Divya Chellam
61c55b9e30
ruby: fix CVE-2024-49761
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS
vulnerability when it parses an XML that has many digits between &# and x...;
in a hex numeric character reference (&#x.... This does not happen with
Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby.
The REXML gem 3.3.9 or later includes the patch to fix the vulnerability.
CVE-2024-49761-0009.patch is the CVE fix and rest are dependent commits.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-49761
Upstream-patch:
https://github.com/ruby/rexml/commit/810d2285235d5501a0a124f300832e6e9515da3c
https://github.com/ruby/rexml/commit/83ca5c4b0f76cf7b307dd1be1dc934e1e8199863
https://github.com/ruby/rexml/commit/51217dbcc64ecc34aa70f126b103bedf07e153fc
https://github.com/ruby/rexml/commit/7e4049f6a68c99c4efec2df117057ee080680c9f
https://github.com/ruby/rexml/commit/fc6cad570b849692a28f26a963ceb58edc282bbc
https://github.com/ruby/rexml/commit/77128555476cb0db798e2912fb3a07d6411dc320
https://github.com/ruby/rexml/commit/370666e314816b57ecd5878e757224c3b6bc93f5
https://github.com/ruby/rexml/commit/a579730f25ec7443796495541ec57c071b91805d
https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
(From OE-Core rev: 5b453400e9dd878b81b1447d14b3f518809de17e)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-01-18 06:21:02 -08:00
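Added example (not code from the OE-Core commit or from the REXML project): a small Ruby probe for the input shape the message above describes, useful for confirming an upgraded image is no longer affected. It reports the loaded REXML version against the 3.3.9 threshold from the message, decodes a well-formed padded hex reference as a control, and parses a constructed reference with a long run of digits between `&#` and `x...;` under a wall-clock budget. The function names, digit counts and time budget are assumptions made for this example; the digit-run shape is taken from the commit message and is not a well-formed reference, so a fixed parser may decode it, reject it, or leave it undecoded.

```ruby
require "rexml/document"
require "timeout"

# Fix threshold taken from the commit message (REXML >= 3.3.9).
FIXED_REXML = Gem::Version.new("3.3.9")

# True when the given (default: loaded) REXML version is at or past the fix.
def rexml_fixed?(version = REXML::VERSION)
  Gem::Version.new(version) >= FIXED_REXML
end

# Control input: a well-formed hex reference with leading zeros,
# e.g. "&#x0041;". Any correct parser must decode it to "A".
def padded_hex_ref_document(digit_count, codepoint = 0x41)
  "<a>&#x#{codepoint.to_s(16).rjust(digit_count, '0')};</a>"
end

# The shape the advisory describes: many digits between "&#" and "x...;".
# Constructed for this example; not well-formed XML, so outcome varies by version.
def redos_shaped_document(digit_count)
  "<a>&##{'0' * digit_count}x41;</a>"
end

# Parse and return the decoded text of the root element (this is where
# REXML expands character references).
def decode_root_text(xml)
  REXML::Document.new(xml).root.text
end

# Parse under a wall-clock budget (assumed default: 5 s) and report the result.
# Returns { outcome: :parsed | :rejected | :timed_out, elapsed: seconds }.
def probe(xml, budget_seconds: 5.0)
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  outcome =
    begin
      Timeout.timeout(budget_seconds) { decode_root_text(xml) }
      :parsed
    rescue Timeout::Error
      :timed_out          # the ReDoS symptom: parsing did not finish in budget
    rescue StandardError
      :rejected           # parser refused the malformed reference
    end
  { outcome: outcome, elapsed: Process.clock_gettime(Process::CLOCK_MONOTONIC) - started }
end

if $PROGRAM_NAME == __FILE__
  puts "REXML #{REXML::VERSION} (at or past 3.3.9: #{rexml_fixed?})"
  puts "control #{padded_hex_ref_document(4)} -> #{decode_root_text(padded_hex_ref_document(4)).inspect}"
  [1_000, 100_000].each do |n|
    r = probe(redos_shaped_document(n))
    puts format("%7d digits: %-9s %.3fs", n, r[:outcome], r[:elapsed])
  end
end
```

Run it inside the target image's Ruby rather than on the build host: the message notes the slowdown depends on the Ruby version (3.1 affected, 3.2 and later not), so the version check and the timing probe only mean something for the interpreter that will actually parse untrusted XML.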
Richard Purdie
d91c2b204e
ruby: Make docs generation deterministic
The presence or lack of nroff on the host was changing the doc type. Set it
explicitly to be deterministic and reproducible.
(From OE-Core rev: dd857d2519fd4f38c67a6fa0087f72798166467a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f5053abb8957acf358b518ee3c76146dc5f4eb6c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-09-16 06:09:56 -07:00
Ashish Sharma
6d58d0c4a2
ruby: backport fix for CVE-2024-27282
Upstream-Status: Backport [https://github.com/ruby/ruby/commit/989a2355808a63fc45367785c82ffd46d18c900a]
(From OE-Core rev: 94a0350058e51c4b05bf5d4e02d048c2e6256725)
Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-07-24 07:51:58 -07:00
Yogita Urade
52f1435174
ruby: fix CVE-2024-27280
A buffer-overread issue was discovered in StringIO 3.0.1, as
distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through
3.1.4. The ungetbyte and ungetc methods on a StringIO can
read past the end of a string, and a subsequent call to
StringIO.gets may return the memory value. 3.0.3 is the main
fixed version; however, for Ruby 3.0 users, a fixed version
is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version
is stringio 3.0.1.2.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-27280
(From OE-Core rev: 729310d17310dff955c51811ff3339fdbc017b95)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-06-26 05:04:39 -07:00
Yogita Urade
70c869275a
ruby: fix CVE-2024-27281
ruby: RCE vulnerability with .rdoc_options in RDoc
References:
https://github.com/ruby/ruby/pull/10316
https://security-tracker.debian.org/tracker/CVE-2024-27281
(From OE-Core rev: d01b73c51ceead4911a9a9306dbe728f1db2e029)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-04-21 06:33:34 -07:00
Meenali Gupta
a54b91946c
ruby: fix CVE-2023-36617
Backport two patches [1] [2] to fix CVE-2023-36617
(From OE-Core rev: 7a40082e4e080eaf5f88bd24f7169b7731028529)
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-09-30 09:43:59 -10:00
Mingli Yu
6cff3875fe
ruby: Fix CVE-2023-28755
Backport patch [1] to fix CVE-2023-28755.
[1] https://github.com/ruby/ruby/commit/8ce4ab146498879b65e22f1be951b25eebb79300
(From OE-Core rev: 605634cf1adef2d9cf6dc6fdf17aa4032385497f)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-05-03 04:17:12 -10:00
Hitendra Prajapati
be5ebd6b3f
ruby: CVE-2023-28756 ReDoS vulnerability in Time
Upstream-Status: Backport from https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e
(From OE-Core rev: 0f8eb0505e19ccd27e1b91f27285a9fc87f2aa93)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-04-26 04:03:21 -10:00
Alexander Kanavin
1aa3cb0169
ruby: update 3.1.2 -> 3.1.3
(From OE-Core rev: 3e43f3925bce640999a25ceb855a77d8cd0afd26)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 402254a5f841520b132508c21465111d33b6eb1a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-01-06 17:33:23 +00:00