1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-17 04:07:06 +00:00
Commit Graph

18 Commits

Author SHA1 Message Date
Divya Chellam 6639c7b295 ruby: fix CVE-2024-41123
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS
vulnerabilities when it parses an XML that has many specific characters
such as whitespace character, `>]` and `]>`. The REXML gem 3.3.3 or later
include the patches to fix these vulnerabilities.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41123

Upstream-patches:
https://github.com/ruby/rexml/commit/2c39c91a65d69357cfbc35dd8079b3606d86bb70
https://github.com/ruby/rexml/commit/4444a04ece4c02a7bd51e8c75623f22dc12d882b
https://github.com/ruby/rexml/commit/ebc3e85bfa2796fb4922c1932760bec8390ff87c
https://github.com/ruby/rexml/commit/6cac15d45864c8d70904baa5cbfcc97181000960
https://github.com/ruby/rexml/commit/e2546e6ecade16b04c9ee528e5be8509fe16c2d6

(From OE-Core rev: 6b2a2e689a69deef6098f6c266542234e46fb24b)

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-01 06:50:49 -08:00
Divya Chellam 7c4bd642e4 ruby: fix CVE-2024-39908
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some
DoS vulnerabilities when it parses an XML that has many specific characters
such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be
impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the
patches to fix these vulnerabilities. Users are advised to upgrade. Users
unable to upgrade should avoid parsing untrusted XML strings.

Reference:
https://security-tracker.debian.org/tracker/CVE-2024-39908

Upstream-patches:
https://github.com/ruby/rexml/commit/f1df7d13b3e57a5e059273d2f0870163c08d7420
https://github.com/ruby/rexml/commit/d146162e9a61574499d10428bc0065754cd26601
https://github.com/ruby/rexml/commit/b5bf109a599ea733663150e99c09eb44046b41dd
https://github.com/ruby/rexml/commit/b8a5f4cd5c8fe29c65d7a00e67170223d9d2b50e
https://github.com/ruby/rexml/commit/0af55fa49d4c9369f90f239a9571edab800ed36e
https://github.com/ruby/rexml/commit/c1b64c174ec2e8ca2174c51332670e3be30c865f
https://github.com/ruby/rexml/commit/9f1415a2616c77cad44a176eee90e8457b4774b6
https://github.com/ruby/rexml/commit/c33ea498102be65082940e8b7d6d31cb2c6e6ee2
https://github.com/ruby/rexml/commit/a79ac8b4b42a9efabe33a0be31bd82d33fd50347
https://github.com/ruby/rexml/commit/67efb5951ed09dbb575c375b130a1e469f437d1f
https://github.com/ruby/rexml/commit/1f1e6e9b40bf339894e843dfd679c2fb1a5ddbf2
https://github.com/ruby/rexml/commit/910e5a2b487cb5a30989884a39f9cad2cc499cfc

(From OE-Core rev: 6e0b70843422cd7cdb25a9e1520dd64bf701fea6)

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-01 06:50:49 -08:00
Divya Chellam f58483837c ruby: fix CVE-2024-35176
REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a
denial of service vulnerability when it parses an XML that has many
`<`s in an attribute value. Those who need to parse untrusted XMLs
may be impacted to this vulnerability. The REXML gem 3.2.7 or later
include the patch to fix this vulnerability. As a workaround, don't
parse untrusted XMLs.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-35176

Upstream-patch:
https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb

(From OE-Core rev: a89fcaf0c3ac2afd95e836bc1356832296135696)

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-01 06:50:49 -08:00
Rob Woolley 8fa7ff501e ruby: correct fix for CVE-2024-43398
The previous fix for CVE-2024-43398 did not include patches
to provide context for the changes it made.

This caused an exception at run-time when ruby parsed
rexml/parsers/baseparser.rb. This was first observed when using
ruby-native to build the sdformat recipe.

With these additional backports, the sdformat build proceeds
successfully. The REXML library was also tested manually on-target
with a script that used REXML::Document.new file to parse an
XML file.

(From OE-Core rev: 6bf00fde2d4043c6b558733a33041ce5694342d3)

Signed-off-by: Rob Woolley <rob.woolley@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-07-30 07:47:48 -07:00
Divya Chellam 32d2b233c6 ruby: fix CVE-2025-27221
In the URI gem before 1.0.3 for Ruby, the URI handling methods
(URI.join, URI#merge, URI#+) have an inadvertent leakage of
authentication credentials because userinfo is retained even
after changing the host.

Reference:
https://security-tracker.debian.org/tracker/CVE-2025-27221

Upstream-patches:
https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495
https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5

(From OE-Core rev: c77ff1288719d90ef257dfe28cb33b3768fc124a)

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-05-28 08:46:32 -07:00
Divya Chellam 6eba29d946 ruby: fix CVE-2024-43398
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS
vulnerability when it parses an XML that has many deep elements that have
same local name attributes. If you need to parse untrusted XMLs with tree
parser API like REXML::Document.new, you may be impacted to this vulnerability.
If you use other parser APIs such as stream parser API and SAX2 parser API,
this vulnerability is not affected. The REXML gem 3.3.6 or later include the
patch to fix the vulnerability.

Reference:
https://security-tracker.debian.org/tracker/CVE-2024-43398

Upstream-patch:
https://github.com/ruby/rexml/commit/7cb5eaeb221c322b9912f724183294d8ce96bae3

(From OE-Core rev: f23d1bfca0ea57150c397bc2e495191fb61423d0)

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-04-18 08:30:51 -07:00
Ashish Sharma ef3aca9b21 ruby: Fix CVE-2025-27219
Upstream-Status: Backport [https://github.com/ruby/cgi/commit/9907b76dad0777ee300de236dad4b559e07596ab]

(From OE-Core rev: 31d67739490ec2abf92328b3f0ceff22ce5d4974)

Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-03-19 07:13:17 -07:00
Hitendra Prajapati fd0eb2db0e ruby: Fix CVE-2025-27220
Upstream-Status: Backport from https://github.com/ruby/cgi/commit/cd1eb08076c8b8e310d4d553d427763f2577a1b6

(From OE-Core rev: 44665939783cb2b32f5ade1772e0ceef47f9a853)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-03-13 08:50:03 -07:00
Divya Chellam 138ab1c7df ruby: fix CVE-2024-41946
REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS
vulnerability when it parses an XML that has many entity expansions
with SAX2 or pull parser API. The REXML gem 3.3.3 or later include
the patch to fix the vulnerability.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41946

Upstream-patch:
https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368

(From OE-Core rev: b0e74fd8922bba8e954a223ec46de5c33d2ff743)

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-02-24 07:00:53 -08:00
Divya Chellam 61c55b9e30 ruby: fix CVE-2024-49761
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS
vulnerability when it parses an XML that has many digits between &# and x...;
in a hex numeric character reference (&#x.... This does not happen with
Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby.
The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

CVE-2024-49761-0009.patch is the CVE fix and rest are dependent commits.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-49761

Upstream-patch:
https://github.com/ruby/rexml/commit/810d2285235d5501a0a124f300832e6e9515da3c
https://github.com/ruby/rexml/commit/83ca5c4b0f76cf7b307dd1be1dc934e1e8199863
https://github.com/ruby/rexml/commit/51217dbcc64ecc34aa70f126b103bedf07e153fc
https://github.com/ruby/rexml/commit/7e4049f6a68c99c4efec2df117057ee080680c9f
https://github.com/ruby/rexml/commit/fc6cad570b849692a28f26a963ceb58edc282bbc
https://github.com/ruby/rexml/commit/77128555476cb0db798e2912fb3a07d6411dc320
https://github.com/ruby/rexml/commit/370666e314816b57ecd5878e757224c3b6bc93f5
https://github.com/ruby/rexml/commit/a579730f25ec7443796495541ec57c071b91805d
https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f

(From OE-Core rev: 5b453400e9dd878b81b1447d14b3f518809de17e)

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-01-18 06:21:02 -08:00
Richard Purdie d91c2b204e ruby: Make docs generation deterministic
The presence or lack of nroff on the host was changing the doc type. Set it
explicitly to be deterministic and reproducible.

(From OE-Core rev: dd857d2519fd4f38c67a6fa0087f72798166467a)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f5053abb8957acf358b518ee3c76146dc5f4eb6c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-09-16 06:09:56 -07:00
Ashish Sharma 6d58d0c4a2 ruby: backport fix for CVE-2024-27282
Upstream-Status: Backport [https://github.com/ruby/ruby/commit/989a2355808a63fc45367785c82ffd46d18c900a]
(From OE-Core rev: 94a0350058e51c4b05bf5d4e02d048c2e6256725)

Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-07-24 07:51:58 -07:00
Yogita Urade 52f1435174 ruby: fix CVE-2024-27280
A buffer-overread issue was discovered in StringIO 3.0.1, as
distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through
3.1.4. The ungetbyte and ungetc methods on a StringIO can
read past the end of a string, and a subsequent call to
StringIO.gets may return the memory value. 3.0.3 is the main
fixed version; however, for Ruby 3.0 users, a fixed version
is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version
is stringio 3.0.1.2.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-27280

(From OE-Core rev: 729310d17310dff955c51811ff3339fdbc017b95)

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-06-26 05:04:39 -07:00
Yogita Urade 70c869275a ruby: fix CVE-2024-27281
ruby: RCE vulnerability with .rdoc_options in RDoc

References:
https://github.com/ruby/ruby/pull/10316
https://security-tracker.debian.org/tracker/CVE-2024-27281

(From OE-Core rev: d01b73c51ceead4911a9a9306dbe728f1db2e029)

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-04-21 06:33:34 -07:00
Meenali Gupta a54b91946c ruby: fix CVE-2023-36617
Backport two patches [1] [2] to fix CVE-2023-36617

(From OE-Core rev: 7a40082e4e080eaf5f88bd24f7169b7731028529)

Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-09-30 09:43:59 -10:00
Mingli Yu 6cff3875fe ruby: Fix CVE-2023-28755
Backport patch [1] to fix CVE-2023-28755.

[1] https://github.com/ruby/ruby/commit/8ce4ab146498879b65e22f1be951b25eebb79300

(From OE-Core rev: 605634cf1adef2d9cf6dc6fdf17aa4032385497f)

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-05-03 04:17:12 -10:00
Hitendra Prajapati be5ebd6b3f ruby: CVE-2023-28756 ReDoS vulnerability in Time
Upstream-Status: Backport from https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e

(From OE-Core rev: 0f8eb0505e19ccd27e1b91f27285a9fc87f2aa93)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-04-26 04:03:21 -10:00
Alexander Kanavin 1aa3cb0169 ruby: update 3.1.2 -> 3.1.3
(From OE-Core rev: 3e43f3925bce640999a25ceb855a77d8cd0afd26)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 402254a5f841520b132508c21465111d33b6eb1a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-01-06 17:33:23 +00:00