mirror of
https://git.yoctoproject.org/poky
synced 2026-04-13 23:02:30 +02:00
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace characters, `>]` and `]>`. The REXML gem 3.3.3 or later includes the patches to fix these vulnerabilities.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-41123

Upstream-patches: 2c39c91a654444a04eceebc3e85bfa6cac15d458e2546e6eca

(From OE-Core rev: 6b2a2e689a69deef6098f6c266542234e46fb24b)

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
45 lines
2.0 KiB
From 2c39c91a65d69357cfbc35dd8079b3606d86bb70 Mon Sep 17 00:00:00 2001
From: Watson <watson1978@gmail.com>
Date: Fri, 19 Jul 2024 17:15:15 +0900
Subject: [PATCH] Fix method scope in test in order to invoke the tests
 properly and fix exception message (#182)

This PR includes the following two fixes.

1. The `test_empty` and `test_linear_performance_gt` were defined as
   private methods. It seems that the test-unit runner does not invoke private
   methods even if the methods have the `test_` prefix.

2. When parsing a malformed entity declaration, the exception might have a
   message about `NoMethodError`. The proper exception message will be
   contained by this fix.

CVE: CVE-2024-41123

Upstream-Status: Backport [https://github.com/ruby/rexml/commit/2c39c91a65d69357cfbc35dd8079b3606d86bb70]

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
---
 .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
index 4864ba1..451fbf8 100644
--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
@@ -308,7 +308,11 @@ module REXML
raise REXML::ParseException.new( "Bad ELEMENT declaration!", @source ) if md.nil?
return [ :elementdecl, "<!ELEMENT" + md[1] ]
elsif @source.match("ENTITY", true)
- match = [:entitydecl, *@source.match(Private::ENTITYDECL_PATTERN, true, term: Private::ENTITY_TERM).captures.compact]
+ match_data = @source.match(Private::ENTITYDECL_PATTERN, true, term: Private::ENTITY_TERM)
+ unless match_data
+ raise REXML::ParseException.new("Malformed entity declaration", @source)
+ end
+ match = [:entitydecl, *match_data.captures.compact]
ref = false
if match[1] == '%'
ref = true
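Review bot: the nil guard added before `match_data.captures` (the `unless match_data` / `raise REXML::ParseException.new("Malformed entity declaration", @source)` lines) only changes which exception a malformed `<!ENTITY` declaration raises; it does not touch `Private::ENTITYDECL_PATTERN`, so this hunk is the "fix exception message" half of the upstream change, not the DoS fix that CVE-2024-41123 describes. The diffstat shows only baseparser.rb changed, so the test-scope fix from point 1 of the message (`test_empty` and `test_linear_performance_gt` made non-private) was dropped from this backport; either carry the test change as well or say in the header why it was left out, and confirm that the other commit in the recipe's Upstream-patches line is the one that changes the matching itself. Minor: the new message has no trailing "!" while the neighbouring "Bad ELEMENT declaration!" does; pick one style.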
--
2.40.0