Fix for CVE-2024-39908 in rubygem-rexml (#10188)

SPECS/rubygem-rexml/add-support-for-old-strscan.patch

@@ -1,129 +0,0 @@
-From f1df7d13b3e57a5e059273d2f0870163c08d7420 Mon Sep 17 00:00:00 2001
-From: Sutou Kouhei <kou@clear-code.com>
-Date: Mon, 20 May 2024 12:17:27 +0900
-Subject: [PATCH] Add support for old strscan
-
-Fix GH-132
-
-If we support old strscan, users can also use strscan installed as a
-default gem.
-
-Reported by Adam. Thanks!!!
----
- .github/workflows/test.yml      | 32 ++++++++++++++++++++++----------
- lib/rexml/parsers/baseparser.rb | 11 +++++++++++
- rexml.gemspec                   |  2 +-
- 3 files changed, 34 insertions(+), 11 deletions(-)
-
-diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
-index fd26b9a..f977de6 100644
---- a/.github/workflows/test.yml
-+++ b/.github/workflows/test.yml
-@@ -3,14 +3,14 @@ on:
-   - push
-   - pull_request
- jobs:
--  ruby-versions:
-+  ruby-versions-inplace:
-     uses: ruby/actions/.github/workflows/ruby_versions.yml@master
-     with:
-       engine: cruby-jruby
-       min_version: 2.5
-
-   inplace:
--    needs: ruby-versions
-+    needs: ruby-versions-inplace
-     name: "Inplace: ${{ matrix.ruby-version }} on ${{ matrix.runs-on }}"
-     runs-on: ${{ matrix.runs-on }}
-     strategy:
-@@ -20,7 +20,7 @@ jobs:
-           - ubuntu-latest
-           - macos-latest
-           - windows-latest
--        ruby-version: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
-+        ruby-version: ${{ fromJson(needs.ruby-versions-inplace.outputs.versions) }}
-         exclude:
-           - {runs-on: macos-latest, ruby-version: 2.5}
-         # include:
-@@ -47,7 +47,14 @@ jobs:
-       - name: Test
-         run: bundle exec rake test RUBYOPT="--enable-frozen-string-literal"
-
-+  ruby-versions-gem:
-+    uses: ruby/actions/.github/workflows/ruby_versions.yml@master
-+    with:
-+      engine: cruby-jruby
-+      min_version: 3.0
-+
-   gem:
-+    needs: ruby-versions-gem
-     name: "Gem: ${{ matrix.ruby-version }} on ${{ matrix.runs-on }}"
-     runs-on: ${{ matrix.runs-on }}
-     strategy:
-@@ -57,21 +64,26 @@ jobs:
-           - ubuntu-latest
-           - macos-latest
-           - windows-latest
--        ruby-version:
--          - "3.0"
--          - head
-+        ruby-version: ${{ fromJson(needs.ruby-versions-gem.outputs.versions) }}
-     steps:
-       - uses: actions/checkout@v4
-       - uses: ruby/setup-ruby@v1
-         with:
-           ruby-version: ${{ matrix.ruby-version }}
-       - name: Install as gem
--        env:
--          BUNDLE_PATH__SYSTEM: "true"
--          BUNDLE_WITHOUT: "benchmark:development"
-         run: |
-           rake install
--          bundle install
-+      - name: Install test dependencies on non-Windows
-+        if: matrix.runs-on != 'windows-latest'
-+        run: |
-+          for gem in $(ruby -e 'puts ARGF.read[/^group :test do(.*)^end/m, 1].scan(/"(.+?)"/)' Gemfile); do
-+            gem install ${gem}
-+          done
-+      - name: Install test dependencies on Windows
-+        if: matrix.runs-on == 'windows-latest'
-+        run: |
-+          gem install test-unit
-+          gem install test-unit-ruby-core
-       - name: Test
-         run: |
-           ruby -run -e mkdir -- tmp
-diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
-index d09237c..da051a7 100644
---- a/lib/rexml/parsers/baseparser.rb
-+++ b/lib/rexml/parsers/baseparser.rb
-@@ -7,6 +7,17 @@
-
- module REXML
-   module Parsers
-+    if StringScanner::Version < "3.0.8"
-+      module StringScannerCaptures
-+        refine StringScanner do
-+          def captures
-+            values_at(*(1...size))
-+          end
-+        end
-+      end
-+      using StringScannerCaptures
-+    end
-+
-     # = Using the Pull Parser
-     # <em>This API is experimental, and subject to change.</em>
-     #  parser = PullParser.new( "<a>text<b att='val'/>txet</a>" )
-diff --git a/rexml.gemspec b/rexml.gemspec
-index 97eac65..169e49d 100644
---- a/rexml.gemspec
-+++ b/rexml.gemspec
-@@ -55,5 +55,5 @@ Gem::Specification.new do |spec|
-
-   spec.required_ruby_version = '>= 2.5.0'
-
--  spec.add_runtime_dependency("strscan", ">= 3.0.9")
-+  spec.add_runtime_dependency("strscan")
- end

SPECS/rubygem-rexml/rubygem-rexml.signatures.json

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "rexml-3.2.8.tar.gz": "44c1d11af52fba515380867980ff1e30b3a3d303cb90a7ca89659563969f3444"
+  "rexml-3.3.4.tar.gz": "c6ab9da9502b2a5e824925de5f5774d9222c377d0537393f560fba71e0f868c7"
  }
 }

SPECS/rubygem-rexml/rubygem-rexml.spec

@@ -2,7 +2,7 @@
 %global gem_name rexml
 Summary:        REXML is an XML toolkit for Ruby
 Name:           rubygem-%{gem_name}
-Version:        3.2.8
+Version:        3.3.4
 Release:        1%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
@@ -10,7 +10,6 @@ Distribution:   Azure Linux
 Group:          Development/Languages
 URL:            https://github.com/ruby/rexml
 Source0:        https://github.com/ruby/rexml/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz
-Patch0:         add-support-for-old-strscan.patch
 BuildRequires:  git
 BuildRequires:  ruby
 Requires:       ruby(release)
@@ -35,6 +34,9 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}-
 %{gemdir}
 
 %changelog
+* Fri Aug 9 2024 Bhagyashri Pathak <bhapathak@microsoft.com> - 3.3.4-1
+- Upgrade to 3.3.4 to resolve CVE-2024-39908
+
 * Wed May 22 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 3.2.8-1
 - Upgrade to v3.2.8 to fix CVE-2024-35176
 - Add patch to support old strscan

cgmanifest.json

@@ -26654,8 +26654,8 @@
         "type": "other",
         "other": {
           "name": "rubygem-rexml",
-          "version": "3.2.8",
-          "downloadUrl": "https://github.com/ruby/rexml/archive/refs/tags/v3.2.8.tar.gz"
+          "version": "3.3.4",
+          "downloadUrl": "https://github.com/ruby/rexml/archive/refs/tags/v3.3.4.tar.gz"
         }
       }
     },