upgrade rubygem-rexml to 3.2.7 to resolve CVE-2024-35176 (#9282)

Co-authored-by: minghe <rmhsawyer>
Minghe Ren 2024-05-31 17:03:13 -07:00 коммит произвёл GitHub
Родитель 6e4ebc6899
Коммит 513297d3dc
4 изменённых файлов: 9 добавлений и 196 удалений


@ -1,190 +0,0 @@
diff -ruN a/Gemfile b/Gemfile
--- a/Gemfile 2021-04-05 04:43:38.000000000 -0700
+++ b/Gemfile 2024-05-29 00:06:13.851182285 -0700
@@ -4,3 +4,7 @@
# Specify your gem's dependencies in rexml.gemspec
gemspec
+
+group :development do
+ gem "test-unit-ruby-core"
+end
diff -ruN a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
--- a/lib/rexml/parsers/baseparser.rb 2021-04-05 04:43:38.000000000 -0700
+++ b/lib/rexml/parsers/baseparser.rb 2024-05-28 18:53:32.656078157 -0700
@@ -589,60 +589,41 @@
def parse_attributes(prefixes, curr_ns)
attributes = {}
closed = false
- match_data = @source.match(/^(.*?)(\/)?>/um, true)
- if match_data.nil?
- message = "Start tag isn't ended"
- raise REXML::ParseException.new(message, @source)
- end
-
- raw_attributes = match_data[1]
- closed = !match_data[2].nil?
- return attributes, closed if raw_attributes.nil?
- return attributes, closed if raw_attributes.empty?
-
- scanner = StringScanner.new(raw_attributes)
- until scanner.eos?
- if scanner.scan(/\s+/)
- break if scanner.eos?
- end
-
- pos = scanner.pos
- loop do
- break if scanner.scan(ATTRIBUTE_PATTERN)
- unless scanner.scan(QNAME)
- message = "Invalid attribute name: <#{scanner.rest}>"
- raise REXML::ParseException.new(message, @source)
- end
- name = scanner[0]
- unless scanner.scan(/\s*=\s*/um)
+ while true
+ if @source.match(">", true)
+ return attributes, closed
+ elsif @source.match("/>", true)
+ closed = true
+ return attributes, closed
+ elsif match = @source.match(QNAME, true)
+ name = match[1]
+ prefix = match[2]
+ local_part = match[3]
+ unless @source.match(/\s*=\s*/um, true)
message = "Missing attribute equal: <#{name}>"
raise REXML::ParseException.new(message, @source)
end
- quote = scanner.scan(/['"]/)
- unless quote
+ unless match = @source.match(/(['"])(.*?)\1\s*/um, true)
+ if match = @source.match(/(['"])/, true)
+ message =
+ "Missing attribute value end quote: <#{name}>: <#{match[1]}>"
+ raise REXML::ParseException.new(message, @source)
+ else
+ message = "Missing attribute value start quote: <#{name}>"
+ raise REXML::ParseException.new(message, @source)
+ end
+ unless match = @source.match(/(['"])/, true)
message = "Missing attribute value start quote: <#{name}>"
raise REXML::ParseException.new(message, @source)
end
- unless scanner.scan(/.*#{Regexp.escape(quote)}/um)
- match_data = @source.match(/^(.*?)(\/)?>/um, true)
- if match_data
- scanner << "/" if closed
- scanner << ">"
- scanner << match_data[1]
- scanner.pos = pos
- closed = !match_data[2].nil?
- next
- end
- message =
- "Missing attribute value end quote: <#{name}>: <#{quote}>"
+ quote = match[1]
+ value = @source.read_until(quote)
+ unless value.chomp!(quote)
+ message = "Missing attribute value end quote: <#{name}>: <#{quote}>"
raise REXML::ParseException.new(message, @source)
end
- end
- name = scanner[1]
- prefix = scanner[2]
- local_part = scanner[3]
- # quote = scanner[4]
- value = scanner[5]
+ value = match[2]
+ @source.match(/\s*/um, true)
if prefix == "xmlns"
if local_part == "xml"
if value != "http://www.w3.org/XML/1998/namespace"
diff -ruN a/lib/rexml/source.rb b/lib/rexml/source.rb
--- a/lib/rexml/source.rb 2021-04-05 04:43:38.000000000 -0700
+++ b/lib/rexml/source.rb 2024-05-28 17:10:36.356913505 -0700
@@ -81,7 +81,11 @@
rv
end
- def read
+ def read(term = nil)
+ end
+
+ def read_until(term)
+ @scanner.scan_until(Regexp.union(term)) or @scanner.rest
end
def consume( pattern )
@@ -204,11 +208,28 @@
rv
end
- def read
+ def read(term = nil)
begin
- @buffer << readline
+ @scanner << readline(term)
+ true
rescue Exception, NameError
@source = nil
+ false
+ end
+ end
+
+ def read_until(term)
+ pattern = Regexp.union(term)
+ data = []
+ begin
+ until str = @scanner.scan_until(pattern)
+ @scanner << readline(term)
+ end
+ rescue EOFError
+ @scanner.rest
+ else
+ read if @scanner.eos? and !@source.eof?
+ str
end
end
@@ -263,8 +284,8 @@
end
private
- def readline
- str = @source.readline(@line_break)
+ def readline(term = nil)
+ str = @source.readline(term || @line_break)
if @pending_buffer
if str.nil?
str = @pending_buffer
diff -ruN a/test/test_document.rb b/test/test_document.rb
--- a/test/test_document.rb 2021-04-05 04:43:38.000000000 -0700
+++ b/test/test_document.rb 2024-05-29 00:08:01.164345808 -0700
@@ -1,8 +1,12 @@
# -*- coding: utf-8 -*-
# frozen_string_literal: false
+require 'core_assertions'
+
module REXMLTests
class TestDocument < Test::Unit::TestCase
+ include Test::Unit::CoreAssertions
+
def test_version_attributes_to_s
doc = REXML::Document.new(<<-eoxml)
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
@@ -200,6 +204,13 @@
assert_equal('no', doc.stand_alone?, bug2539)
end
+ def test_gt_linear_performance
+ seq = [10000, 50000, 100000, 150000, 200000]
+ assert_linear_performance(seq) do |n|
+ REXML::Document.new('<test testing="' + ">" * n + '"></test>')
+ end
+ end
+
class WriteTest < Test::Unit::TestCase
def setup
@document = REXML::Document.new(<<-EOX)


@ -1,5 +1,5 @@
{
"Signatures": {
"rexml-3.2.5.tar.gz": "23b7a82bf41bcd1201f67e7ca6e795eee1bb76dce94cd7abf411969e39c5c71d"
"rexml-3.2.7.tar.gz": "e17b16cf079251c76226d8aa96a2e8ba9633d600cf6ef28fe28b08b664383387"
}
}


@ -2,15 +2,14 @@
%global gem_name rexml
Summary: REXML is an XML toolkit for Ruby
Name: rubygem-%{gem_name}
Version: 3.2.5
Release: 2%{?dist}
Version: 3.2.7
Release: 1%{?dist}
License: BSD
Vendor: Microsoft Corporation
Distribution: Mariner
Group: Development/Languages
URL: https://github.com/ruby/rexml
Source0: https://github.com/ruby/rexml/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz
Patch0: CVE-2024-35176.patch
BuildRequires: git
BuildRequires: ruby
Requires: ruby(release)
@ -35,6 +34,10 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}-
%{gemdir}
%changelog
* Fri May 31 2024 Minghe Ren <mingheren@microsoft.com> - 3.2.7-1
- Upgrade to 3.2.7 to resolve CVE-2024-35176
- Remove CVE-2024-35176.patch as it is no longer needed
* Tue May 28 2024 Minghe Ren <mingheren@microsoft.com> - 3.2.5-2
- Add patch for CVE-2024-35176
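Review bot: `BuildRequires: git` survives the removal of `Patch0: CVE-2024-35176.patch`; if it was only there so %prep could apply the patch with git, it can be dropped in the same commit, otherwise a one-line comment above it saying why it is still needed would spare the next editor the same question. %prep is outside the hunk, so this is inferred from the Patch0 removal alone. The `Version`/`Release` bump and the two changelog entries are consistent with each other and with the Source0 URL, which keeps `v%{version}` so no further edit is needed there.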


@ -26915,8 +26915,8 @@
"type": "other",
"other": {
"name": "rubygem-rexml",
"version": "3.2.5",
"downloadUrl": "https://github.com/ruby/rexml/archive/refs/tags/v3.2.5.tar.gz"
"version": "3.2.7",
"downloadUrl": "https://github.com/ruby/rexml/archive/refs/tags/v3.2.7.tar.gz"
}
}
},