poky/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0006.patch
Divya Chellam 61c55b9e30 ruby: fix CVE-2024-49761
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS
vulnerability when it parses an XML that has many digits between &# and x...;
in a hex numeric character reference (&#x...). This does not happen with
Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby.
The REXML gem 3.3.9 or later includes the patch to fix the vulnerability.

CVE-2024-49761-0009.patch is the CVE fix and the rest are dependent commits.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-49761

Upstream-patch:
810d228523
83ca5c4b0f
51217dbcc6
7e4049f6a6
fc6cad570b
7712855547
370666e314
a579730f25
ce59f2eb1a

(From OE-Core rev: 5b453400e9dd878b81b1447d14b3f518809de17e)

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-01-18 06:21:02 -08:00


From 77128555476cb0db798e2912fb3a07d6411dc320 Mon Sep 17 00:00:00 2001
From: NAITOH Jun <naitoh@gmail.com>
Date: Sun, 21 Jan 2024 20:02:00 +0900
Subject: [PATCH] Use `@scanner << readline` instead of `@scanner.string =
@scanner.rest + readline` (#107)
JRuby's `StringScanner#<<` and `StringScanner#scan` OutOfMemoryError has
been resolved in strscan gem 3.0.9.
https://github.com/ruby/strscan/issues/83
```
RUBYLIB= BUNDLER_ORIG_RUBYLIB= /Users/naitoh/.rbenv/versions/3.3.0/bin/ruby -v -S benchmark-driver /Users/naitoh/ghq/github.com/naitoh/rexml/benchmark/parse.yaml
ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin22]
Calculating -------------------------------------
before after before(YJIT) after(YJIT)
dom 10.958 11.044 16.615 16.783 i/s - 100.000 times in 9.126104s 9.055023s 6.018799s 5.958437s
sax 29.624 29.609 44.390 45.370 i/s - 100.000 times in 3.375641s 3.377372s 2.252774s 2.204080s
pull 33.868 34.695 51.173 53.492 i/s - 100.000 times in 2.952679s 2.882229s 1.954138s 1.869422s
stream 31.719 32.351 43.604 45.403 i/s - 100.000 times in 3.152713s 3.091052s 2.293356s 2.202514s
Comparison:
dom
after(YJIT): 16.8 i/s
before(YJIT): 16.6 i/s - 1.01x slower
after: 11.0 i/s - 1.52x slower
before: 11.0 i/s - 1.53x slower
sax
after(YJIT): 45.4 i/s
before(YJIT): 44.4 i/s - 1.02x slower
before: 29.6 i/s - 1.53x slower
after: 29.6 i/s - 1.53x slower
pull
after(YJIT): 53.5 i/s
before(YJIT): 51.2 i/s - 1.05x slower
after: 34.7 i/s - 1.54x slower
before: 33.9 i/s - 1.58x slower
stream
after(YJIT): 45.4 i/s
before(YJIT): 43.6 i/s - 1.04x slower
after: 32.4 i/s - 1.40x slower
before: 31.7 i/s - 1.43x slower
```
- YJIT=ON : 1.01x - 1.05x faster
- YJIT=OFF : 1.00x - 1.02x faster
CVE: CVE-2024-49761
Upstream-Status: Backport [https://github.com/ruby/rexml/commit/77128555476cb0db798e2912fb3a07d6411dc320]
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
---
.bundle/gems/rexml-3.2.5/lib/rexml/source.rb | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
index 71b08f9..db78a12 100644
--- a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
@@ -149,11 +149,7 @@ module REXML
def read
begin
- # NOTE: `@scanner << readline` does not free memory, so when parsing huge XML in JRuby's DOM,
- # out-of-memory error `Java::JavaLang::OutOfMemoryError: Java heap space` occurs.
- # `@scanner.string = @scanner.rest + readline` frees memory that is already consumed
- # and avoids this problem.
- @scanner.string = @scanner.rest + readline
+ @scanner << readline
rescue Exception, NameError
@source = nil
end
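Review bot: the deleted NOTE comment (the `- # NOTE: ...` through `- # and avoids this problem.` lines) was the only record of why the `@scanner.rest + readline` form existed, and the replacement `+ @scanner << readline` brings back the JRuby out-of-memory behaviour unless strscan 3.0.9 or later is present; please keep a one-line comment at this spot saying that `<<` relies on strscan >= 3.0.9 (ruby/strscan#83), or pin that version in the gemspec, because this backport targets the `rexml-3.2.5` copy shipped with Ruby 3.1 and no version constraint is visible in the change. Minor, on the context line `rescue Exception, NameError`: `NameError` is already a subclass of `Exception`, so the list can be reduced to the class that is actually intended.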
--
2.40.0