mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-16 07:53:47 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
393064579dfdd0ed2d4ed4c27d238d7d2292c08b
poky/meta/recipes-devtools/ruby/ruby/CVE-2024-41123-0003.patch
Divya Chellam 6639c7b295 ruby: fix CVE-2024-41123 
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS
vulnerabilities when it parses an XML that has many specific characters
such as whitespace character, `>]` and `]>`. The REXML gem 3.3.3 or later
include the patches to fix these vulnerabilities.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41123

Upstream-patches:
2c39c91a65
4444a04ece
ebc3e85bfa
6cac15d458
e2546e6eca

(From OE-Core rev: 6b2a2e689a69deef6098f6c266542234e46fb24b)

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-01 06:50:49 -08:00

56 lines
1.8 KiB
Diff
Raw Blame History

From ebc3e85bfa2796fb4922c1932760bec8390ff87c Mon Sep 17 00:00:00 2001
From: NAITOH Jun <naitoh@gmail.com>
Date: Mon, 8 Jul 2024 05:54:06 +0900
Subject: [PATCH] Add position check for XML declaration (#162)
XML declaration must be the first item.
https://www.w3.org/TR/2006/REC-xml11-20060816/#document
```
[1] document ::= ( prolog element Misc* ) - ( Char* RestrictedChar Char* )
```
https://www.w3.org/TR/2006/REC-xml11-20060816/#NT-prolog
```
[22] prolog ::= XMLDecl Misc* (doctypedecl Misc*)?
```
https://www.w3.org/TR/2006/REC-xml11-20060816/#NT-XMLDecl
```
[23] XMLDecl ::= '<?xml' VersionInfo EncodingDecl? SDDecl? S? '?>'
```
See: https://github.com/ruby/rexml/pull/161#discussion_r1666118193
CVE: CVE-2024-41123
Upstream-Status: Backport [https://github.com/ruby/rexml/commit/ebc3e85bfa2796fb4922c1932760bec8390ff87c]
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
---
.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
index 451fbf8..71fce99 100644
--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
@@ -670,7 +670,10 @@ module REXML
@source.position = start_position
raise REXML::ParseException.new(message, @source)
end
- if @document_status.nil? and match_data[1] == "xml"
+ if match_data[1] == "xml"
+ if @document_status
+ raise ParseException.new("Malformed XML: XML declaration is not at the start", @source)
+ end
content = match_data[2]
version = VERSION.match(content)
version = version[1] unless version.nil?
--
2.40.0
Reference in New Issue View Git Blame Copy Permalink