ruby: fix CVE-2024-35176

REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-35176 Upstream-patch: https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb (From OE-Core rev: a89fcaf0c3ac2afd95e836bc1356832296135696) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-06-01 13:09:50 +00:00 · 2025-11-20 15:07:20 +05:30
parent cdc78fd36f
commit f58483837c
2 changed files with 113 additions and 0 deletions
@@ -0,0 +1,112 @@
 From 4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb Mon Sep 17 00:00:00 2001
 From: Nobuyoshi Nakada <nobu@ruby-lang.org>
 Date: Thu, 16 May 2024 11:26:51 +0900
 Subject: [PATCH] Read quoted attributes in chunks (#126)
 CVE: CVE-2024-35176
 Upstream-Status: Backport [https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb]
 Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
 ---
 .../lib/rexml/parsers/baseparser.rb           | 20 ++++++-------
 .bundle/gems/rexml-3.2.5/lib/rexml/source.rb  | 29 +++++++++++++++----
 2 files changed, 34 insertions(+), 15 deletions(-)
 diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
 index b97beb3..eab942d 100644
 --- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
 +++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
@@ -675,17 +675,17 @@ module REXML
               message = "Missing attribute equal: <#{name}>"
               raise REXML::ParseException.new(message, @source)
             end
 -            unless match = @source.match(/(['"])(.*?)\1\s*/um, true)
 -              if match = @source.match(/(['"])/, true)
 -                message =
 -                  "Missing attribute value end quote: <#{name}>: <#{match[1]}>"
 -                raise REXML::ParseException.new(message, @source)
 -              else
 -                message = "Missing attribute value start quote: <#{name}>"
 -                raise REXML::ParseException.new(message, @source)
 -              end
 +            unless match = @source.match(/(['"])/, true)
 +              message = "Missing attribute value start quote: <#{name}>"
 +              raise REXML::ParseException.new(message, @source)
 +            end
 +            quote = match[1]
 +            value = @source.read_until(quote)
 +            unless value.chomp!(quote)
 +              message = "Missing attribute value end quote: <#{name}>: <#{quote}>"
 +              raise REXML::ParseException.new(message, @source)
             end
 -            value = match[2]
 +            @source.match(/\s*/um, true)
             if prefix == "xmlns"
               if local_part == "xml"
                 if value != "http://www.w3.org/XML/1998/namespace"
 diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
 index 4111d1d..7132147 100644
 --- a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
 +++ b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
@@ -65,7 +65,11 @@ module REXML
       encoding_updated
     end
 -    def read
 +    def read(term = nil)
 +    end
 +
 +    def read_until(term)
 +      @scanner.scan_until(Regexp.union(term)) or @scanner.rest
     end
     def match(pattern, cons=false)
@@ -151,9 +155,9 @@ module REXML
       end
     end
 -    def read
 +    def read(term = nil)
       begin
 -        @scanner << readline
 +        @scanner << readline(term)
         true
       rescue Exception, NameError
         @source = nil
@@ -161,6 +165,21 @@ module REXML
       end
     end
 +    def read_until(term)
 +      pattern = Regexp.union(term)
 +      data = []
 +      begin
 +        until str = @scanner.scan_until(pattern)
 +          @scanner << readline(term)
 +        end
 +      rescue EOFError
 +        @scanner.rest
 +      else
 +        read if @scanner.eos? and !@source.eof?
 +        str
 +      end
 +    end
 +
     def match( pattern, cons=false )
       read if @scanner.eos? && @source
       while true
@@ -205,8 +224,8 @@ module REXML
     end
     private
 -    def readline
 -      str = @source.readline(@line_break)
 +    def readline(term = nil)
 +      str = @source.readline(term || @line_break)
       if @pending_buffer
         if str.nil?
           str = @pending_buffer
 -- 
 2.40.0
@@ -53,6 +53,7 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
           file://CVE-2024-43398-0003.patch \
           file://CVE-2025-27221-0001.patch \
           file://CVE-2025-27221-0002.patch \
           file://CVE-2024-35176.patch \
           "
 UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"