The previous fix for CVE-2024-43398 did not include patches
to provide context for the changes it made.
This caused an exception at run-time when ruby parsed
rexml/parsers/baseparser.rb. This was first observed when using
ruby-native to build the sdformat recipe.
With these additional backports, the sdformat build proceeds
successfully. The REXML library was also tested manually on-target
with a script that used REXML::Document.new file to parse an
XML file.
(From OE-Core rev: 6bf00fde2d4043c6b558733a33041ce5694342d3)
Signed-off-by: Rob Woolley <rob.woolley@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS
vulnerability when it parses an XML that has many deep elements that have
same local name attributes. If you need to parse untrusted XMLs with tree
parser API like REXML::Document.new, you may be impacted to this vulnerability.
If you use other parser APIs such as stream parser API and SAX2 parser API,
this vulnerability is not affected. The REXML gem 3.3.6 or later include the
patch to fix the vulnerability.
Reference:
https://security-tracker.debian.org/tracker/CVE-2024-43398
Upstream-patch:
7cb5eaeb22
(From OE-Core rev: f23d1bfca0ea57150c397bc2e495191fb61423d0)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS
vulnerability when it parses an XML that has many entity expansions
with SAX2 or pull parser API. The REXML gem 3.3.3 or later include
the patch to fix the vulnerability.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41946
Upstream-patch:
033d1909a8
(From OE-Core rev: b0e74fd8922bba8e954a223ec46de5c33d2ff743)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS
vulnerability when it parses an XML that has many digits between &# and x...;
in a hex numeric character reference (&#x.... This does not happen with
Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby.
The REXML gem 3.3.9 or later include the patch to fix the vulnerability.
CVE-2024-49761-0009.patch is the CVE fix and rest are dependent commits.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-49761
Upstream-patch:
810d22852383ca5c4b0f51217dbcc67e4049f6a6fc6cad570b7712855547370666e314a579730f25ce59f2eb1a
(From OE-Core rev: 5b453400e9dd878b81b1447d14b3f518809de17e)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The presence or lack of nroff on the host was changing the doc type. Set it
explicitly to be deterministic and reproducible.
(From OE-Core rev: dd857d2519fd4f38c67a6fa0087f72798166467a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f5053abb8957acf358b518ee3c76146dc5f4eb6c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A buffer-overread issue was discovered in StringIO 3.0.1, as
distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through
3.1.4. The ungetbyte and ungetc methods on a StringIO can
read past the end of a string, and a subsequent call to
StringIO.gets may return the memory value. 3.0.3 is the main
fixed version; however, for Ruby 3.0 users, a fixed version
is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version
is stringio 3.0.1.2.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-27280
(From OE-Core rev: 729310d17310dff955c51811ff3339fdbc017b95)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
