c09eb44046b41dd]
18
19Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
20---
21 .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 9 ++++++++-
22 1 file changed, 8 insertions(+), 1 deletion(-)
23
24diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
25index 81415a8..49c313c 100644
26--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
27+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
28@@ -236,7 +236,14 @@ module REXML
29 return process_instruction(start_position)
30 elsif @source.match("<!", true)
31 if @source.match("--", true)
32- return [ :comment, @source.match(/(.*?)-->/um, true)[1] ]
33+ md = @source.match(/(.*?)-->/um, true)
34+ if md.nil?
35+ raise REXML::ParseException.new("Unclosed comment", @source)
36+ end
37+ if /--|-\z/.match?(md[1])
38+ raise REXML::ParseException.new("Malformed comment", @source)
39+ end
40+ return [ :comment, md[1] ]
41 elsif @source.match("DOCTYPE", true)
42 base_error_message = "Malformed DOCTYPE"
43 unless @source.match(/\s+/um, true)
44--
452.40.0
46
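Review bot: The new "Unclosed comment" and "Malformed comment" raises at patch lines 35 and 38 leave the scan pointer after the consumed `<!--`, whereas the error paths touched by 0002 rewind first with `@source.position = start_position`, so the `@source` handed to ParseException here is in a different state from its neighbours. Consider rewinding in these two cases as well. The message says the upstream PR also adds tests for the malformed-comment checks, but this backport's diffstat lists only baseparser.rb; carrying the tests would keep the nil-dereference regression covered.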
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0004.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0004.patch
new file mode 100644
index 0000000000..11a4c1ca54
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0004.patch
@@ -0,0 +1,76 @@
1From b8a5f4cd5c8fe29c65d7a00e67170223d9d2b50e Mon Sep 17 00:00:00 2001
2From: Watson <watson1978@gmail.com>
3Date: Tue, 16 Jul 2024 10:48:53 +0900
4Subject: [PATCH] Fix performance issue caused by using repeated `>` characters
5 inside `<?xml` (#170)
6
7A `<` is treated as a string delimiter.
8In certain cases, if `<` is used in succession, read and match are
9repeated, which slows down the process. Therefore, the following is used
10to read ahead to a specific part of the string in advance.
11
12CVE: CVE-2024-39908
13
14Upstream-Status: Backport [https://github.com/ruby/rexml/commit/b8a5f4cd5c8fe29c65d7a00e67170223d9d2b50e]
15
16Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
17---
18 .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 3 ++-
19 .bundle/gems/rexml-3.2.5/lib/rexml/source.rb | 6 +++---
20 2 files changed, 5 insertions(+), 4 deletions(-)
21
22diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
23index 49c313c..767e134 100644
24--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
25+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
26@@ -125,6 +125,7 @@ module REXML
27
28 module Private
29 INSTRUCTION_END = /#{NAME}(\s+.*?)?\?>/um
30+ INSTRUCTION_TERM = "?>"
31 TAG_PATTERN = /((?>#{QNAME_STR}))\s*/um
32 CLOSE_PATTERN = /(#{QNAME_STR})\s*>/um
33 ATTLISTDECL_END = /\s+#{NAME}(?:#{ATTDEF})*\s*>/um
34@@ -652,7 +653,7 @@ module REXML
35 end
36
37 def process_instruction(start_position)
38- match_data = @source.match(INSTRUCTION_END, true)
39+ match_data = @source.match(Private::INSTRUCTION_END, true, term: Private::INSTRUCTION_TERM)
40 unless match_data
41 message = "Invalid processing instruction node"
42 @source.position = start_position
43diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
44index b20cc4f..08a035c 100644
45--- a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
46+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
47@@ -72,7 +72,7 @@ module REXML
48 @scanner.scan_until(Regexp.union(term)) or @scanner.rest
49 end
50
51- def match(pattern, cons=false)
52+ def match(pattern, cons=false, term: nil)
53 if cons
54 @scanner.scan(pattern).nil? ? nil : @scanner
55 else
56@@ -184,7 +184,7 @@ module REXML
57 end
58 end
59
60- def match( pattern, cons=false )
61+ def match( pattern, cons=false, term: nil )
62 read if @scanner.eos? && @source
63 while true
64 if cons
65@@ -195,7 +195,7 @@ module REXML
66 break if md
67 return nil if pattern.is_a?(String) && pattern.bytesize <= @scanner.rest_size
68 return nil if @source.nil?
69- return nil unless read
70+ return nil unless read(term)
71 end
72
73 md.nil? ? nil : @scanner
74--
752.40.0
76
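Review bot: `return nil unless read(term)` at patch line 70 passes a positional argument to `read`, yet the same method still calls bare `read` at line 62 and no hunk in this patch touches the definition of `read`. Please confirm that, in the tree this series applies to, `read` already takes an optional terminator; otherwise every buffered parse that needs more input fails with ArgumentError. The `term:` keyword added to the in-memory `Source#match` at line 52 is accepted and ignored, which deserves a one-line comment so it is not mistaken for a missed read-ahead.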
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0005.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0005.patch
new file mode 100644
index 0000000000..0726927865
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0005.patch
@@ -0,0 +1,87 @@
1From 0af55fa49d4c9369f90f239a9571edab800ed36e Mon Sep 17 00:00:00 2001
2From: Watson <watson1978@gmail.com>
3Date: Tue, 16 Jul 2024 10:57:39 +0900
4Subject: [PATCH] Fix ReDoS caused by very large character references using
5 repeated 0s (#169)
6
7This patch will fix the ReDoS that is caused by large string of 0s on a
8character reference (like `&#00000000...`).
9
10This is occurred in Ruby 3.1 or earlier.
11
12CVE: CVE-2024-39908
13
14Upstream-Status: Backport [https://github.com/ruby/rexml/commit/0af55fa49d4c9369f90f239a9571edab800ed36e]
15
16Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
17---
18 .bundle/gems/rexml-3.2.5/lib/rexml/text.rb | 48 +++++++++++++++-------
19 1 file changed, 34 insertions(+), 14 deletions(-)
20
21diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/text.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/text.rb
22index 050b09c..0957d70 100644
23--- a/.bundle/gems/rexml-3.2.5/lib/rexml/text.rb
24+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/text.rb
25@@ -151,25 +151,45 @@ module REXML
26 end
27 end
28
29- # context sensitive
30- string.scan(pattern) do
31- if $1[-1] != ?;
32- raise "Illegal character #{$1.inspect} in raw string #{string.inspect}"
33- elsif $1[0] == ?&
34- if $5 and $5[0] == ?#
35- case ($5[1] == ?x ? $5[2..-1].to_i(16) : $5[1..-1].to_i)
36- when *VALID_CHAR
37+ pos = 0
38+ while (index = string.index(/<|&/, pos))
39+ if string[index] == "<"
40+ raise "Illegal character \"#{string[index]}\" in raw string #{string.inspect}"
41+ end
42+
43+ unless (end_index = string.index(/[^\s];/, index + 1))
44+ raise "Illegal character \"#{string[index]}\" in raw string #{string.inspect}"
45+ end
46+
47+ value = string[(index + 1)..end_index]
48+ if /\s/.match?(value)
49+ raise "Illegal character \"#{string[index]}\" in raw string #{string.inspect}"
50+ end
51+
52+ if value[0] == "#"
53+ character_reference = value[1..-1]
54+
55+ unless (/\A(\d+|x[0-9a-fA-F]+)\z/.match?(character_reference))
56+ if character_reference[0] == "x" || character_reference[-1] == "x"
57+ raise "Illegal character \"#{string[index]}\" in raw string #{string.inspect}"
58 else
59- raise "Illegal character #{$1.inspect} in raw string #{string.inspect}"
60+ raise "Illegal character #{string.inspect} in raw string #{string.inspect}"
61 end
62- # FIXME: below can't work but this needs API change.
63- # elsif @parent and $3 and !SUBSTITUTES.include?($1)
64- # if !doctype or !doctype.entities.has_key?($3)
65- # raise "Undeclared entity '#{$1}' in raw string \"#{string}\""
66- # end
67 end
68+
69+ case (character_reference[0] == "x" ? character_reference[1..-1].to_i(16) : character_reference[0..-1].to_i)
70+ when *VALID_CHAR
71+ else
72+ raise "Illegal character #{string.inspect} in raw string #{string.inspect}"
73+ end
74+ elsif !(/\A#{Entity::NAME}\z/um.match?(value))
75+ raise "Illegal character \"#{string[index]}\" in raw string #{string.inspect}"
76 end
77+
78+ pos = end_index + 1
79 end
80+
81+ string
82 end
83
84 def node_type
85--
862.40.0
87
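Review bot: The raises at patch lines 60 and 72 interpolate `string.inspect` in both slots of "Illegal character ... in raw string ...", so the message no longer names the offending reference and repeats the whole input twice, which matters when the input is a large untrusted string. Putting the extracted `value` in the first slot would keep the message useful and bounded. Minor: `character_reference[0..-1].to_i` at line 69 is the same as `character_reference.to_i`.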
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0006.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0006.patch
new file mode 100644
index 0000000000..9d78112edd
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0006.patch
@@ -0,0 +1,44 @@
1From c1b64c174ec2e8ca2174c51332670e3be30c865f Mon Sep 17 00:00:00 2001
2From: Watson <watson1978@gmail.com>
3Date: Tue, 16 Jul 2024 10:57:50 +0900
4Subject: [PATCH] Fix performance issue caused by using repeated `>` characters
5 inside comments (#171)
6
7A `<` is treated as a string delimiter.
8In certain cases, if `<` is used in succession, read and match are
9repeated, which slows down the process. Therefore, the following is used
10to read ahead to a specific part of the string in advance.
11
12CVE: CVE-2024-39908
13
14Upstream-Status: Backport [https://github.com/ruby/rexml/commit/c1b64c174ec2e8ca2174c51332670e3be30c865f]
15
16Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
17---
18 .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 3 ++-
19 1 file changed, 2 insertions(+), 1 deletion(-)
20
21diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
22index 767e134..81753ad 100644
23--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
24+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
25@@ -126,6 +126,7 @@ module REXML
26 module Private
27 INSTRUCTION_END = /#{NAME}(\s+.*?)?\?>/um
28 INSTRUCTION_TERM = "?>"
29+ COMMENT_TERM = "-->"
30 TAG_PATTERN = /((?>#{QNAME_STR}))\s*/um
31 CLOSE_PATTERN = /(#{QNAME_STR})\s*>/um
32 ATTLISTDECL_END = /\s+#{NAME}(?:#{ATTDEF})*\s*>/um
33@@ -237,7 +238,7 @@ module REXML
34 return process_instruction(start_position)
35 elsif @source.match("<!", true)
36 if @source.match("--", true)
37- md = @source.match(/(.*?)-->/um, true)
38+ md = @source.match(/(.*?)-->/um, true, term: Private::COMMENT_TERM)
39 if md.nil?
40 raise REXML::ParseException.new("Unclosed comment", @source)
41 end
42--
432.40.0
44
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0007.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0007.patch
new file mode 100644
index 0000000000..bb2325bbbd
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0007.patch
@@ -0,0 +1,44 @@
1From 9f1415a2616c77cad44a176eee90e8457b4774b6 Mon Sep 17 00:00:00 2001
2From: Watson <watson1978@gmail.com>
3Date: Tue, 16 Jul 2024 11:04:40 +0900
4Subject: [PATCH] Fix performance issue caused by using repeated `>` characters
5 inside `CDATA [ PAYLOAD ]` (#172)
6
7A `<` is treated as a string delimiter.
8In certain cases, if `<` is used in succession, read and match are
9repeated, which slows down the process. Therefore, the following is used
10to read ahead to a specific part of the string in advance.
11
12CVE: CVE-2024-39908
13
14Upstream-Status: Backport [https://github.com/ruby/rexml/commit/9f1415a2616c77cad44a176eee90e8457b4774b6]
15
16Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
17---
18 .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 3 ++-
19 1 file changed, 2 insertions(+), 1 deletion(-)
20
21diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
22index 81753ad..c907f8c 100644
23--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
24+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
25@@ -127,6 +127,7 @@ module REXML
26 INSTRUCTION_END = /#{NAME}(\s+.*?)?\?>/um
27 INSTRUCTION_TERM = "?>"
28 COMMENT_TERM = "-->"
29+ CDATA_TERM = "]]>"
30 TAG_PATTERN = /((?>#{QNAME_STR}))\s*/um
31 CLOSE_PATTERN = /(#{QNAME_STR})\s*>/um
32 ATTLISTDECL_END = /\s+#{NAME}(?:#{ATTDEF})*\s*>/um
33@@ -416,7 +417,7 @@ module REXML
34
35 return [ :comment, md[1] ] if md
36 else
37- md = @source.match(/\[CDATA\[(.*?)\]\]>/um, true)
38+ md = @source.match(/\[CDATA\[(.*?)\]\]>/um, true, term: Private::CDATA_TERM)
39 return [ :cdata, md[1] ] if md
40 end
41 raise REXML::ParseException.new( "Declarations can only occur "+
42--
432.40.0
44
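Review bot: When the CDATA section is never closed, `md` is nil at patch line 39 and control falls through to the raise at line 41, whose text is "Declarations can only occur in the doctype declaration."; with the read-ahead to `]]>` now in place, that is the message a truncated document will produce. A dedicated ParseException for the unclosed CDATA case, raised before the fall-through, would make the failure diagnosable.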
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0008.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0008.patch
new file mode 100644
index 0000000000..e9413ba2c0
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0008.patch
@@ -0,0 +1,44 @@
1From c33ea498102be65082940e8b7d6d31cb2c6e6ee2 Mon Sep 17 00:00:00 2001
2From: Watson <watson1978@gmail.com>
3Date: Tue, 16 Jul 2024 11:11:17 +0900
4Subject: [PATCH] Fix performance issue caused by using repeated `>` characters
5 after ` <!DOCTYPE name` (#173)
6
7A `<` is treated as a string delimiter.
8In certain cases, if `<` is used in succession, read and match are
9repeated, which slows down the process. Therefore, the following is used
10to read ahead to a specific part of the string in advance.
11
12CVE: CVE-2024-39908
13
14Upstream-Status: Backport [https://github.com/ruby/rexml/commit/c33ea498102be65082940e8b7d6d31cb2c6e6ee2]
15
16Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
17---
18 .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 3 ++-
19 1 file changed, 2 insertions(+), 1 deletion(-)
20
21diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
22index c907f8c..5391e0a 100644
23--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
24+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
25@@ -128,6 +128,7 @@ module REXML
26 INSTRUCTION_TERM = "?>"
27 COMMENT_TERM = "-->"
28 CDATA_TERM = "]]>"
29+ DOCTYPE_TERM = "]>"
30 TAG_PATTERN = /((?>#{QNAME_STR}))\s*/um
31 CLOSE_PATTERN = /(#{QNAME_STR})\s*>/um
32 ATTLISTDECL_END = /\s+#{NAME}(?:#{ATTDEF})*\s*>/um
33@@ -375,7 +376,7 @@ module REXML
34 end
35 return [ :comment, md[1] ] if md
36 end
37- elsif match = @source.match(/(%.*?;)\s*/um, true)
38+ elsif match = @source.match(/(%.*?;)\s*/um, true, term: Private::DOCTYPE_TERM)
39 return [ :externalentity, match[1] ]
40 elsif @source.match(/\]\s*>/um, true)
41 @document_status = :after_doctype
42--
432.40.0
44
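Review bot: `DOCTYPE_TERM = "]>"` (patch line 29) is used as the read-ahead terminator at line 38, but the next branch at line 40 closes the internal subset with `/\]\s*>/um`, which also accepts whitespace between `]` and `>`. A DOCTYPE that ends in `] >` never contains the literal terminator, so how far `read` goes in that case depends on its behaviour when the terminator is absent, which this patch does not show. Please confirm that case is bounded, and note next to the constant that it is a read-ahead hint and not the grammar's terminator.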
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0009.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0009.patch
new file mode 100644
index 0000000000..1de0551879
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0009.patch
@@ -0,0 +1,36 @@
1From a79ac8b4b42a9efabe33a0be31bd82d33fd50347 Mon Sep 17 00:00:00 2001
2From: Watson <watson1978@gmail.com>
3Date: Tue, 16 Jul 2024 11:18:11 +0900
4Subject: [PATCH] Fix performance issue caused by using repeated `>` characters
5 inside `<!DOCTYPE root [<!-- PAYLOAD -->]>` (#174)
6
7A `<` is treated as a string delimiter.
8In certain cases, if `<` is used in succession, read and match are
9repeated, which slows down the process. Therefore, the following is used
10to read ahead to a specific part of the string in advance.
11
12CVE: CVE-2024-39908
13
14Upstream-Status: Backport [https://github.com/ruby/rexml/commit/a79ac8b4b42a9efabe33a0be31bd82d33fd50347]
15
16Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
17---
18 .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 2 +-
19 1 file changed, 1 insertion(+), 1 deletion(-)
20
21diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
22index 5391e0a..c22b632 100644
23--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
24+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
25@@ -369,7 +369,7 @@ module REXML
26 raise REXML::ParseException.new(message, @source)
27 end
28 return [:notationdecl, name, *id]
29- elsif md = @source.match(/--(.*?)-->/um, true)
30+ elsif md = @source.match(/--(.*?)-->/um, true, term: Private::COMMENT_TERM)
31 case md[1]
32 when /--/, /-\z/
33 raise REXML::ParseException.new("Malformed comment", @source)
34--
352.40.0
36
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0010.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0010.patch
new file mode 100644
index 0000000000..a46ba171de
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0010.patch
@@ -0,0 +1,53 @@
1From 67efb5951ed09dbb575c375b130a1e469f437d1f Mon Sep 17 00:00:00 2001
2From: Watson <watson1978@gmail.com>
3Date: Tue, 16 Jul 2024 11:26:57 +0900
4Subject: [PATCH] Fix performance issue caused by using repeated `>` characters
5 inside `<!DOCTYPE name [<!ENTITY>]>` (#175)
6
7A `<` is treated as a string delimiter.
8In certain cases, if `<` is used in succession, read and match are
9repeated, which slows down the process. Therefore, the following is used
10to read ahead to a specific part of the string in advance.
11
12CVE: CVE-2024-39908
13
14Upstream-Status: Backport [https://github.com/ruby/rexml/commit/67efb5951ed09dbb575c375b130a1e469f437d1f]
15
16Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
17---
18 .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 8 ++++++--
19 1 file changed, 6 insertions(+), 2 deletions(-)
20
21diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
22index c22b632..c4de254 100644
23--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
24+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
25@@ -124,11 +124,15 @@ module REXML
26 }
27
28 module Private
29- INSTRUCTION_END = /#{NAME}(\s+.*?)?\?>/um
30+ # Terminal requires two or more letters.
31 INSTRUCTION_TERM = "?>"
32 COMMENT_TERM = "-->"
33 CDATA_TERM = "]]>"
34 DOCTYPE_TERM = "]>"
35+ # Read to the end of DOCTYPE because there is no proper ENTITY termination
36+ ENTITY_TERM = DOCTYPE_TERM
37+
38+ INSTRUCTION_END = /#{NAME}(\s+.*?)?\?>/um
39 TAG_PATTERN = /((?>#{QNAME_STR}))\s*/um
40 CLOSE_PATTERN = /(#{QNAME_STR})\s*>/um
41 ATTLISTDECL_END = /\s+#{NAME}(?:#{ATTDEF})*\s*>/um
42@@ -304,7 +308,7 @@ module REXML
43 raise REXML::ParseException.new( "Bad ELEMENT declaration!", @source ) if md.nil?
44 return [ :elementdecl, "<!ELEMENT" + md[1] ]
45 elsif @source.match("ENTITY", true)
46- match = [:entitydecl, *@source.match(ENTITYDECL_PATTERN, true).captures.compact]
47+ match = [:entitydecl, *@source.match(Private::ENTITYDECL_PATTERN, true, term: Private::ENTITY_TERM).captures.compact]
48 ref = false
49 if match[1] == '%'
50 ref = true
51--
522.40.0
53
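Review bot: At patch line 47 the result of `@source.match(...)` is dereferenced with `.captures` without a nil check, and `match` returns nil when the pattern does not match (see the `nil : @scanner` return visible in 0004), so a malformed `<!ENTITY` declaration surfaces as NoMethodError instead of REXML::ParseException, the same class of bug 0003 fixed for comments. Guard the result and raise a ParseException. The same line also switches to `Private::ENTITYDECL_PATTERN`; none of the visible hunks define that constant inside `Private`, so please confirm it resolves in the patched tree.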
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0011.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0011.patch
new file mode 100644
index 0000000000..505007af9a
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0011.patch
@@ -0,0 +1,35 @@
1From 1f1e6e9b40bf339894e843dfd679c2fb1a5ddbf2 Mon Sep 17 00:00:00 2001
2From: Watson <watson1978@gmail.com>
3Date: Tue, 16 Jul 2024 11:35:41 +0900
4Subject: [PATCH] Fix ReDoS by using repeated space characters inside
5 `<!DOCTYPE name [<!ATTLIST>]>` (#176)
6
7Fix performance by removing unnecessary spaces.
8
9This is occurred in Ruby 3.1 or earlier.
10
11CVE: CVE-2024-39908
12
13Upstream-Status: Backport [https://github.com/ruby/rexml/commit/1f1e6e9b40bf339894e843dfd679c2fb1a5ddbf2]
14
15Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
16---
17 .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 2 +-
18 1 file changed, 1 insertion(+), 1 deletion(-)
19
20diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
21index c4de254..a9b1b44 100644
22--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
23+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
24@@ -340,7 +340,7 @@ module REXML
25 contents = md[0]
26
27 pairs = {}
28- values = md[0].scan( ATTDEF_RE )
29+ values = md[0].strip.scan( ATTDEF_RE )
30 values.each do |attdef|
31 unless attdef[3] == "#IMPLIED"
32 attdef.compact!
33--
342.40.0
35
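Review bot: `md[0].strip` at patch line 29 removes only leading and trailing whitespace, so runs of spaces between attribute definitions still reach `scan( ATTDEF_RE )` unchanged, and the message's "removing unnecessary spaces" reads broader than what the code does. It is worth stating in the patch header which input shape this addresses. Note also that `contents = md[0]` at line 25 still keeps the unstripped text.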
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0012.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0012.patch
new file mode 100644
index 0000000000..5a7cbe18dc
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0012.patch
@@ -0,0 +1,36 @@
1From 910e5a2b487cb5a30989884a39f9cad2cc499cfc Mon Sep 17 00:00:00 2001
2From: Watson <watson1978@gmail.com>
3Date: Tue, 16 Jul 2024 11:36:05 +0900
4Subject: [PATCH] Fix performance issue caused by using repeated `>` characters
5 inside `<xml><!-- --></xml>` (#177)
6
7A `<` is treated as a string delimiter.
8In certain cases, if `<` is used in succession, read and match are
9repeated, which slows down the process. Therefore, the following is used
10to read ahead to a specific part of the string in advance.
11
12CVE: CVE-2024-39908
13
14Upstream-Status: Backport [https://github.com/ruby/rexml/commit/910e5a2b487cb5a30989884a39f9cad2cc499cfc]
15
16Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
17---
18 .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 2 +-
19 1 file changed, 1 insertion(+), 1 deletion(-)
20
21diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
22index a9b1b44..4864ba1 100644
23--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
24+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
25@@ -413,7 +413,7 @@ module REXML
26 #STDERR.puts "SOURCE BUFFER = #{source.buffer}, #{source.buffer.size}"
27 raise REXML::ParseException.new("Malformed node", @source) unless md
28 if md[0][0] == ?-
29- md = @source.match(/--(.*?)-->/um, true)
30+ md = @source.match(/--(.*?)-->/um, true, term: Private::COMMENT_TERM)
31
32 case md[1]
33 when /--/, /-\z/
34--
352.40.0
36
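Review bot: After the match at patch line 30, `case md[1]` at line 32 dereferences `md` with no nil check, so an unclosed comment inside an element raises NoMethodError on nil; 0003 fixed exactly this for top-level comments, and the DOCTYPE site in 0009 is guarded by `elsif md = ...`. Add the same `md.nil?` check with an "Unclosed comment" ParseException here.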
diff --git a/meta/recipes-devtools/ruby/ruby_3.1.3.bb b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
index 6a381b2e40..f967cc6948 100644
--- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
@@ -54,6 +54,18 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
54 file://CVE-2025-27221-0001.patch \ 54 file://CVE-2025-27221-0001.patch \
55 file://CVE-2025-27221-0002.patch \ 55 file://CVE-2025-27221-0002.patch \
56 file://CVE-2024-35176.patch \ 56 file://CVE-2024-35176.patch \
57 file://CVE-2024-39908-0001.patch \
58 file://CVE-2024-39908-0002.patch \
59 file://CVE-2024-39908-0003.patch \
60 file://CVE-2024-39908-0004.patch \
61 file://CVE-2024-39908-0005.patch \
62 file://CVE-2024-39908-0006.patch \
63 file://CVE-2024-39908-0007.patch \
64 file://CVE-2024-39908-0008.patch \
65 file://CVE-2024-39908-0009.patch \
66 file://CVE-2024-39908-0010.patch \
67 file://CVE-2024-39908-0011.patch \
68 file://CVE-2024-39908-0012.patch \
57 " 69 "
58UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/" 70UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
59 71
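Review bot: The twelve new SRC_URI entries carry no comment that their order is significant, but each patch's `index` line starts from the blob the previous one produced (0001 ends at 8ea8b43, 0002 starts from 8ea8b43 and ends at 81415a8, and so on), so they only apply in this sequence. A short comment above the block, also marking 0001 and 0002 as prerequisite refactors, would save the next person who drops or reorders one.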